DEF CON 25

The Packet Hacking Village will be located in the Neopolitan Ballroom and Milano VIII at Caesars Palace (right behind the vendor area).

Speaker Workshops Schedule

Friday, July 28th Saturday, July 29th Sunday, July 30th
10:10 Opening Ceremony / How Hackers Changed The Security Industry
Chris Wysopal
Make Your Own 802.11ac Monitoring Hacker Gadget
Vivek Ramachandran, Thomas d'Otreppe
CLOSED
11:10 When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News
Catherine J. Ullman, Chris Roberts
The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots
Gabriel Ryan
Demystifying the OPM breach, WTF really happened
Ron Taylor
12:10 Iron Sights for Your Data
Leah Figueroa
Fortune 100 InfoSec on a State Government Budget
Eric Capuano
Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform
Eric Capuano
13:10 CVE IDs and How to Get Them
Daniel Adinolfi, Anthony Singleton
YALDA – Large Scale Data Mining for Threat Intelligence
Gita Ziabari
Stories from a 15 days SMB Honeypot: Mum, Tons of WannaCry and Evils Attacked Our Home!
Tan Kean Siong
14:10 You're Going to Connect to the Wrong Domain
Sam Erb
Past, Present and Future of High Speed Packet Filtering on Linux
Gilberto Bertin
Closing Ceremony
14:40 XSS FTW - What Can Really Be Done With Cross-Site Scripting
Brute Logic
Visual Network and File Forensics
Ankur Tyagi
15:10 IP Spoofing
Marek Majkowski
Modern Day CovertTCP with a Twist
Mike Raggo, Chet Hosmer
16:10 Layer 8 and Why People are the Most Important Security Tool
Damon Small
Fooling the Hound: Deceiving Domain Admin Hunters
Tom Sela
CLOSED
17:10 AWS Persistence and Lateral Movement Techniques
Peter Ewane
Hunting Down the Domain Admin and Rob Your Network
Keith Lee and Michael Gianarakis
CLOSED
17:40 Strengthen Your SecOps Team by Leveraging Neurodiversity
Megan Roddie
CLOSED
18:10 Threat Intel for All: There's More to Your Data Than Meets the Eye
Cheryl Biswas
Passwords on a Phone
Sam Bowne
CLOSED

DJ Schedule

Friday, July 28th Saturday, July 29th Sunday, July 30th
10:00 phreakocious yurk CLOSED
11:00 tense future vs phreakocious yurk vs tense future kampf
12:00 phreakocious vs yurk percent27 yurk
13:00 s7a73farm percent27 phreakocious
14:00 tense future tense future (Live) PHV will be doing teardown and load/unload all day. We'll jam until the gear is gone. :)
15:00 os.system Skittish and Bus
16:00 percent27 Deep Therapy
17:00 Deep Therapy Joey Muniz
18:00 yurk phreakocious

Speaker Workshops Abstracts and Bios

AWS Persistence and Lateral Movement Techniques

Peter Ewane, Security Researcher at AlienVault

Presentation Slides: phv2017-pewane.pdf

The use of Amazon Cloud as a base of operations for businesses is increasing at a rapid rate. Everyone from 2 person start-ups to major companies have been migrating to the cloud. Because of this migration, cloud vendors have become the focus of potential exploitation and various role abuse in order to achieve persistence. This presentation will cover several different methods of post-infection and account persistence along with a discussion on best practices that can be used to protect from such techniques.

Peter Ewane (Twitter: @eaterofpumpkin) is a security researcher, sometimes conference speaker and a mostly blue teamer for the Alien Vault Labs Team. When not playing with computers, Peter enjoys trying and making interesting cocktails and collecting whisk(e)y.

