First Batch of Speaker Workshops at DEF CON 25 Announced

The Packet Hacking Village will be located in TBD at Caesars Palace.

Speaker Workshops Schedule

Friday, July 28th Saturday, July 29th Sunday, July 30th
10:10 Opening Ceremony / How Hackers Changed The Security Industry
Chris Wysopal
14:10 Closing Ceremony
16:10 CLOSED
17:10 CLOSED
18:10 CLOSED

Speaker Workshops Abstracts and Bios

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

Gabriel Ryan, Security Engineer at Gotham Digital Science

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility.

The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In a wireless network, EAP actually plays a subtle and far more important role. WPA2-EAP is the means through which the integrity of a wireless network's physical layer is protected. Port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as NACs can be bypassed on a wired network if the attacker has physical access to the switch, they can also be bypassed in a wireless environment if the attacker can control the physical layer using rogue access point attacks.

In this presentation, we will apply this concept by presenting a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel Ryan (Twitter: @s0lst1c3) is a penetration tester and researcher with a passion for wireless and infrastructure testing. His career began as a systems programmer at Rutgers University, where he assessed, diagnosed, and resolved system and application issues for a user community of over 70,000 faculty, students, and staff. Gabriel then went on to work as a penetration tester and researcher for the Virginia-based defense contractor OGSystems. While at OGSystems, he worked as a lead engineer on the Mosquito project, a geospatial intelligence tool that leverages wireless technology to track potential threats. Gabriel currently works for the international security consulting firm Gotham Digital Science at their New York office, where he performs full scope red team penetration tests for a diverse range of clients. He also contributes heavily to his company's research division, GDS Labs. Some of his most recent work includes a whitepaper on rogue access point detection, along with the popular tool Eaphammer, which is used for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

Demystifying the OPM Breach: WTF Really Happened

Ron Taylor

In September 2016 the House Committee on oversight finally released their report. Four years after the original breach, we are still asking how the f*#! did this happen. This talk with go over the key findings of the report and the impact on those who were effected.

Ron Taylor (Twitter: @Gu5G0rman) has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting where he gained experience in many areas. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance . In 2012, he moved into a position with the Security Research & Operations group (PSIRT) where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. In his current role, he is a Consulting Systems Engineer specializing in Cisco's security product line. Certifications include GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Co-Founder and President of the Raleigh BSides Security Conference, and member of the Packet Hacking Village team at DEF CON.

Fooling the Hound: Deceiving Domain Admin Hunters

Tom Sela, Head of Security Research at illusive networks

The conflict between cyber attackers and defenders is too often in favor of attackers. Recent results of graph theory research incorporated into red-team tools such as BloodHound, shift the balance even more dramatically towards attackers Any regular domain user can map an entire network and extract the precise path of lateral movements needed to obtain domain admin credentials or a foothold at any other high-value asset. Knowing the precise path needed to reach a target decreases the chances of an attacker making mistakes and being detected, putting defenders at a very clear disadvantage.

One traditional defensive approach is to make the ability to map the network more difficult by restricting access to information. However, such restrictions cannot be applied to all platforms, and even if they could be, it is not a trivial task in production environments.

In this talk, we present a new practical defensive approach: deceive the attackers. Since the time of Sun Tzu, deceptions have been used on the battlefield to win wars. In recent years, the ancient military tactic of deceptions has been adopted by the cyber-security community in the form of HoneyTokens. Cyber deceptions, such as fictitious high-privilege credentials, are used as bait to lure the attackers into a trap where they can be detected.

To shift the odds back in favor of the defenders, the same BloodHound graphs that are generated by attackers should be used by defenders to determine where and how to place bait with maximum effectiveness. In this way, we ensure that any shortest path to a high-value asset will include at least one deceptive node or edge. Effectively designed and placed bait would make it very difficult for the attacker to avoid detection, shifting the odds back in favor of defenders.

Tom Sela is Head of Security Research at illusive networks, specializing in Reverse Engineering, Malware Research, and OS internals. Prior to joining illusive, Tom lead the Malware Research team at Trusteer (acquired by IBM). Tom majored in Computer Science at Ben-Gurion University and studied at the Israeli Naval Academy, University of Haifa.

