Between Two Moose

Kiersten Todt, Matt Blaze, Beetle, and Bruce Potter (interviewer)

Join us as we close down ShmooCon 2020 with another episode of “Between Two Moose” in which Bruce interviews a few folks who are helping to shape the security industry–with a focus on what formed their understanding of security, the journey they traveled in their careers, and opinions on contemporary security topics (with of course some irreverent frivolity thrown in). We will also challenge each guest to a game of Cork and Towel and will declare a winner at the end of the session. Come and enjoy the show!

Kiersten Todt (@kierstentodt) is currently the President and CEO of Liberty Group Ventures, LLC and advises senior executives and Boards on cyber risk management and the role of human behavior in cybersecurity. She is also the Managing Director of the Cyber Readiness Institute, a non-profit that convenes senior leaders of global companies to help small and medium-sized enterprises improve their cybersecurity. Ms. Todt is the Scholar of the University of Pittsburgh Institute for Cyber Law, Policy, and Security. She most recently served as the Executive Director of the Presidential Commission on Enhancing National Cybersecurity.

Matt Blaze (@mattblaze) is a computer science and law professor at Georgetown University. He can usually be found somewhere at the intersection of technology and public policy.

Beetle made the transition from Army supply guy to security geek in the mid-90s, inspired by dial-up access to a BBS, Trumpet Winsock, and the L0pht. Beetle is a Senior Principal Security Engineer at Amazon Web Services, a founding member of the AWS Security team, and he is quite passionate about his day job: protecting customers, their data, and AWS itself. Prior to AWS, Beetle was a security engineer with the MITRE Corporation for 11 years, where he prototyped nifty things for the U.S. government and military, such as CTF-like attack labs and first-person shooter gaming interfaces to intrusion detection systems. Beetle wrote the very first check for ShmooCon “back in the day,” and he has presented on the topics of wireless security and cloud security at a variety of other conferences, including Black Hat, DEF CON, ToorCon, LayerOne, AWS re:Invent, and AWS re:Inforce. Beetle has a BS in Computer Science from James Madison University.

Bruce Potter (@gdead) is the CISO at Expel and spends most of his time instructing people on the correct pronunciation of CISO (it’s “ciz-oh”).


Using OSINT for Human Rights and Victim Support

Rae Baker

Open-Source Intelligence can have both positive and negative impacts on vulnerable populations such as domestic violence and stalking victims. We will discuss the ways that OSINT has been used in the past to target victims and how it may evolve in the future. Then, pivoting from the negative, we take a look at how non-profit organizations are beginning to use OSINT for good. I will show some examples of OSINT models being used to help victims of crimes regain control of their situation and how OSINT professionals are using it to keep victims safe. Finally, we will look at ways that you, as a security professional, can use your skillset to promote change and have a greater understanding of the importance of privacy, empathy, and safety for victims.

Rae Baker (@wondersmith_rae) is a student at The Pennsylvania State University studying Information Systems Technology with a focus on Cybersecurity. Rae specializes in Open Source Intelligence and currently works as a Cyber Security Analyst Intern with IACI at NASA-Kennedy Space Center. Rae is also the current President of the Penn State World Campus Technology club and is very active in organizing speaking engagements, networking, planning events, and presenting education to the club on current vulnerabilities and foreign and domestic threats. In addition, she is an Open Source Intelligence volunteer with Operation Safe Escape, which is a 501(c)(3) non-profit comprised of security professionals tasked with keeping domestic violence victims hidden from their abusers.


Battling Supermutants in the Phishing Wasteland

Ashlee Benge and Zack Allen

Phishing attacks are nothing new or unusual, and yet the menace they pose is often overlooked in lieu of flashier malware, APTs, and 0-day exploits. This talk will discuss the state of modern phishing, delving into the economy of phishing. It will detail the roles within this economy and why it presents such a risk to organizations. Using RPG-style stat cards to highlight author strengths and weaknesses, we will then present our research on three phishing kit authors, break down their offerings, and discuss what it takes to run a successful phishing kit empire.

Zack Allen (@teachemtechy) is both a security researcher and the director of threat intelligence at ZeroFOX. Previously, he worked in threat research for the US Air Force and Fastly. Outside of his professional life, Zack volunteers for security competitions such as CCDC and ISTS and practices Brazilian jiu-jitsu.

Ashlee Benge (@ashtr0nautt) is an astrophysicist turned security researcher. In her current role, she researches emerging threats for ZeroFOX. Prior to joining ZeroFOX, Ashlee worked in threat hunting, outreach, and detection analysis roles at Cisco Talos. Outside of infosec she is also a competitive CrossFit athlete and dabbles in stained glass work.


Hacking Democracy: On Securing an Election

Casey Ellis, Tod Beardsley, Kimber Dowsett, Jack Cable, and Amelie Koran (moderator)

Democracy is the cornerstone of America’s Constitution, identity, and ideology, and this foundation was shaken during the 2016 Presidential Election. Four years later, we still have great lengths to go to ensure that the integrity of the 2020 Presidential Election, and any election moving forward, is protected.

The Senate approved a $250 million budget to assist with election cybersecurity efforts across the country, but is it enough? The Presidential Race is on but so is the race to secure the 2020 vote.

In this panel we’ll discuss the intersection of people, technology, security, and elections, with a focus on themes including:

  • The true scope of the problem when it comes to “hacking elections”
  • The biggest threats to the 2020 vote–threat modeling for disinformation, voting machine vulnerabilities, website hacking, and election manipulation
  • The role of hackers and coordinated vulnerability disclosure in building voter trust and improving cyber-resilience
  • The impact for the elections in the west at large, driven by the U.S.’s prominence as the champion for democracy.

As founder and CTO of Bugcrowd, Casey Ellis (@caseyjohnellis) pioneered the crowdsourced-security-as-a-service model.

Tod Beardsley (@todb) directs the security research program at Rapid7.

Kimber Dowsett (@mzbat) is the Director of Security Engineering at Truss, following 10 years in the federal government.

Jack Cable

Amelie Koran


The Hacker’s Guide to Cybersecurity Policy in 2020

Jen Ellis, Nick Leiserson, Leonard Bailey, and Kurt Opsahl

So far in the 116th Congress (2019-2020), 96 bills have been introduced containing the term “cybersecurity” in their title. As experts in security, we can either choose to participate and try to create better outcomes, or we can sit by while others decide our fates. Our goal for this session is to give attendees an overview of the themes and intentions of some of the key policy discussions relating to cybersecurity, their potential outcomes, and how attendees can help influence them.

Jen Ellis (@infosecjen) works with governments on legislative and non-legislative approaches to advancing security.

Nick Leiserson is Legislative Director for Congressman Jim Langevin, helps manage the Congressional Cybersecurity Caucus, and is a leading congressional expert on cybersecurity.

Leonard Bailey is Special Counsel for National Security in DoJ’s Computer Crimes and Intellectual Property Section (CCIPS). He leads Justice’s Cybersecurity Unit, advising on cybersecurity matters, including legislation and policies affecting the security community.

Kurt Opsahl (@kurtopsahl) is General Counsel of the Electronic Frontier Foundation (EFF) and a leading voice on legal issues in the security community.


Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Review Process From the Ground Up

Wendy Knox Everette

You’ve just been tasked with creating a vendor review management process at your company, but what does that even mean, and how are you going to do this? Do you need to buy a lot of expensive GRC software and hire an army of compliance staffers? This talk will explain what a vendor review process is and walk through setting one up at your company, using nothing more complicated than email, text files, and maybe some Slack and Google Forms.

Wendy Knox Everette (@wendyck) is a Senior Security Advisor at Leviathan Security Group. She has more than 15 years of experience as a software developer, software quality assurance engineer, and information security professional. She’s been involved in all aspects of the system development life cycle (SDLC) from requirements definition through implementation and operation as well as compliance gap analysis and risk assessment. As an information security consultant, she’s guided clients through creation of risk management programs tailored to fit their size and has extensive experience both sending and receiving vendor security questionnaires.


Adventures in Hardware Hacking or Building Expensive Tools on a Budget

Zac Franken

CT Scanning is one of the gold standards for hardware hacking. It enables a user to slice and dice a 3D model of the device in question and most importantly it will allow a user to selectively slice through the model to extract key features such as the copper layers on multi-layer boards, embedded vias, embedded components, etc. It is these copper layers that represent the device’s circuit and therefore extracting them is a key method in enabling the reconstruction of the schematic from the physical device. This technique will allow non-destructive analysis of the device in question and will greatly shorten the phase of reversing the physical device to a logical schematic. I will also cover the construction of the Decapinator–an accurate non-destructive chip de-capping device that precisely exposes the silicon inside the epoxy chip package without damage to expose it for micro-probing, masked rom, and other detail extraction.

Zac Franken recently retired from 20 years as the Operations Director of DefCon. Zac’s research focuses on embedded systems security, access control systems, and biometric devices, and he has spoken and trained at information security conferences in Europe and the US publicly and for private and governmental audiences. He is responsible for identifying major vulnerabilities in various access control and biometric systems, and has a passion for creating devices that emulate access control tokens either electronic, physical, or biometric. Zac has been responsible both directly and indirectly for changing access control standards for several Western governments.


SBOM: Screw it, We’ll Do it Live!

Audie and Josh Corman

The concept of Software Bill of Materials (SBOM) isn’t that groundbreaking–we should know as much about the software that literally controls our lives as we do about the ingredients in a Twinkie. Yet changing the world can be hard. We set out not only to encourage others to be more transparent about their software supply chain but to show that it was possible and achievable, as well.

This talk will give an overview of the idea of SBOMs, their potential in the marketplace, and highlight how they can have a huge impact on the security of the critical healthcare sector. We’ll review why it’s needed, why there’s reluctance, and why it’s easier than you think. While the stories we share will be gleaned from the notoriously vulnerable healthcare sector, the lessons will be useful for anyone responsible for making, buying, or operating software and has ever wondered what was under the hood.

We need transparency across the entire software supply chain and for the first time, have a vision of what it can look like and some insight on how to get there. Now we need your help!

Audie (@_odddie_) spent the last 15 years in healthcare technology, working alongside clinicians. Through her experiences in hospital environments, she became increasingly concerned with how security lapses can impact patient safety. Her personal commitment and advocacy recently intersected with her professional life, allowing her to focus on the security of medical devices.

Josh Corman (@joshcorman) is a pioneer for public safety and social impact. He co-founded IamTheCavalry.org to encourage new security approaches in response to the world’s increasing dependence on digital infrastructure. He is an adjunct faculty member for Carnegie Mellon and was on the Congressional Task Force for Healthcare Cybersecurity.


Privacy Scores for iOS Apps

Noelle Garrett

Privacy scores are a system for rating mobile apps on their use of private data. The source code behind the most popular mobile apps can often be difficult to gain access to. This means that the only information the user has on how their private data is handled by an application is through the vague privacy permissions users can grant. However, users don’t know what the app has been programmed to do with the data it has permissions to access, nor can users see what other information the app has access to without the user’s express approval. Using mitmproxy, the network traffic which Apple devices send out and receive can be intercepted and inspected, in order to see what data is being transmitted by different mobile apps. With the captured traffic, privacy scores are assigned to different applications based on four factors critical to measuring privacy.

However, privacy scores are not a complete solution for informing users about the private information their applications are using. The process for monitoring information flowing to/from iOS devices is already becoming thwarted by new techniques. It will only become more difficult for users to monitor the release of their private information as time advances.

Noelle Garrett is a cadet at the United States Military Academy. Noelle is an Information Technology major with a minor in Eurasian studies. She is currently in her senior year at the academy and will become an US Army Cyber officer upon graduation.


Think of the Kitten: The Truth About Section 230, the Law All the Cute Online Cat Pictures (And a Lot of Other Good Stuff) Depends On

Cathy Gellis

It seems like everyone’s talking about Section 230 these days, and keen to change it, even without really knowing what it says and does. Don’t let this happen to you! Come to this crash course in Section 230 basics given by a lawyer who regularly litigates (and pontificates) about Section 230 to learn the truth about this crucial law that enables all our online cat pictures (and so much more). We’ll talk about why we have Section 230, what it does, why it works, and how badly we jeopardize our supply of online cat pictures (as well as a lot of other good, important stuff) if we mess with it.

Frustrated that people were making the law without asking her for her opinion, Cathy Gellis (@cathygellis) gave up a career as a web developer to become a lawyer so that she could help them not make it badly, especially where it came to technology. A former aspiring journalist and longtime fan of free speech, her legal work includes defending the rights of Internet users and advocating for policy that protects online speech and innovation. She also writes about the policy implications of technology regulation on sites such as the Daily Beast, Law.com, and Techdirt.com, where she is a regular contributor.


Anti-Forensics for Fun and Privacy

Alissa Gilbert

Want to learn how to avoid surveillance and investigators? Anti-forensics is the practice of modifying or removing data so that others cannot find it later during an investigation. While annoying to forensic practitioners and law enforcement, it is unavoidable to help maintain privacy in a world of shady ToS, snooping partners, and potential search and seizures. How far do you need to go to maintain your privacy? This talk will break down anti-forensics techniques that you can use to protect yourself from audiences like your mom to an extreme nation-state level actor. The only thing more fun than forensics is anti-forensics.

Alissa Gilbert (@dnsprincess) is a digital forensics instructor and Ph.D. researcher. She has had the privilege of working with digital forensic investigators, law enforcement, and private contractors on cases they have processed. Alissa also manages a security operation center and is a teaching assistant at her university. She is a curious troublemaker whose work does not represent that of her employers or university.


Software Mitigations for Hardware Vulnerabilities

Antonio Gomez

In the last couple of years, we have observed the disclosure of a new set of innovative methods targeting internal structures and common hardware abstractions of many modern CPUs. These methods are relevant to many technology contexts, but what are these methods? Why are those hardware abstractions included in modern processors? What would the threat model of a potential implementation be? Even though these are methods that target the hardware, the existing mitigations for components that are already in the market, or that have even been out of the market for a while, are implemented in software. What do these software mitigations look like? What do they do? Do different actors understand these methods, what the mitigations do, and what they can do to configure these mitigations to better protect their systems based on their computing requirements? What can be done in the Linux kernel to enhance process isolation to prevent potential attacks? This presentation will answer all those questions while focusing on changes introduced in the Linux kernel and that are publicly available.

Antonio Gomez (@4g0mez) is a software engineer at Intel where he focuses on security software mitigations. He holds a Ph.D. in computer science and has worked on different roles in the area of performance, computer architecture, parallel programming, and security for the last 15 years.


Knowing the UnFuzzed and Finding Bugs with Coverage Analysis

Mark Griffin

The rise in fuzzing has resulted in bugs getting found and fixed at an amazing rate. But it has raised some new questions: how do we find good fuzz targets quickly, and what is left to fuzz? These questions require tools and workflows that remain uncommon among software developers and security researchers alike, and one potential solution is in automated coverage analysis.

This motivation drove the development of bncov, an open-source coverage analysis plugin for Binary Ninja that enables scripting and the construction of tools to help you get the most bang for your fuzz-buck.

Mark Griffin is a researcher who has always been interested in working on difficult problems and always finding new ways to get the job done better. He’s been working in computer security for over 10 years, and in that time has realized he enjoys work more when he doesn’t have to use chopsticks to dig a ditch.


A Wireless Journeyman’s Experience in Practical SIGINT

Russell Handorf

This talk will be a demonstration of my experiences, joys, and frustrations in building a small home/office (SOHO) signals intelligence (SIGINT) platform. Starting as a custom system and solution called SoHoSIGINT, its design, architecture, and results will be briefly discussed but segues to a narrative and instruction about contributing to FOSS software. The result is the experience of contributing code to Kismet which enhanced the different kinds of wireless devices that are captured and logged in this platform. The finale is in the demonstration of creating new hardware to capture signals and integrating it into Kismet. If I could do it, you can do it, and I’m going to show you how.

Dr. Russell Handorf (@dntlookbehindu) currently is a principal threat intelligence hacker for WhiteOps where he spends his time making criminals curse his very existence. He is also a recovering fed after ten years of service defending the country in a variety of matters. He’s done a lot of other odd things here and there, but that isn’t important. Let’s just have a conversation, but you’ll have to endure my dad jokes.


5G Protocol Vulnerabilities and Exploits

Roger Piqueras Jover

The first protocol exploits against LTE were introduced in early 2016. Since then, security researchers have published a large number of excellent papers and talks identifying more and more critical vulnerabilities in the LTE protocol. 3GPP released the 5G specifications in 2018 and, by late 2019, a number of theoretical studies and formal verifications of the protocol have already identified several security issues. Despite a potential, yet optional, solution to prevent IMSI catching, 5G communication systems are still vulnerable to preauthentication message-based exploits. The 5G security architecture provides no means for mobile devices and base stations to verify cryptographically that they are not communicating with a malicious node until a substantial number of messages have been exchanged entirely in the clear. This talk will present the first security investigation of the 5G security specifications based on the analysis of real 5G traffic captures. Pre-authentication messages from real Release15-compliant 5G base stations, mobile devices and test tools, in both non-standalone (NSA) and standalone (SA) mode, will be analyzed. We will discuss ways in which an adversary could exploit these messages maliciously. The analysis will also demonstrate how certain exploits against LTE are still possible in 5G.

Roger Piqueras Jover (@rgoestotheshows) is a Senior Security Architect at Bloomberg LP and a wireless and mobile security researcher. His research work focuses on LTE and 5G mobile network security, protocol exploits, and exploring the security of anything that communicates wirelessly.


Voight-Kampff for Email Addresses: Quantifying Email Address Reputation to Identify Spear-Phishing and Fraud

Josh Kamdjou

“Is this email address real?” Internet history and age can’t be faked. Legitimate email addresses have social media profiles, Github profiles and commits, LinkedIn accounts, and they’ve been in credential dumps and data breaches. Real people can be differentiated from attacker personas using these internet breadcrumbs.

EmailRep is a system of crawlers, scanners, and enrichment services that collects data on email addresses, domains, and internet personas to predict the relative risk of an email address. It uses OSINT techniques, crawlers on forums, social media sites, and professional networking sites, as well as data points from credential breaches, malicious phishing kits, community reported phishing emails, spam lists, and more.

In this talk I’ll discuss why we built EmailRep, dive in to how Blue and Red teams are using this, and review some shortcomings of this approach that future attackers will seek to exploit. Finally, I’ll deep dive on the technical architecture and implementation, giving an overview of how you could build this yourself.

We’ll invite audience members on stage to query EmailRep, live, for their personal email addresses or attacker email addresses they’ve encountered or used in their work.

EmailRep is free to use via emailrep.io or API.

Josh Kamdjou (@jkamdjou) has been doing offensive security related things for the past 10 years. He’s spent most of his professional career breaking into networks and building software for both the public and private sectors. Josh is the Founder of Sublime Security, enjoys staying fit, and loves phishing.


Whitelisting LD_PRELOAD for Fun and No Profit

Tony Lambert

Sometimes bolting a security solution on the side of technology just doesn’t work as well as built-in protection. One example of this on Linux systems is libpreloadvaccine, a whitelisting solution I built that aimed, and failed, to provide foolproof protection against abuse of LD_PRELOAD process injection. This talk will cover how adversaries use LD_PRELOAD, how its built-in audit system works, and how the audit system can be leveraged for whitelisting. We’ll also examine design and implementation considerations for whitelisting, closing the talk by showing how checks built into the dynamic linker would be much more effective than a solution thrown on top.

Tony Lambert (@ForensicITGuy) is a professional geek who loves to jump into all things related to detection and digital forensics. After working for several years in Desktop and Systems Administration, he joined the Red Canary team to help find evil and augment detection capabilities for organizations. Tony holds a Master’s of Science in Digital Forensic Science from Champlain College and has taught numerous technology classes for a local community college.


Zoom 0-Day: How Not to Handle a Vulnerability Report

Jonathan Leitschuh

On July 8th, 2019, a bombshell 0-Day vulnerability was dropped on Zoom Inc. that disclosed how anyone could maliciously join a victim’s Mac to a call with their video camera active simply by visiting a malicious website. Additionally, Zoom left behind a hidden daemon that would re-install the Zoom client after it had been uninstalled. It was later discovered that this “feature” could be abused to allow remote code execution.

In this talk I’ll discuss my communications with Zoom’s security team and the reasoning behind what led to my decision to resort to 0-Day disclosure. Additionally, we’ll walk through the post-disclosure timeline around how this vulnerability went from bad to worse, requiring the Apple security team to step in and use MRT to resolve this vulnerability.

Jonathan Leitschuh (@JLLeitschuh) is a Software Engineer and Security Researcher. He is currently a member of the Gradle Security Team. His company’s software is used to build almost all JVM based Android applications in the world. His research focuses on open source software, build infrastructure, and software supply chain security.


The Verilog to Verilog Decompiler

Katie Liszewski

Methods have been developed for conducting integrated circuit decomposition on fabricated chips to extract the as-fabricated design files such as the GDSII layout or gate-level netlist. While mature netlist equivalency checking tools are included with any design flow, there is a lack of tools for performing deeper analyses on the extracted designs for the purposes of hardware assurance or design recovery from obsolete parts. To this end, there is a need for a tool to extract functionality from netlists at a higher abstraction level to reconstruct behavioral Register Transfer Level (RTL) code.

Software decompilation is a well-established technique that has been used since the 1960s to recover lost source code, verify code against design changes produced by the compiler, and support detection of malicious code. In seeking to recover RTL, these 80 years of expertise in reconstructing functionality are invaluable. We introduce the terminology of “hardware decompilation” and explore where software techniques are relevant, how existing netlist structure recovery techniques fit into the decompilation pipeline, and present new techniques that are unique to hardware decompilation.

Katie Liszewski has a mathematics PhD and, since graduating, has specialized in solving computationally hard firmware and hardware security problems. At Battelle she leads efforts in emerging nondestructive counterfeit detection methods and process automation for hardware security. She has authored several papers in scalable second order effects based counterfeit detection.


Moose v. Woodchuck

Samantha Livingston

The world is buzzing with the claim that computers “can do X better than humans.” So then why did ShmooCon use animal picture identification to throw off bots during their most recent ticket sales? We’ll look at how computers are learning and more importantly how they are not learning… or alternatively how woodchucks are like moose. A simple framework will be introduced to help you understand how a computer approaches problems. Then we’ll continue by examining potential computer security applications of machine learning to prepare you to evaluate its usefulness the next time you encounter a product that promises a “deep learning” or “AI” solution to all your problems. Throughout the discussion we’ll recognize the large datasets needed for machine learning algorithms to perform reliably and the resulting implications on privacy, whether it is your personal photos or your corporate intellectual property.

Samantha Livingston is a software developer in Boston, MA. Her interests include incorporating, exploiting, and promoting the use of exploratory data analysis tools in the design and development of robust software solutions for real-world problems.


Real World Zero Trust Implementation

Mark Loveless

A lot of vendors sell Zero Trust solutions. Or do they? Most are based upon their own product line that existed before Zero Trust became a thing and have simply been adapted, and none of them are complete solutions. I work at a company that is 100% cloud based, no perimeter or VPN, an open-source BYOD background, with a 100% remote employee base. We use dozens of SaaS solutions as a company; we have hundreds of servers/containers/images, multiple cloud providers for our services; and we are growing exponentially.

We wanted to deploy Zero Trust solutions as there are many benefits from a security standpoint of doing so, but after looking at the landscape out there, we had to get extremely creative in how we deployed any solution. Our solutions are not for you–they are for us–but we learned a lot getting to the point we are at now. I’ll describe what has happened so far, what we plan to do next, what has worked and what has not, and cover some important lessons that we think might be beneficial to all those considering Zero Trust, or simply shoring up security in general since that is essentially what most of Zero Trust boils down to.

Mark Loveless (@simplenomad)–aka Simple Nomad–is a security researcher, hacker, and explorer. He has worked in startups, large companies, and hardware and software vendors. He’s spoken at numerous security and hacker conferences worldwide on security and privacy topics, including Blackhat, DEF CON, ShmooCon, RSA, AusCERT, among others. He has been quoted on television, online, and in print media outlets as a security expert, including CNN, the Washington Post, and the New York Times. He’s paranoid (justified), has done ghost hunting, been mugged four times, storm chased, and seen UFOs. He is currently a Senior Security Researcher at GitLab.


Extracting an ELF From an ESP32

Chris Lyne and Nick Miles

The Espressif ESP32 is a system on a chip (SoC) “engineered for mobile devices, wearable electronics, and IoT applications.” It provides Wi-Fi and Bluetooth LE which makes it great for products needing wireless capabilities. While researching a consumer product, we discovered an ESP32 being used to provide Wi-Fi connectivity to the device. We found that there was limited tooling available to facilitate the reverse engineering process of an ESP32 firmware image. So, we decided to create tooling of our own.

We will talk about how we went about creating our tooling to extract an ELF file from an ESP32 flash dump. With excruciating amounts of detail, we will discuss the binary format of ESP32 firmware images as well as the process of converting it to an ELF file. By the end of the talk, you will know how to go from flash dump all the way to control flow graph in IDA.

Nick Miles (@_NickMiles_) joined Tenable as a Research Manager in 2011. He has written hundreds of Nessus plugins and developed several core libraries used in the Nessus engine. He now leads the company’s Zero Day Research team. In his free time, Nick likes model aircraft, metalworking and breaking out his telescope on clear nights.

Chris Lyne (@lynerc) enjoys dissecting complex applications and lives for the hunt. Despite having deep roots in software development, his true passion is security. An avid learner, Chris is continuously evolving his skills, capabilities, and methodologies. Chris believes any problem can be solved with knowledge, intelligent decisions, and sheer grit.


Command and KubeCTL: Real-World Kubernetes Security for Pentesters

Mark Manning

Kubernetes is a security challenge that many organizations need to take on, and we as pentesters, developers, security practitioners, and the technically curious need to adapt to these challenges. In this talk we will look at tactics, techniques, and tools to assess and exploit Kubernetes clusters. We will demonstrate how to intercept service mesh traffic, evade runtime syscall filters, exploit custom sidecars, and chain attacks that go from compromising a build environment to exploiting production applications. We’ll cover real-world attack paths and provide practical advice and guidance drawn from the experience of conducting hundreds of reviews of containerized environments while running NCC Group’s container research group.

Mark Manning (@antitree) is a Technical Director with NCC Group and heads the container research practice there. He has been focused on containerization and orchestration technologies like Kubernetes and performs many of NCC Group’s containerization related assessments and research. This includes running container breakouts and attack simulations on orchestration environments, performing architecture reviews of devops pipelines, and working with developers to assist with applications that leverage containerization technologies like namespace isolation, Linux kernel controls, syscall filtering, and integration with products like Docker and Kubernetes.


Teen Hacks for Obfuscating Identity on Social Media

Russell Mosley and Samantha Mosely

It turns out our kids were listening to our caution about privacy, social media, and opsec. “Sharing” social media accounts with friends is widespread among teens: friends post to a shared account from multiple phones in multiple locations (even globally) to confuse social media applications and obfuscate their identity. They figured out how to share accounts without sharing passwords, and methods for monitoring accounts and removing abusers from the group. They use different accounts for interacting with different groups, like the one they share with “old people.”

Father-daughter presenters, Russell and Samantha, will discuss the pros and cons of these methods and share insights on what teenagers have learned from parents and from each other about privacy and opsec.

Samantha Mosely (@Pr0d1g4) is a high school junior, an instructor for Girls Who Code, and recently completed her third summer working as an embedded software engineer for a defense contractor. Samantha competed in First Lego League in international competition and co-founded a Student Voice Council to change discriminatory policies against underrepresented student populations.

Russell Mosley (@sm0kem) has nineteen years’ experience in systems administration, IT operations, and information security operations and management. He is currently the CISO for a government contractor. Samantha and Russell volunteer at the BSidesDC Crypt Kids event and are organizers with BSidesCharm and the DEF CON Blue Team Village.


Resistance Isn’t Futile: A Practical Approach to Prioritizing Defenses with Threat Modeling

Katie Nickels

There are hundreds (if not thousands) of adversary groups out there, and it’s understandable if defenders sometimes feel like resistance is futile. Good news: you don’t have to defend against all of them! Even better news: there’s a simple way you can prioritize what adversaries you focus on and how you defend against them–threat modeling. This presentation will present a simple, practical threat modeling approach that any analyst or defender can use to get started figuring out what threats matter to their organization.

The presentation will start by acknowledging the many approaches to threat modeling that others have created, and then discuss why there’s confusion around it. The presentation will then explain four simple steps and practical actions that anyone can take to get started with threat modeling: know your organization, know your adversaries, match those up, and take action. The audience will leave with an understanding of how threat modeling can help any team prioritize what threats they care about and use that to improve their organization’s defenses.

Katie Nickels (@likethecoins) is a Principal Intelligence Analyst with Red Canary and a SANS Instructor for FOR578: Cyber Threat Intelligence. She has worked in network defense, incident response, and cyber threat intelligence for over a decade, including in her prior role as the Threat Intelligence Lead for MITRE ATT&CK. Katie has shared her expertise with presentations at Black Hat, SANS Summits, and other events. She is also a Co-Chair of the SANS CTI Summit and the FIRST CTI Symposium. Katie serves as the Program Manager for the Cyberjutsu Girls Academy, which seeks to inspire young women to learn about STEM.


Adversary Detection Pipelines: Finally Making Your Threat Intel Useful

Xena Olsen

Security teams often feel like they’re in a losing battle with threat intel. They don’t know how to make threat intel useful or operationalize it within their organizations, especially if there isn’t a dedicated full-time team. In this talk, we’ll help you extract more value out of your threat intel program, giving you an easy win to level up not just your team, but the other teams in your security department. First, we’ll explore why true attribution is so hard, from false flag operations and proxy attackers to obtaining all the forensic data you would need and even possible coordination with law enforcement or government agencies to perform true attribution. We’ll discuss TTPs and how they’re a lower-cost way of tracking threat activity groups for most organizations. Then we’ll introduce Adversary Detection Pipelines, how they can add value through prioritizing defensive and offensive activities as well as a discussion on the practical implementation of them in any organization. Finally, we’ll conclude by looking at case studies of how purple teams can leverage Adversary Detection Pipelines to enhance their operations and encourage an intelligence driven security program.

Xena Olsen (@ch33r10) is a threat intelligence analyst in the financial services industry. She is a graduate of the SANS Women’s Academy with 6 GIAC certifications, holds an MBA in IT Management, and is a doctoral student in Cybersecurity at Marymount University.


Crossing the Border With Your Electronic Devices

Kurt Opsahl and Bill Budington

Our lives are on our laptops: family photos, medical documents, banking information, details about what websites we visit, and so much more. Digital searches at national borders can reach our personal correspondence, health information, and financial records, allowing an affront to privacy and dignity which is inconsistent with the values of a free society. While privacy and security are important for any traveler, this has become a critical issue for security researchers, who often travel with confidential information, and who shouldn’t need to trade off an invasive search for participating in important conversations. This talk will discuss both the legal and policy issues with border searches, as well as technological measures people can use in an effort to protect their data.

Bill Budington (@legind) and Kurt Opsahl (@kurtopsahl) fight for digital rights at the Electronic Frontier Foundation, where Bill is a Senior Staff Technologist, and Kurt is the Deputy Executive Director and General Counsel. Bill works on EFF’s Tech Projects team, building out the HTTPS Everywhere and Panopticlick software projects and researching emergent technologies. Kurt is an attorney who represents clients on civil liberties, free speech and privacy law, counsels on EFF projects and initiatives, and is the lead attorney on the Coders Rights Project, providing pro bono legal counsel to security researchers.


Chip Decapping on a Budget

Zach Pahle

What wondrous secrets lie beneath the surface of the integrated circuits that we use every day? The IC manufacturers don’t want you to know. However with some creativity and a tight budget, we can circumvent the obfuscation techniques employed by 99% of the IC industry and reveal a colorful cacophony of circuits, bond wires, and silicon dioxide. Now with more DIY!

Zach Pahle (@zjpahle) has been playing or running hacking villages since 2010. Unable to pick one hobby, he decided to try as many as he could. He enjoys robotics, software defined radios, machining, tamper evident devices, hardware hacking, and juggling. He’s also an avid foodie, and will talk cooking with anyone who asks.


Robots and Privacy

Brittany Postnikoff

Once data is taken in by a robot, it can be hard to tell where it will end up. One way to figure out how the data collected by robots will be treated and used is to read the privacy policies that come with the robots. Sometimes robot privacy policies can include clauses you likely wouldn’t expect. This presentation discusses the who, what, where, when, and why of robot data collection and the use of that data.

Brittany Postnikoff (@Straithe) is a privacy, security, and social robotics researcher. During the day she works for $JOB, but during the evening she researches robots and finds ways to include more hardware and blinking lights into her life.


Project Everest: Fast, Correct, and Secure Software for Deployment Now!

Jonathan Protzenko and Nikhil Swamy

Project Everest is a joint research effort between Microsoft Research, INRIA, Carnegie Mellon, and the University of Edinburgh. Our goal is to provide high-performance standards-based secure communication components (e.g., TLS and QUIC) backed by mathematical proofs of their correctness and security. Additionally, we aim to show that software with formal proofs can be developed and deployed at scale today, within the existing software ecosystem.

Our code is programmed in F*, a language designed for co-developing programs and proofs. We prove our code memory safe (no buffer overflows, no use-after-free, etc.); functionally correct (we always compute the right result); side-channel resistant (ruling out cache and timing-based leaks); and we provide several application-specific guarantees.

Our programming tools and verified components are open source on GitHub, including the following highlighted components:

  • EverCrypt, a functionally correct and side-channel resistant cryptographic library that matches or exceeds the performance of any other library for many algorithms
  • EverParse, a library of verified parsers and formatters for binary formats
  • EverQuic-transport, an implementation of the QUIC transport layer proven cryptographically secure

Our code is distributed as a set of C files, for easy integration with existing code. Several large projects have already adopted our components, including Firefox, Windows, Wireguard, mbedTLS, the Tezos blockchain, and many others: you should too!

https://project-everest.github.io/

Jonathan Protzenko, PhD, (@_protz_) is a Senior Researcher at Microsoft Research in Redmond. His interests revolve around type systems, language design, and software verification. Jonathan drives the EverCrypt project and wrote the F*-to-C compiler used pervasively throughout Project Everest.

Nikhil Swamy, PhD, is a Principal Researcher at Microsoft Research in Redmond, working broadly in the area of programming languages and computer security. He leads the design and implementation of the F* programming language and co-leads Project Everest.


Cisco SMB Products — Critical Vulnerabilities / 0-day Release

Ken Pyle

This session will be a detailed examination of Cisco’s Small and Medium Business products, specifically switches, outlining serious 0-day vulnerabilities in the embedded web application and API.

These attacks can result in complete compromise of the endpoint, leakage of accounts and passwords, metadata, and network configuration. Other attacks demonstrated will include XSS / HTML Injection vulnerabilities and unpatchable application issues. These issues affect the entire Cisco Small Business switch product line, SNA, and rebranded products, such as Linksys. This session will serve as the public release for these critical vulnerabilities.

Ken Pyle is a partner of DFDR Consulting specializing in Information Security, Computer Forensics, Enterprise Virtualization, and Network Engineering. Ken has an extensive background in Network Penetration and Remediation, Compliance, and exploit development. Ken has published exploit research and vulnerabilities for a large number of companies, including Dell, Cisco, Sonicwall, Sage Software, and DATTO. Ken’s academic work includes social engineering research, application of sociology and psychological factors to phishing campaigns, and technical work on next generation attacks.


Banjo: An Android Disassembler for Binary Ninja

Austin Ralls

A common recommendation for reverse engineering Android apps is to start with a decompiler to Java (like JADX or JD-GUI) and look at Smali generated by baksmali for methods where they fail. In an obfuscated or just weird application, many methods can fail decompilation, forcing us back into the dark ages of reading text disassembly.

This presentation will release Banjo, a plugin for Binary Ninja that brings interactive disassembly features like references, graph mode, and a Python 3 API to Smali. Banjo also includes a standalone Smali disassembler that attempts to produce the same output format as baksmali. The presentation will also cover how to make Binary Ninja do things it wasn’t designed to do while disassembling a complex VM language. This includes details of why Android apps in particular posed a challenge, what workarounds were employed, and some undocumented features of Binary Ninja that can help you write your own plugins for other languages.

Austin Ralls is a pentester at Carve Systems, where he hacks things like IoT devices, Linux systems, binary protocols, networks, and Android apps. Outside of work he competes in CTFs with RPISEC.


What if We Had TLS for Phone Numbers? An Introduction to SHAKEN/STIR

Kelley Robinson

If you’ve noticed a surge in unwanted robocalls from your own area code in the last few years, you’re not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it’s time to address the problem.

This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We’ll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.

Kelley Robinson (@kelleyrobinson) works on the Account Security team at Twilio, helping developers manage and secure customer identity in their software applications. Previously she worked in a variety of infrastructure and data engineering roles at startups in San Francisco. She believes in making technical concepts, especially security, accessible and approachable for new audiences. In her spare time, Kelley is an avid home cook and greatly enjoys reorganizing her Brooklyn kitchen to accommodate completely necessary small appliance purchases.


Playing the Short Game: The Effects of Data Breaches on Share Prices

Chaim Sanders

The security industry is quick to point out that data breaches will negatively affect the public perception of an organization. While regulatory fines and lawsuits may also impose financial penalties, they often only represent a slap on the wrist compared to the cost of maintaining an effective security program. With over two hundred breaches disclosed against public companies in the last thirteen years, I investigate if the security shortfalls of breached organizations can impact their stock price. In this session I examine and expand upon existing work identifying the effects of announced breaches on publicly traded companies. Using this expanded dataset I will determine what measurable fiduciary effects breach notifications have on public companies and possible future trends in this area.

Chaim Sanders is a security researcher, lecturer, and security engineer. When he is not busy being overly cynical about the state of computing security, he teaches for the Computing Security department at the Rochester Institute of Technology and works as a Senior Offensive Security Engineer at Okta. His areas of interests include web application security and secure software development. Chaim’s sarcasm driven approach to security provides a unique vantage point that helps him to contribute to several Open Source projects including ModSecurity and OWASP Core Rule Set where he serves as the project leader.


0wn the Con

The Shmoo Group

For fifteen years, we’ve chosen to stand up and share all the ins and outs and inner workings of the con. Why stop now? Join us to get the breakdown of the budget, insight into the CFP process, a breakdown of the hours it takes to put on a con like ShmooCon, and anything else you might want to talk about. This is an informative, fast paced, and generally fun session as Bruce dances on stage, and Heidi tries to hide from the mic. Seriously though–if you ever wanted to know How, When, or Why when it comes to ShmooCon you shouldn’t miss this. Or go ahead and do. It’ll be online later anyway.

The Shmoo Group is the leading force behind ShmooCon. Together with our amazing volunteers we bring you ShmooCon. It truly is a group effort.


Choose Your Own Adventure: Ransomware Response!

Heather Smith

This talk starts out simple enough–the CISO has contacted you, the incident responder. There’s a ransom note, they’re yanking and rebooting machines, mass panic, now what?

Walk through a full ransomware scenario, stopping along the way to vote on crucial turning points as an audience. What flavor of malware will you find? Will there be more than one threat actor? APT or script kiddie? Oh no, is that Joe from accounting’s nudes?

This talk is based on multiple REAL ransomware cases, they’ve just been obfuscated to protect the innocent. Come for the memes, catharsis, and bizarre stories that can result–you choose!

Heather Smith (@LitMoose), aka Moose, is a DFIR (digital forensics and incident response) Dumpster Diver, a lover of logs, report artificer, and generally benevolent contractor. She has some degrees but would rather talk to you about weird stuff she finds on cell phones or reconstructing RDP sessions. Caretaker of three cats, fiddle player, and fan of potatoes in all forms.


The Cyberlous Mrs. Maisel: A Comedic (and slightly terrifying) Introduction to Information Warfare

J. Zhanna Malekos Smith, J.D.

Like a dear family relative who won’t stop talking at Thanksgiving dinner, a backdoor exploit also talks to anyone who’ll listen. Come listen to the Cyberlous Mrs. Maisel! She’ll offer a satirical reflection on how we engage with technology in the Information Age and explain the basic historical principles that animate Russia’s approach to information warfare. Topics covered include maskirovka (i.e., camouflage, concealment, and deception), disinformation, and reflexive control, among others. Although a strategic objective of information warfare is to induce complacency with falsehoods, this presentation’s unique style can help jolt the public’s consciousness awake through its originality and bite.

Jessica ‘Zhanna’ Malekos Smith, a Duke University researcher, served as a captain in the U.S. Air Force Judge Advocate General’s Corps and is a delegate in Stanford University’s U.S.-Russia Forum. She received a B.A. from Wellesley College, an M.A. and A.K.C. from King’s College London, Department of War Studies, and J.D. from the University of California, Davis School of Law. Malekos Smith has held fellowships with the Madeleine K. Albright Institute for Global Affairs, the Belfer Center’s Cyber Security Project at the Harvard Kennedy School, and Duke University Law School as the Everett Cyber Scholar. She has presented at DEF CON, RSA, and ShmooCon, and been published in The Hill, Defense One, and The National Interest, among others.


Airplane Mode: Cybersecurity @ 30,000+ Feet

Olivia Stella

Imagine being in charge of a system where you own the product. You do not own the software and the hardware is proprietary. You need to coordinate with multiple vendors for any updates or modifications, and you’re under strict government regulation. By the way, the product has a lifespan of 20-30 years. Welcome to the world of aviation cybersecurity, where safety and security live together. At a high level this presentation will cover what is aviation cybersecurity, the unique challenges it represents, and why the industry is captivating.

Olivia Stella (@OliviaCurls) is an aviation cybersecurity engineer for American Airlines. In her current role, she focuses on aviation security and vulnerability management including pen testing and coordinated disclosure. She has over ten years of experience in software development and information security. Previously, she worked at an in-flight entertainment company in product security supporting incident response, risk & compliance, and as the bug bounty lead. She holds a bachelor’s degree in computer science, a master’s in software engineering, CISSP & CISM. When she’s not wearing her security hat, she loves to curl and is an avid toastmaster. (That’s right, ice curling.)


Reverse Engineering Apple’s BLE Continuity Protocol for Tracking, OS Fingerprinting, and Behavioral Profiling

Sam Teplov

We reverse engineer several message types of Apple’s Bluetooth Low Energy (BLE) Continuity protocol, and show that they can be used for tracking, operating system fingerprinting, and behaviorally profiling users. In particular, we identify and reverse engineer seven distinct message types, most of which are sent in response to a particular user interaction with their iOS or macOS device. Through a series of rigorous tests in a radio-frequency sterile environment, we i) determine what actions are necessary to stimulate a device to transmit these messages, ii) deduce the meanings of most fields within each message type, and iii) ascertain how operating system version updates have introduced and affected each message type. Together, this information allows an adversary within BLE transmission range to determine what actions a user is making on their device, infer what operating system version they are using, and even track users despite the use of randomized BD_ADDR. Finally, we introduce, demonstrate, and publicly release the first-ever Wireshark dissector for displaying the Continuity message types we and other security researchers have reverse engineered.
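A dissector for these messages has to do two things before any of the per-type decoding the abstract describes: walk the generic BLE advertising-data structures to find the Manufacturer Specific Data element, and then walk Apple's own type/length/value messages inside it, since one advertisement routinely carries more than one Continuity message. The block below is an added example of that skeleton, not the FuriousMAC Wireshark dissector. The BLE framing (a run of [length][AD type][data] structures; AD type 0xFF carrying a little-endian company ID, 0x004C for Apple) and the iBeacon layout are standard; the Continuity type names are those used in the public reverse-engineering work as I recall them, the Nearby Info action-code nibble is an assumed field layout, and both advertisements are constructed rather than captured.

```python
import struct
from typing import List, Tuple

AD_MANUFACTURER_SPECIFIC = 0xFF
APPLE_COMPANY_ID = 0x004C

# Continuity message types; names assumed from the published research.
CONTINUITY_TYPES = {
    0x02: "iBeacon",
    0x05: "AirDrop",
    0x07: "Proximity Pairing",
    0x09: "AirPlay Target",
    0x0A: "AirPlay Source",
    0x0B: "HomeKit",
    0x0C: "Handoff",
    0x0D: "Tethering Target Presence",
    0x0E: "Tethering Source Presence",
    0x0F: "Nearby Action",
    0x10: "Nearby Info",
}


def split_ad_structures(adv: bytes) -> List[Tuple[int, bytes]]:
    """Walk the [len][type][data...] structures of one advertising payload."""
    out, off = [], 0
    while off < len(adv):
        length = adv[off]
        if length == 0:            # zero-length structure means padding; stop
            break
        if off + 1 + length > len(adv):
            raise ValueError("AD structure at offset %d runs past payload" % off)
        out.append((adv[off + 1], bytes(adv[off + 2:off + 1 + length])))
        off += 1 + length
    return out


def decode_message(mtype: int, value: bytes) -> dict:
    rec = {"type": mtype, "name": CONTINUITY_TYPES.get(mtype, "Unknown 0x%02x" % mtype),
           "length": len(value), "raw": value.hex()}
    if mtype == 0x02 and len(value) == 21:
        # iBeacon: 16-byte UUID, big-endian major/minor, signed one-byte TX power at 1 m
        uuid, major, minor, tx = struct.unpack(">16sHHb", value)
        rec.update(uuid=uuid.hex(), major=major, minor=minor, tx_power=tx)
    elif mtype == 0x10 and len(value) >= 2:
        # Assumed layout: low nibble of byte 0 is the device "action" code (locked,
        # home screen, ...); byte 1 carries status flags; the rest is an auth tag.
        rec.update(action_code=value[0] & 0x0F, status_flags=value[1])
    return rec


def parse_apple_payload(data: bytes) -> List[dict]:
    """Split Apple manufacturer data into its [type][len][value] messages."""
    if len(data) < 2 or struct.unpack("<H", data[:2])[0] != APPLE_COMPANY_ID:
        return []                  # some other vendor's manufacturer data
    msgs, off = [], 2
    while off + 2 <= len(data):
        mtype, mlen = data[off], data[off + 1]
        value = data[off + 2:off + 2 + mlen]
        if len(value) != mlen:
            raise ValueError("Continuity message 0x%02x truncated" % mtype)
        msgs.append(decode_message(mtype, value))
        off += 2 + mlen
    if off != len(data):
        raise ValueError("trailing byte after last Continuity message")
    return msgs


def parse_advertisement(adv: bytes) -> List[dict]:
    """Return every Continuity message found in one advertising payload."""
    found = []
    for ad_type, data in split_ad_structures(adv):
        if ad_type == AD_MANUFACTURER_SPECIFIC:
            found.extend(parse_apple_payload(data))
    return found


# Constructed sample payloads (not captured traffic).
IBEACON_ADV = bytes.fromhex(
    "020106"                                              # Flags
    "1aff4c00" "0215" "e2c56db5dffb48d2b060d0f5a71096e0"  # Manufacturer data, iBeacon, UUID
    "0001" "0002" "c5")                                   # major 1, minor 2, TX power -59 dBm
CONTINUITY_ADV = bytes.fromhex(
    "02011a"
    "1aff4c00"
    "1005" "1b18aabbcc"                                   # Nearby Info
    "0c0e" "00341200" "00112233445566778899")             # Handoff, 14 opaque bytes
```

Because the walker returns every message rather than the first one, a capture tool built on it can correlate the messages that appear together (a Nearby Info message alongside a Handoff message, for instance), which is exactly the kind of co-occurrence that lets an observer infer what the user is doing even when the advertising address itself is randomized.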

The FuriousMAC research group at the US Naval Academy was established in 2015 to investigate computer security and privacy topics. The group consists of current and former cyber operations and computer science faculty, as well as undergraduate and recently-graduated student researchers. FuriousMAC is especially interested in wireless network identifiers and how they can be leveraged to track users, as well as in evaluating techniques designed to prevent tracking and protect users’ privacy. FuriousMAC’s research has been published in numerous highly competitive security and privacy venues.


Security Researcher OPSEC

Krassimir Tzvetanov

Whether performing an in-depth investigation or merely quick research, the investigator (or researcher) and the investigation itself are exposed to certain risks.

This talk focuses on security and safety issues pertaining to online research and investigations. It covers different areas of the investigative process and how tools and particular techniques can leak information detrimental to the case or the investigator.

Furthermore, it goes deeper into how investigators and blue teams can be profiled and targeted. These can be direct attacks against their computers or supporting infrastructure, against their person, or against the investigation itself, which in turn may be as subtle as steering it in the wrong direction or making the evidence inadmissible in court.

More specifically the talk will cover different browser and infrastructure fingerprinting techniques, browser hooking, instant messaging programs, email security, and tracking.

As it covers the dangers, this talk provides a series of countermeasures and mitigations which can help the investigator increase their level of safety and security and decrease their digital footprint.

In addition, the talk introduces containerization and how it can be used to segment and streamline the process.

Krassimir Tzvetanov is a graduate student at Purdue University focusing on Threat Intelligence, Operational Security, and Counterintelligence techniques (in the cyber domain). In the recent past, Krassimir was a security engineer at a small CDN, where he focused on incident response, investigations, and threat research. Previously he worked for companies like Cisco and A10 focusing on threat research and information exchange, DDoS mitigation, and product security. Before that, Krassimir held several operational (SRE) and security positions at companies like Google and Yahoo!. Krassimir is very active in the security research and investigation community and has contributed to FIRST SIGs. He is also a co-founder of the BayThreat security conference, which he ran, and has volunteered in different roles at DEF CON, ShmooCon, and DC650.


Face/Off: Action Plan for Perils & Privileges of Facial Recognition

Elizabeth Wharton and Suchi Pahi

Biometric data, and facial recognition in particular, is becoming ubiquitous–unlocking your phone, airline boarding passes, law enforcement, in-store marketing metrics, even ordering fast food. As engineers, managers, or leaders, our focus is on revenue, design, and cutting-edge technology. But what about the other effects of facial recognition? Your voice may be your password, but what happens when it’s your face and there’s a data breach, or the data is wrong? With studies indicating error ranges in excess of 35%, increasing state biometric-related privacy statutes, and biometric data breaches on the rise–what should you be worried about and watching as an architect and designer of such systems?

We’re going to discuss the current facial recognition use cases, growing regulatory concerns, the consequences of facial recognition, and what you can do to make sure that facial recognition technology doesn’t run amok.

Suchi Pahi (@suchipahi) is a data privacy and cybersecurity lawyer. She was supposed to be a doctor but instead wound up in law school arguing about the CFAA. After years of cybersecurity firefighting on behalf of clients at a law firm, Suchi is currently Director of Privacy and Business Affairs at Rally Health, Inc.

Elizabeth Wharton (@lawyerliz) is a technology-focused business and public policy attorney who has advised researchers, startups, and policymakers at the federal, state, and local level. In addition to (legally) working with drones at the World’s Busiest Airport, she also is the former host of “Buzz Off with Lawyer Liz” podcast.


Hack the Stars

Yacko, Wacko, and Dot

The year is 2020, and NASA struggles to deliver public-sector access to space while megacorporations are planning the colonization of Mars. “Hack the Planet” was thinking too small. As commercial enterprise expands into space faster than regulatory bodies can adapt, the security and technology posture of space-based systems looks a lot like the wild west of the party line days of phone phreaking. On the ground more and more groups rely on satellite data links to connect critical infrastructure and deliver cat videos to isolated personnel, and in the air numerous non-government organizations are deploying remote sensing cubesats to orbit for science and profit. As the cost of RF equipment to engage these systems goes down, the likelihood that casual hackers will go after your space asset naturally goes up. This talk will examine the attack surface presented by space-based communications relays and sensing platforms. We will share our experience and some tips on how to build simple solutions to get started hacking the stars, then outline a few theoretical methods to defensively instrument the astroenterprise.

Yacko, Wacko, and Dot started their infosec careers after their hit TV show went off the air in 1998. Yacko and Wacko deliver pentesting support to numerous telecommunications clients around the world, and Dot is actively involved in the operation of an RF-sensing cubesat. They regularly compete in the WCTF and can be found near piles of Pelican cases loaded with antennas and blinking lights.