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

Gabriel Ryan, Security Engineer at Gotham Digital Science

Presentation Slides: phv2017-gryan.pdf

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility. The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In this presentation, we will present a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel Ryan (Twitter: @s0lst1c3) is a penetration tester and researcher with a passion for wireless and infrastructure testing. His career began as a systems programmer at Rutgers University, where he assessed, diagnosed, and resolved system and application issues for a user community of over 70,000 faculty, students, and staff. Gabriel then went on to work as a penetration tester and researcher for the Virginia-based defense contractor OGSystems. While at OGSystems, he worked as a lead engineer on the Mosquito project, a geospatial intelligence tool that leverages wireless technology to track potential threats. Gabriel currently works for the international security consulting firm Gotham Digital Science at their New York office, where he performs full scope red team penetration tests for a diverse range of clients. He also contributes heavily to his company's research division, GDS Labs. Some of his most recent work includes a whitepaper on rogue access point detection, along with the popular tool Eaphammer, which is used for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

CVE IDs and How to Get Them

Daniel Adinolfi, Lead Cybersecurity Engineer at The MITRE Corporation
Anthony Singleton, Cyber Security Engineer at The MITRE Corporation

Presentation Slides: phv2017-adinolfisingleton.pdf

The Common Vulnerabilities and Exposures (CVE) program uniquely identifies and names publicly-disclosed vulnerabilities in software and other codebases. Whether you are a vulnerability researcher, a vendor, or a project maintainer, it has never been easier to have CVE IDs assigned to vulnerabilities you are disclosing or coordinating around. This presentation will be an opportunity to find out how to participate as well as a chance to offer your thoughts, questions, or feedback about CVE. Attendees will learn what is considered a vulnerability for CVE, how to assign CVE IDs to vulnerabilities, how to describe those vulnerabilities within CVE ID entries, how to submit those assignments, and where to get more information about CVE assignment.

Daniel Adinolfi (Twitter: @pkdan14850) is a Lead Cybersecurity Engineer at The MITRE Corporation. He works as part of the CVE Program as the CVE Numbering Authority (CNA) Coordinator and the Communications Lead. Daniel has a background in security operations and incident response and in developing information sharing programs, compliance programs, and security architectures. Daniel also writes poetry, plays games, and drinks a lot of coffee. He works in cybersecurity to pay the bills. Most of those bills are coffee and game-related.

Anthony Singleton recently completed his MS in Information Security and Policy Management at Carnegie Mellon University. He has worked for CERT-CC interning as a Cyber Workforce Developer and Vulnerability Analyst and is currently working at MITRE Corporation as a Cybersecurity Engineer with a focus in both the CVE and CWE efforts. Anthony is an aspiring Hacker working towards acquiring both the OSCP certificate and CEH certificate. He is a major New England Patriots fan and enjoys working on his Jeep Wrangler on his down time.

Demystifying the OPM Breach: WTF Really Happened

Ron Taylor

In September 2016 the House Committee on oversight finally released their report. Four years after the original breach, we are still asking how the f*#! did this happen. This talk with go over the key findings of the report and the impact on those who were effected.

Ron Taylor (Twitter: @Gu5G0rman) has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting where he gained experience in many areas. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance. In 2012, he moved into a position with the Security Research and Operations group (PSIRT) where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. In his current role, he is a Consulting Systems Engineer specializing in Cisco's security product line. Certifications include GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Co-Founder and President of the Raleigh BSides Security Conference, and member of the Packet Hacking Village team at DEF CON.

Fooling the Hound: Deceiving Domain Admin Hunters

Tom Sela, Head of Security Research at illusive networks

Presentation Slides: phv2017-tsela.pdf

The conflict between cyber attackers and defenders is too often in favor of attackers. Recent results of graph theory research incorporated into red-team tools such as BloodHound, shift the balance even more dramatically towards attackers. Any regular domain user can map an entire network and extract the precise path of lateral movements needed to obtain domain admin credentials or a foothold at any other high-value asset. In this talk, we present a new practical defensive approach: deceive the attackers. Since the time of Sun Tzu, deceptions have been used on the battlefield to win wars. In recent years, the ancient military tactic of deceptions has been adopted by the cyber-security community in the form of HoneyTokens. Cyber deceptions, such as fictitious high-privilege credentials, are used as bait to lure the attackers into a trap where they can be detected. To shift the odds back in favor of the defenders, the same BloodHound graphs that are generated by attackers should be used by defenders to determine where and how to place bait with maximum effectiveness. In this way, we ensure that any shortest path to a high-value asset will include at least one deceptive node or edge.

Tom Sela (Twitter: @4x6hw) is Head of Security Research at illusive networks, specializing in Reverse Engineering, Malware Research, and OS internals. Prior to joining illusive, Tom lead the Malware Research team at Trusteer (acquired by IBM). Tom majored in Computer Science at Ben-Gurion University and studied at the Israeli Naval Academy, University of Haifa.