Fortune 100 InfoSec on a State Government Budget

Eric Capuano, SOC Manager at Texas Department of Public Safety

A common misconception is that it takes spending millions to be good at security. Our security team at Texas Department of Public Safety has proved this to be untrue. We run a full-fledged Security Operations Center and leverage some very proactive controls and incident response techniques while spending a fraction of what similar agencies are allocated.

This talk outlines many of the thought processes and "tricks" to doing security well, without breaking the bank. Some concepts include thinking critically about ROIs of existing equipment, not buying into every "shiny box", not being afraid to explore open source options, and where to spend your money for the highest ROI (people!).

This is not the typical "Problem, problem, problem...." talk.... This is a solution-based talk where I'll share SOLUTIONS to very real-world scenarios facing SOC teams everywhere.

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEF CON.

Go Beyond Tabletop Scenarios by Building an Incident Response Simulation Platform

Eric Capuano, SOC Manager at Texas Department of Public Safety

Ask yourself - how prepared is your incident response team for a worse case scenario event on your network? How well can your team function as a cohesive unit while executing fast and effective incident response in an "all hell breaking loose" situation? Even seasoned blue teams often lack the experience performing in these situations because they are (hopefully) far and few. Most organizations approach to this is "if we're breached, we'll just rely on our policies and procedures"....that is akin to paramedics learning first responder skills by reading healthcare magazines. Waiting for a crisis to happen before training for a crisis is a losing approach. Not to mention, it is often during a crisis that critical blind spots present themselves--too little too late. Tabletop scenarios are a great option as they require zero resources aside from conversation. However, referring to my previous example, first responders do not learn CPR by talking about it. For things that must become muscle memory, instinctive, you must simulate the event and go through the motions. That is exactly what I am doing with my team - and we're doing it with in-house resources and spare equipment. This talk is a deep-dive technical discussion on how we built a mockup enterprise network so that we could unleash hell on it in order to practice operating as a focused IR team. Some of the concepts will be familiar, but I do have a few clever tricks and tools to share that will significantly increase the "realism" of the exercises. I will also share a few of the red team scenarios that we have employed in past events. Best part -- almost all of this can be accomplished with open source tools and inexpensive equipment, but I'll also share tips and tricks on getting free commercial hardware and software for use in your new simulation environment!

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Also, a member of the Packet Hacking Village team at DEF CON.

How Hackers Changed The Security Industry

Chris Wysopal, CTO and Co-Founder of Veracode

Before hackers got involved in cybersecurity the industry was focused on products and compliance. Security was security features: firewalls, authentication, encryption. Little thought was given to vulnerabilities that allowed the bypassing of those features. Gene Stafford famously said SSL between two PCs is like using an armored car to deliver money from one park bench to another. Hackers came along with the idea that you use offensive techniques to simulate how an attacker would discover vulnerabilities in a networks, a system, or an application. Offensive skills have been on the rise ever since and now the best way to secure something it to try and break it yourself before the attacker does.

This history will be told from a member of the hacker group The L0pht who lived the arc from the underground, to consumer advocates, to speaking at the U.S. Senate, to forming a 200 employee security consultancy, to schooling Microsoft and changing how people build software.

Attendees will learn why we need the kind of tools hackers build to secure our systems and why we need people who are taught to think like hackers, 'security champions', to be part of software development teams.

Chris Wysopal (Twitter: @WeldPond) Chris Wysopal is currently Veracode's CTO and co-founder. He is one of the original vulnerability researchers and an early member of L0pht Heavy Industries, which he joined in 1992. He is the author of netcat for Windows and one of the authors of L0phtCrack. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.

Hunting Down the Domain Admin and Rob Your Network

Keith Lee, Senior Security Consultant at Trustwave SpiderLabs

Portia: it's a new tool we have written at SpiderLabs to aid in internal penetration testing test engagements. The tool allows you to supply a username and password that you have captured and cracked from Responder or other sources as well as an IP ranges, subnet or list of IP addresses. The tool finds its way around the network and attempts to gain access into the hosts, finds and dumps the passwords/hashes, resuses them to compromise other hosts in the network. In short, the tool helps with lateral movements in the network and automating privilege escalation as well as find sensitive data residing in the hosts.