Fortune 100 InfoSec on a State Government Budget

Eric Capuano, SOC Manager at Texas Department of Public Safety

Presentation Slides: phv2017-ecapuano.pdf

A common misconception is that it takes spending millions to be good at security. Not only is this untrue, but I will share ways that you can increase security posture while actually reducing spending. This talk outlines many of the tricks and mindsets to doing security well without breaking the bank. This is not the typical “Problem, problem, problem....” talk.... This is a solution-based talk that goes back to many of the basic challenges facing SOC teams everywhere.

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEF CON.

Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform

Eric Capuano, SOC Manager at Texas Department of Public Safety

How prepared is your incident response team for a worst case scenario? Waiting for a crisis to happen before training for a crisis is a losing approach. For things that must become muscle memory, instinctive, you must simulate the event and go through the motions. This talk is a deep-dive technical discussion on how you can build your own DFIR simulation. Best part -- almost all of this can be accomplished with open source tools and inexpensive equipment, but I'll also share tips and tricks on getting free commercial hardware and software for use in your new simulation environment!

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEF CON.

How Hackers Changed The Security Industry

Chris Wysopal, CTO and Co-Founder of Veracode

Presentation Slides: phv2017-cwysopal.pdf

Before hackers got involved in cybersecurity the industry was focused on products and compliance. Security was security features: firewalls, authentication, encryption. Little thought was given to vulnerabilities that allowed the bypassing of those features. Hackers came along with the idea that you use offensive techniques to simulate how an attacker would discover vulnerabilities in a networks, a system, or an application. Offensive skills have been on the rise ever since and now the best way to secure something it to try and break it yourself before the attacker does. This history will be told from a member of the hacker group The L0pht who lived the arc from the underground, to consumer advocates, to speaking at the U.S. Senate, to forming a 200 employee security consultancy, to schooling Microsoft and changing how people build software. Attendees will learn why we need the kind of tools hackers build to secure our systems and why we need people who are taught to think like hackers, 'security champions', to be part of software development teams.

Chris Wysopal (Twitter: @WeldPond) Chris Wysopal is currently Veracode's CTO and co-founder. He is one of the original vulnerability researchers and an early member of L0pht Heavy Industries, which he joined in 1992. He is the author of netcat for Windows and one of the authors of L0phtCrack. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.

Hunting Down the Domain Admin and Rob Your Network

Keith Lee, Senior Security Consultant at Trustwave SpiderLabs
Michael Gianarakis, Director of Trustwave SpiderLabs Asia-Pacific

Presentation Slides: phv2017-leegianarakis.pdf

Portia: it's a new tool we have written at SpiderLabs to aid in internal penetration testing test engagements. The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources as well as an IP ranges, subnet or list of IP addresses. The tool finds its way around the network and attempts to gain access into the hosts, finds and dumps the passwords/hashes, reuses them to compromise other hosts in the network. In short, the tool helps with lateral movements in the network and automating privilege escalation as well as find sensitive data residing in the hosts.

Keith Lee (Twitter: @keith55) is a Senior Security Consultant with Trustwave's SpidersLabs Asia-Pacific. SpiderLabs is one of the world's largest specialist security teams, with over 100 consultants spread across North America, South America, Europe and the Asia Pacific. Keith Lee has presented in Hack In The Box, BlackHat Arsenal and PHDays.

Michael Gianarakis is the Director of Trustwave SpiderLabs' Asia-Pacific practice where he oversees the delivery of technical security services in the region. Michael has presented at various industry events and meetups including, Black Hat Asia, Thotcon, Rootcon, and Hack in the Box. Michael is also actively involved in the local security community in Australia where he is one of organizers of the monthly SecTalks meetup.

IP Spoofing

Marek Majkowski, Cloudflare

Presentation Slides: phv2017-mmajkowski.pdf

At Cloudflare we deal with DDoS attacks every day. Over the years, we've gained a lot of experience in defending from all different kinds of threats. We have found that the largest attacks that cause the internet infrastructure to burn are only possible due to IP spoofing.

In this talk we'll discuss what we learned about the L3 (Layer 3 OSI stack) IP spoofing. We'll explain why L3 attacks are even possible in today's internet and what direct and reflected L3 attacks look like. We'll describe our attempts to trace the IP spoofing and why attack attribution is so hard. Our architecture allows us to perform most attack mitigations in software. We'll explain a couple of effective L3 mitigation techniques we've developed to stop our servers burning.

While L3 attacks are a real danger to the internet, they don't need to be. With a bit of cooperation and couple of technical tricks maybe we can fix the IP spoofing problem for all.

Marek Majkowski (Twitter: @majek04). After fruitful encounters with such diverse topics as high performance key value databases, distributed queueing systems, making real time web communication enjoyable, and accelerating the time so that testing servers and protocols takes seconds, Marek Majkowski finally settled for working on DDoS mitigation in the CloudFlare London office, where he appreciates most the parking space for his motorbike.

Iron Sights for Your Data

Leah Figueroa

Presentation Slides: phv2017-leah.pdf

Data breaches have become all too common. Major security incidents typically occur at least once a month. With the rise of both security incidents and full data breaches, blue teams are often left scrambling to put out fires and defend themselves without enough information. This is something that can be changed with the right tools. Tools now available allow blue teams to weaponize data and use it to their advantage. This talk reviews frameworks for clean, consistent data collection and provides an overview of how predictive analytics works, from data collection to data mining to predictive analytics to forecasts. The allows the blue team to focus on potential risks instead of trying to put out every fire.

Leah Figueroa (Twitter: @Sweet_Grrl) is a 13 year veteran of the data analytics field and works as a data analyst in higher education. She holds a Master's in Education, an ABD in research psychology, and taught kindergarten. A data aficionado, Leah focuses on research on improving students' outcomes at the higher education level, including focusing on both minority students issues as well as issues pertaining to students who come from a background of poverty. While not at work, Leah is interested in improving blue teams by helping bring data analytics into the team. Leah also enjoys being a fiber artist (knitter), loves cats, InfoSec, picking locks, cooking, and reading.

Layer 8 and Why People are the Most Important Security Tool

Damon Small, Technical Director, Security Consulting at NCC Group North America

Presentation Slides: phv2017-chef.pdf

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.

Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user's activity. The goal of the presentation is show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 17 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. As Technical Director for NCC Group, Small has a particular interest in research and business development in the Healthcare and Oil and Gas industries. His role also includes working closely with NCC consultants and clients in delivering complex security assessments that meet varied business requirements.

Make Your Own 802.11ac Monitoring Hacker Gadget

Vivek Ramachandran, Founder of Pentester Academy and SecurityTube.net
Thomas d'Otreppe, Author of Aircrack-ng

802.11ac networks present a significant challenge for scalable packet sniffing and analysis. With projected speeds in the Gigabit range, USB Wi-Fi card based solutions are now obsolete! In this workshop, we will look at how to build a custom monitoring solution for 802.11ac using off the shelf access points and open source software. Our "Hacker Gadget" will address 802.11ac monitoring challenges such as channel bonding, DFS channels, spatial streams and high throughput data rates. We will also look different techniques to do live streaming analysis of 802.11 packets and derive security insights from it!

Vivek Ramachandran (Twitter: @securitytube) is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started SecurityTube.net in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon, Mundo Hacker Day and others.

Thomas d'Otreppe (Twitter: @aircrackng) is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as an author of a pro-active wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues

Modern Day CovertTCP with a Twist

Mike Raggo, CSO at 802 Secure, Inc.
Chet Hosmer, Owner of python-forensics.org

Presentation Slides: phv2017-raggohosmer.pdf

Taking a modern day look on the 20 year anniversary of Craig Rowland's article on Covert TCP, we explore current day methods of covert communications and demonstrate that we are not much better off at stopping these exploits as we were 20 years ago. With the explosion of networked devices using a plethora of new wired and wireless protocols, the covert communication exploit surface is paving new paths for covert data exfiltration and secret communications. In this session, we will explore uPnP, Zigbee, WiFi, P25, Streaming Audio Services, IoT, and much more. Through real-world examples, sample code, and demos; we bring to light this hidden world of concealed communications.