Keith Lee (Twitter: @keith55) is a Senior Security Consultant with Trustwave's SpidersLabs Asia-Pacific. SpiderLabs is one of the world's largest specialist security teams, with over 100 consultants spread across North America, South America, Europe and the Asia Pacific. Keith Lee has presented in Hack In The Box, BlackHat Arsenal and PHDays.

IP Spoofing

Marek Majkowski, Cloudflare

At Cloudflare we deal with DDoS attacks every day. Over the years we've gained a lot of experience in defending from all different kinds of threats. We have found that the largest attacks that cause the internet infrastructure to burn are only possible due to IP spoofing.

In this talk we'll discuss what we learned about the L3 (Layer 3 OSI stack) IP spoofing. We'll explain why L3 attacks are even possible in today's internet and what direct and reflected L3 attacks look like. We'll describe our attempts to trace the IP spoofing and why attack attribution is so hard. Our architecture allows us to perform most attack mitigations in software. We'll explain a couple of effective L3 mitigation techniques we've developed to stop our servers burning.

While L3 attacks are a real danger to the internet, they don't need to be. With a bit of cooperation and couple of technical tricks maybe we can fix the IP spoofing problem for all.

Marek Majkowski (Twitter: @majek04). After fruitful encounters with such diverse topics as high performance key value databases, distributed queueing systems, making real time web communication enjoyable, and accelerating the time so that testing servers and protocols takes seconds, Marek Majkowski finally settled for working on DDoS mitigation in the CloudFlare London office, where he appreciates most the parking space for his motorbike.

Iron Sights for Your Data

Leah Figueroa

Data breaches have become all too common. Major security incidents typically occur at least once a month. With the rise of both security incidents and full data breaches, blue teams are often left scrambling to put out fires and defend themselves without enough information. This is something that can be changed with the right tools. Tools now available allow blue teams to weaponize data and use it to their advantage. This talk reviews frameworks for clean, consistent data collection and provides an overview of how predictive analytics works, from data collection to data mining to predictive analytics to forecasts. The allows the blue team to focus on potential risks instead of trying to put out every fire.

Leah Figueroa (Twitter: @Sweet_Grrl) is a 13 year veteran of the data analytics field and works as a data analyst in higher education. She holds a Master's in Education, an ABD in research psychology, and taught kindergarten. A data aficionado, Leah focuses on research on improving students outcomes at the higher education level, including focusing on both minority students issues as well as issues pertaining to students who come from a background of poverty. While not at work, Leah is interested in improving blue teams by helping bring data analytics into the team. Leah also enjoys being a fiber artist (knitter), loves cats, InfoSec, picking locks, cooking, and reading.

Layer 8 and Why People are the Most Important Security Tool

Damon Small, Technical Director, Security Consulting at NCC Group North America

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.

Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user's activity. The goal of the presentation is show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 17 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. As Technical Director for NCC Group, Small has a particular interest in research and business development in the Healthcare and Oil & Gas industries. His role also includes working closely with NCC consultants and clients in delivering complex security assessments that meet varied business requirements.

Make Your Own 802.11ac Monitoring Hacker Gadget

Vivek Ramachandran, Founder of Pentester Academy and
Thomas d'Otreppe, Author of Aircrack-ng

802.11ac networks present a significant challenge for scalable packet sniffing and analysis. With projected speeds in the Gigabit range, USB Wi-Fi card based solutions are now obsolete! In this workshop, we will look at how to build a custom monitoring solution for 802.11ac using off the shelf access points and open source software. Our "Hacker Gadget" will address 802.11ac monitoring challenges such as channel bonding, DFS channels, spatial streams and high throughput data rates. We will also look different techniques to do live streaming analysis of 802.11 packets and derive security insights from it!