Mike Raggo (Twitter: @MikeRaggo) Chief Security Officer, 802 Secure (CISSP, NSA-IAM, ACE, CSI) has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of “Mobile Data Loss: Threats and Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS and PCI, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer (Twitter: @ChetHosmer) is the Founder of Python Forensics, Inc. a non-profit organization focused on the collaborative development of open-source investigative technologies using the Python programming language. Chet is also the founder of WetStone Technologies, Inc. and has been researching and developing technology and training surrounding forensics, digital investigation and steganography for over two decades. He has made numerous appearances to discuss emerging cyber threats including National Public Radio's Kojo Nnamdi show, ABC's Primetime Thursday, NHK Japan, CrimeCrime TechTV and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com and Wired Magazine. He is the author of three recent Elsevier/Syngress Books: Python Passive Network Mapping, Python Forensics, and Data Hiding. Chet serves as a visiting professor at Utica College where he teaches in the Cybersecurity Graduate program. He is also an Adjunct Faculty member at Champlain College in the Masters of Science in Digital Forensic Science Program. Chet delivers keynote and plenary talks on various cyber security related topics around the world each year.

Passwords on a Phone

Sam Bowne

Presentation Slides: phv2017-sbowne.pdf

Almost all Android apps from major retailers store your password on the phone, which is dangerous and unnecessary. And they don't even use the Android KeyStore; they just use custom encryption schemes that generate a key in predictable ways, so passwords are easily recoverable. This is “fake encryption” – the data appears to be encrypted but in fact is not actually protected from attackers. I will present results of my tests of many top retailers, and demonstrate how to steal passwords from them. I will also list a few (very few) companies who actually protect their customers' passwords properly.

Sam Bowne (Twitter: @sambowne) has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and taught classes and many other schools and teaching conferences. He has these things: BS, PhD, CEH, CISSP, WCNA, and a lot of T-shirts.

Past, Present and Future of High Speed Packet Filtering on Linux

Gilberto Bertin, CLoudflare

Presentation Slides: phv2017-gbertin.pdf

As internet DDoS attacks get bigger and more elaborate, the importance of high performance network traffic filtering increases. Attacks of hundreds of millions of packets per second are now commonplace. In this session, we will introduce modern techniques for high speed network packet filtering on Linux. We will follow the evolution of the subject, starting with Iptables and userspace offload solutions (such as EF_VI and Netmap), discussing their use cases and their limitations. We will then move on to a new technology recently introduced in the Linux kernel called XDP (express data path), which works by hooking an eBPF program into the lowest possible layer in the Linux kernel network stack, allowing network traffic to be filtered at high speeds.

Gilberto Bertin (Twitter: @akajibi) originally from a little Italian town near Venice, loves tinkering with low level systems, especially networking code. After working on variety of technologies like P2P VPNs and userspace TCP/IP stacks, he decided to move to London to help the Cloudflare DDoS team filter all the bad internet traffic.

Stories from a 15 days SMB Honeypot: Mum, Tons of WannaCry and Evils Attacked Our Home!

Tan Kean Siong, Security Researcher

Presentation Slides: phv2017-tksiong.pdf

WannaCry, Eternal Blue, SambaCry are the popular topic recently. During the outbreak in May 2017, we designed a 'real' Windows 7 / Samba server with the open source Dionaea honeypot and exposed the favourable SMB port to the world. There are tons of expected WannaCry attacked the pot, and interestingly there are more juicy collection than that! In this session, we would like to present the stories from a 15 days SMB honeypot. As a honeypot hobbyist, we deployed an emulated Windows 7 machine which implanted with DoublePulsar backdoor. Yes, a Windows system infected with DoublePulsar! Also, our honeypot is up for the CVE 2017-7494 SambaCry vulnerability. We observed tons of scanning which looks for targets to spread the expected WannaCry ransomware. Surprisingly, there are more juicy collection in the pot, e.g. EternalRocks, Reverse Shell, RAT, DDoSers, Coin Miner, Trojan, etc (you name it you have it!). We love to share various interesting data, with the 15 days observation from a single home-based sensor in the entire IP space.

Tan Kean Siong (Twitter: @gento_) is an independent security researcher and honeypot hobbyist. As part of The Honeynet Project, he enjoys reading the backlog of various sensors over the net, analyzing and scout for evil activities. He involved in several open source network sensor and honeypot development, including Dionaea, Honeeepi and Glutton. He has spoken in conferences e.g. Hack In The Box SIGINT, Hack In The Box GSEC Singapore, HoneyCon Taiwan and other open source community events.

Strengthen Your SecOps Team by Leveraging Neurodiversity

Megan Roddie, Cyber Security Analyst at the Texas Department of Public Safety

Presentation Slides: phv2017-mroddie.pdf

High productivity, extreme attention to detail, logical/calculated, passionate, and hyper-focused. These are all characteristics considered valuable in the information security industry. However, a certain group of people who exceed expectations in these skill sets are constantly overlooked for job positions. That group of people is the High Functioning Autistic (HFA) community. Individuals in the high functioning autistic community are often overlooked for job positions due to their social disabilities which makes them perform poorly in an interview and in their interactions with other people. However, if you look past their awkward behavior and social struggles, you will find these individuals are perfectly suited for roles in the information security industry. This talk aims to show the listeners that, as many tech companies have found, the HFA community is ripe with individuals who could be the best of the best in the security industry if given the chance. The audience will realize that a small investment in time, understanding, and acceptance can result in the addition of an invaluable member to a Security Operations team.

Megan Roddie (Twitter: @megan_roddie) is a graduate student pursuing her Master's in Digital Forensics at Sam Houston State University while also working as a Cyber Security Analyst at the Texas Department of Public Safety. As a 20-year old with Asperger's Syndrome (High Functioning Autism), Megan offers a unique perspective in any topic she discusses. Megan can articulate her struggles and how small modifications in daily life have made her successful.

Threat Intel for All: There's More to Your Data Than Meets the Eye

Cheryl Biswas

Presentation Slides: phv2017-cbiswas.pdf

Threat Intel isn't just a buzzword. It's about what you do with your data, to take a more proactive stance at securing yourself. Everybody has data, but we don't realize how to harness the power, to operationalize the context and relevancy within it as our strategic advantage. That's why Threat Intel isn't some shiny expensive box only the big kids get to play with. More importantly, as the nature of threats evolve, we need to keep pace by doing more than just monitoring. Everyone can level up by looking beyond their logs to see what's really in their data. Because there are all kinds of people in your neighbourhood...

Cheryl Biswas (Twitter: @3ncr1pt3d) is a Cyber Security Consultant, Threat Intel, with a Big4 firm in Toronto, Canada, where she also works on GRC, privacy, breaches, and DRP. Armed with a degree in Poli Sci, she engineered a backdoor into an IT role with CP Rail's helpdesk over 20 years ago, and got experience in vendor management and change management. Hacking her career, @3ncr1pt3d initiated the security role within JIG Technologies, an MSP. There she delivered weekly threat intel updates, and advised her team and clients on security matters. Her areas of interest include APTs, mainframes, ransomware, ICS SCADA, and building security awareness. She actively shares her passion for security in blogs, in print, as a guest on podcasts, and speaking at conferences.

Visual Network and File Forensics

Ankur Tyagi, Senior Malware Research Engineer at Qualys Inc.

Presentation Slides: phv2017-atyagi.pdf

This presentation aims to demo the effectiveness of visual tooling for malware and file-format forensics. It will cover structural analysis and visualization of malware and network artifacts. Various techniques like entropy/n-gram visualization, using compression-ratio and theoretical minsize to identify file type and packed content will be shown. Along with this, a framework that helps automate these tasks will be presented. Attendees with an interest in network monitoring, signature writing, malware analysis and forensics will find this presentation to be useful.

Ankur Tyagi (Twitter: @7h3rAm) is working as a Sr. Malware Research Engineer at Qualys Inc., where he analyzes malicious code and applies statistical modelling to identify suspicious patterns and evolving trends. His research interests include developing algorithms and analysis tools that help with classifying large sets of unlabelled content collected via network and host-based monitoring tools. He is the author of Flowinspect - a network inspection tool and Rudra - a visual malware forensics framework.