Vivek Ramachandran (Twitter: @securitytube) is the Founder and Chief Trainer at Pentester Academy. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam - the world's first Wi-Fi Firewall and Chigula - a Wi-Fi data mining and IDS framework. He is also the author of multiple five star rated books which have together sold over 13,000+ copies worldwide and have been translated to multiple languages. Vivek started in 2007, a YouTube for security which current aggregates the largest collection of security research videos on the web. SecurityTube Training and Pentester Academy now serve thousands of customers from over 90 countries worldwide. Vivek's work on wireless security has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada etc. places. He has spoken/trained at top conferences around the world including Black Hat USA, Europe and Abu Dhabi, Defcon, Hacktivity, Brucon, Mundo Hacker Day and others.

Thomas d'Otreppe (Twitter: @aircrackng) is a wireless security researcher and author of Aircrack-ng, the most popular and complete suite of tools for WiFi network security assessments. He also created OpenWIPS-ng, an open source Wireless Intrusion Prevention System. Thomas is a contributor to the WiFi stack and toolset in Backtrack Linux, which has now become Kali Linux, the de facto top choice Linux distribution for penetration testing and vulnerability assessment across multiple technology domains. He is also known as an author of a pro-active wireless security course which has been delivered to large numbers of IT Security professionals worldwide. Thomas speaks and teaches in the Americas and Europe and is a well-known speaker at DefCon, BlackHat, DerbyCon, SharkFest, Mundo Hacker Day, BruCON and other venues

Modern Day CovertTCP with a Twist

Mike Raggo, CSO at 802 Secure, Inc.
Chet Hosmer, Owner of

Taking a modern day look on the 20 year anniversary of Craig Rowland's article on Covert TCP, we explore current day methods of covert communications and demonstrate that we are not much better off at stopping these exploits as we were 20 years ago. With the explosion of networked devices using a plethora of new wired and wireless protocols, the covert communication exploit surface is paving new paths for covert data exfiltration and secret communications. In this session we explore uPnP, Zigbee, WiFi, P25, Streaming Audio Services, IoT, and much more. Through real-world examples, sample code, and demos; we bring to light this hidden world of concealed communications.

Mike Raggo (Twitter: @MikeRaggo) Chief Security Officer, 802 Secure (CISSP, NSA-IAM, ACE, CSI) has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of “Mobile Data Loss: Threats & Countermeasures” and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols” for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition”. A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS and PCI, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer (Twitter: @ChetHosmer) is the Founder of Python Forensics, Inc. a non-profit organization focused on the collaborative development of open-source investigative technologies using the Python programming language. Chet is also the founder of WetStone Technologies, Inc. and has been researching and developing technology and training surrounding forensics, digital investigation and steganography for over two decades. He has made numerous appearances to discuss emerging cyber threats including National Public Radio's Kojo Nnamdi show, ABC's Primetime Thursday, NHK Japan, CrimeCrime TechTV and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, and Wired Magazine. He is the author of three recent Elsevier/Syngress Books: Python Passive Network Mapping, Python Forensics, and Data Hiding. Chet serves as a visiting professor at Utica College where he teaches in the Cybersecurity Graduate program. He is also an Adjunct Faculty member at Champlain College in the Masters of Science in Digital Forensic Science Program. Chet delivers keynote and plenary talks on various cyber security related topics around the world each year.

Past, Present and Future of High Speed Packet Filtering on Linux

Gilberto Bertin, CLoudflare

As internet DDoS attacks get bigger and more elaborate, the importance of high performance network traffic filtering increases. Attacks of hundreds of millions of packets per second are now commonplace. Unfortunately line rate filtering is still an open problem.

In this session we will introduce modern techniques for high speed network packet filtering on Linux. We will follow the evolution of the subject, starting with Iptables and userspace offload solutions (such as EF_VI and Netmap), discussing their use cases and their limitations. We will then move on to a new technology recently introduced in the Linux kernel called XDP (express data path), which works by hooking an eBPF program into the lowest possible layer in the Linux kernel network stack, allowing network traffic to be filtered at high speeds. We will discuss the strengths of this solution, show some sample XDP programs and give operational tips.