When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News

Catherine Ullman, Senior Information Security Analyst at University at Buffalo
Chris Roberts, Chief Security Architect at Acalvio Technologies

Presentation Slides: phv2017-robertsullman.pdf

Enabling better communications between geeks and management. As humans, we have had 60,000 years to perfect communication, but those of us working in IT, regardless of which side (Blue or Red Team), still struggle with this challenge. We have done our best over the centuries to yell "FIRE!" in a manner befitting our surroundings, yet today we seem utterly incapable of providing that very basic communication capability inside organizations. This talk will endeavor to explain HOW we can yell "FIRE!" and other necessary things across the enterprise in a language both leadership, managers and end-users understand.

Dr. Catherine Ullman (Twitter: @investigatorchi) began her IT career nearly 20 years ago as a Technical Support Specialist for Corel Word Perfect. After gaining valuable experience, as well as several technical certifications while working for Ingram Micro and subsequently Amherst Systems, she was offered and accepted a position at UB as a Systems Administrator in 2000 in which she provided both server and workstation support for several departments within Undergraduate Education. While she enjoyed her support role, she began to specialize in computer security and computer forensics. As a result, Cathy was often utilized by the Information Security Office to assist in the investigation of security breaches. Ultimately, she was asked to join the Information Security Office full time in 2009. In her current role as a Senior Information Security Analyst, Cathy is responsible for performing computer forensic investigative services for compliance on potentially compromised machines as well as personnel issues. She also assists with incident management involving intrusion detection and analysis and provides security awareness training to departments on campus upon request. In her (minimal) spare time, she enjoys researching death and the dead, and learning more about hacking things.

Chris Roberts (Twitter: @sidragon1) is considered one of the world's foremost experts on counter threat intelligence within the Information security industry. At Acalvio, Roberts helps drive Technology Innovation and Product Leadership. In addition, Roberts directs a portfolio of services within Acalvio designed to improve the physical and digital security posture of both enterprise, industrial and government clients. With increasingly sophisticated attack vectors, Roberts' unique methods of addressing the evolving threat matrix and experience with a variety of environments - Enterprise, Industrial, and IoT, make Roberts and his team an indispensable partner to organizations that demand robust, reliable, resilient and cost-effective protection.

XSS FTW - What Can Really Be Done With Cross-Site Scripting

Brute Logic, Security Researcher at Sucuri Security

Presentation Slides: phv2017-brutelogic.pdf

Cross-site Scripting (XSS) is the most widespread plague of the web but is usually restricted to a simple popup window with the infamous <script>alert(1)</script> vector. In this short talk we will see what can be done with XSS as an attacker or pentester and the impact of it for an application, its users and even the underlying system. Many sorts of black javascript magic will be seen, ranging from simple virtual defacement to create panic with a joke to straightforward and deadly RCE (Remote Command Execution) attacks on at least 25% of the web!

Brute Logic (Twitter: @brutelogic) is self-taught computer hacker from Brazil working as a security researcher at Sucuri Security. Best known for providing useful content in Twitter in his starting years on several hacking topics, including hacking mindset, techniques and code (most fitting in 140 chars). Now his main interest and research involves Cross Site Scripting (XSS) and filter/WAF bypass. Has helped to fix more than 1000 XSS vulnerabilities in web applications worldwide by means of the Open Bug Bounty platform (former XSSposed). Some of them include big players in tech industry like Oracle, LinkedIn, Baidu, Amazon, Groupon e Microsoft. He also has a blog totally dedicated to XSS subject and a private twitter account where he shares some of his XSS and bypass secrets (@brutalsecrets). Recently launched a paradigm-changing XSS online tool named KNOXSS, which works in an automated manner to provide a working XSS PoC for users. It already has helped some of them to get thousands of dollars in bug bounty programs. He's always willing to help experienced researchers and newcomers to community as well with his well-known motto: do not learn to hack, # hack2learn.

YALDA - Large Scale Data Mining for Threat Intelligence

Gita Ziabari, Senior Threat Research Engineer at Fidelis Cybersecurity

Presentation Slides: phv2017-gziabari.pdf

Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to find the signal in the noise to be able to best protect an organization. This talk will cover techniques to automate the processing of data mining malware to derive key indicators to find active threats against an enterprise. Techniques will be discussed covering how to tune the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We'll also discuss techniques for organizations to find and process intelligence for attacks targeting them specifically that no vendor can sell or provide them. Audiences would also learn about method of automatically identifying malicious data submitted to a malware analysis sandbox.