Gilberto Bertin (Twitter: @jibi42) originally from a little Italian town near Venice, loves tinkering with low level systems, especially networking code. After working on variety of technologies like P2P VPNs and userspace TCP/IP stacks, he decided to move to London to help the Cloudflare DDoS team filter all the bad internet traffic.

When the Current Ransomware and Payload of the Day (CRAP of the day) Hits the Fan: Breaking the Bad News

Catherine Ullman, Senior Information Security Analyst at University at Buffalo
Chris Roberts, Chief Security Architect at Acalvio Technologies

Enabling better communications between geeks and management. As humans we have had 60,000 years to perfect communication, but those of us working in IT, regardless of which side (Blue or Red Team), still struggle with this challenge. We have done our best over the centuries to yell "FIRE!" in a manner befitting our surroundings, yet today we seem utterly incapable of providing that very basic communication capability inside organizations. This talk will endeavor to explain HOW we can yell "FIRE!" and other necessary things across the enterprise in a language both leadership, managers and end-users understand.

Dr. Catherine Ullman (Twitter: @investigatorchi) began her IT career nearly 20 years ago as a Technical Support Specialist for Corel Word Perfect. After gaining valuable experience, as well as several technical certifications while working for Ingram Micro and subsequently Amherst Systems, she was offered and accepted a position at UB as a Systems Administrator in 2000 in which she provided both server and workstation support for several departments within Undergraduate Education. While she enjoyed her support role, she began to specialize in computer security and computer forensics. As a result, Cathy was often utilized by the Information Security Office to assist in the investigation of security breaches. Ultimately, she was asked to join the Information Security Office full time in 2009. In her current role as a Senior Information Security Analyst, Cathy is responsible for performing computer forensic investigative services for compliance on potentially compromised machines as well as personnel issues. She also assists with incident management involving intrusion detection and analysis and provides security awareness training to departments on campus upon request. In her (minimal) spare time, she enjoys researching death and the dead, and learning more about hacking things.

Chris Roberts (Twitter: @sidragon1) is considered one of the world's foremost experts on counter threat intelligence within the Information security industry. At Acalvio, Roberts helps drive Technology Innovation and Product Leadership. In addition, Roberts directs a portfolio of services within Acalvio designed to improve the physical and digital security posture of both enterprise, industrial and government clients. With increasingly sophisticated attack vectors, Roberts' unique methods of addressing the evolving threat matrix and experience with a variety of environments - Enterprise, Industrial, and IoT, make Roberts and his team an indispensable partner to organizations that demand robust, reliable, resilient and cost-effective protection.

YALDA - Large Scale Data Mining for Threat Intelligence

Gita Ziabari, Senior Threat Research Engineer at Fidelis Cybersecurity

Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to find the signal in the noise to be able to best protect an organization. This talk will cover techniques to automate the processing of data mining malware to derive key indicators to find active threats against an enterprise. Techniques will be discussed covering how to tune the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We'll also discuss techniques for organizations to find and process intelligence for attacks targeting them specifically that no vendor can sell or provide them. Audiences would also learn about method of automatically identifying malicious data submitted to a malware analysis sandbox.

Gita Ziabari (Twitter: @gitaziabari) is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 13 years of experience in threat research, networking, testing and building automated frameworks. Her expertise is writing automated tools for data mining. She has unique approaches and techniques in automation.

You're Going to Connect to the Wrong Domain Name.

Sam Erb

Can you tell the difference between gоо and How about and Both domain names are valid and show up in the Certificate Transparency log. This talk will be a fun & frustrating look at typosquatting, bitsquatting and IDN homoglyphs. This talk will cover the basics, show real-world examples and show how to use Certificate Transparency to track down particularly malicious impersonating domain names which have valid X.509 certificates.

Sam Erb (Twitter: @erbbysam) is a software engineer hell-bent on making the internet asafer place. He is a Defcon Black Badge holder (badge challenge with @thecouncilof9, won 2x - DC23, DC24). Outside of Defcon he has co-authored two IETF draft documents.