Gita Ziabari (Twitter: @gitaziabari) is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 13 years of experience in threat research, networking, testing and building automated frameworks. Her expertise is writing automated tools for data mining. She has unique approaches and techniques in automation.

You're Going to Connect to the Wrong Domain Name

Sam Erb

Presentation Slides: phv2017-serb.pdf

Can you tell the difference between gооgle.com and google.com? How about xn--ggle-55da.com and google.com? Both domain names are valid and show up in the Certificate Transparency log. This talk will be a fun and frustrating look at typosquatting, bitsquatting and IDN homoglyphs. This talk will cover the basics, show real-world examples and show how to use Certificate Transparency to track down particularly malicious impersonating domain names which have valid X.509 certificates.

Sam Erb (Twitter: @erbbysam) is a software engineer hell-bent on making the internet a safer place. He is a Defcon Black Badge holder (badge challenge with @thecouncilof9, won 2x - DC23, DC24). Outside of Defcon he has co-authored two IETF draft documents.

DJ Bios

phreakocious (@phreakocious, https://mixcloud.com/phreakocious)

Inspired by experiences at Detroit raves and private parties in the 90s, phreakocious bought a pair of 1200s in Y2K and has shaken booties with the finest in funky techno, house, and breaks ever since. wosdjco founder and official beatkeeper for Wall of Sheep and Packet Hacking Village.

YURK (@yurkmeister, https://soundcloud.com/yurkmeister)

Some mysteries are not meant to be solved...

tense future (@tensefutur3, https://soundcloud.com/tensefuture)

Trapped in an autonomous car during gridlock. Anxiety attack over spying home appliances. General AI grappling over competing logical fallacies. Tense Future is the soundtrack to scenes of the not-too-distant future.

kampf (@nerd_show, https://www.mixcloud.com/NerdShow)

With over a decade of experience as a college radio DJ at KWCR on Nerd Show, kampf has waded long and deep through the muddied waters of electronic music, casting his rod time and again to obtain, then share the eclectic, the compelling, the sounds off the beaten path and those lesser know varieties or species. Resident DJ for the DEF CON Chillout Lounge and for DEF CON Radio on SomaFM.com. Spinning vinyl for WoS/Packet Hacking Village since DEF CON 20!

DJ %27 (@djpercent27, https://www.mixcloud.com/djpercent27)

DJing since the 80s, Performed at chill out and pool at DEFCON XX, XXI. DEFCON XXIII.

Deep Therapy (@therapy_life, https://www.mixcloud.com/SoundboxMiami)

Based out of South Florida (Miami, Ft. Lauderdale, and West Palm Beach) The duo began hosting and DJ'n their own college radio shows. Constantly achieving new heights of dancefloor energy and pushing the boundaries of convention, Deep Therapy is recognized as one of South Florida’s essential DJ’s. Deep Therapy has been featured on Sirius XM radio in Ultra Music Festival Radio, opening up for Infected Mushroom as well as performing at Ultra Music Festival Miami two years in a row and holds a residency at Club Space in Miami in the Technoloft.

Skittish and Bus (@skittishandbus, https://www.mixcloud.com/skittishandbus)

Married dj duo and Salt Lake City locals; Skittish and Bus have played all sorts of dance clubs, underground parties, and festivals throughout the west, but DEFCON is definitely their favorite. While particularly fond of house, breaks and techno, they wield a complete electronic music palate, thanks to almost 400 episodes of their radio show, Sonic-Electronic. You can find them online @skittishandbus

Joey Muniz (@SecureBlogger, https://soundcloud.com/joeymuniz)

In 1995, Joey started his Dj career in the Tampa, Florida area and has played multiple venues ranging his sound from house, techno, downtempo, hip hop and other genres depending on the type of booking. Joey has held DJ residencies at multiple venues across the east coast. He has released four albums under his label Funktribe Records and remix work for various artists. Joey has also produced music for Mathpanda and Thebedroom Rockers.

os.system (@csullivansound, https://soundcloud.com/shockedatmusic)

Dark, modern techno. "If network packets were to dance, they would surely dance to this..."

s7a73farm (@s7a73farm, https://www.mixcloud.com/s7a73farm/)

Hacking and music, My version of the yin and yang. I'll bring the sound track to guide you in and out of the rabbit hole!