News / Defcon

Packet Hacking Village Talks at DEF CON 28 Call for Presentations Now Open


The Wall of Sheep would like to announce a call for presentations at DEF CON 28 in Las Vegas, NV from Thursday, August 6th to Sunday, August 9th. The goal of Packet Hacking Village Talks is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory talks are welcome.

Topics of interest include:

  • Tools and techniques on network sniffing, intrusion detection, monitoring, forensics, log analysis
  • General Digital Forensics and Incident Response (DFIR) talks
  • Threat hunting
  • Incident response process and procedures and/or recovery
  • Hands-on spy level makeup art (e.g., wigs, prosthetic noses, etc.)
  • How to refresh your system without losing all your stuff and eliminate malware
  • Setting up cloud backups that withstand ransomware attacks
  • How to justify hacking / security tools in the corporate world
  • How to use regulatory compliance requirements in your favor to enhance your overall funding and security posture
  • Security awareness program success and failure stories
  • Tools for data collection and visualization
  • Purple and blue teaming
  • Business continuity planning for cyber war

The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!

All accepted talks will be announced, recorded, and published by Aries Security, LLC. Please see our YouTube channel for all talks from previous years:

The Call for Presentations will close on Friday, June 12th at 11:59 PM PST. The list of talks will be finalized and published on Friday, June 28th.

Speaking Format

Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.

To submit a presentation, please provide the following information in the form below to cfp2020[at]wallofsheep[dot]com

Primary Speaker Name:

Primary Speaker Title and Company (if applicable):

Primary Speaker Email Address:

Primary Speaker Phone Number (to contact you if necessary during the conference):

Primary Speaker Twitter name (if you want it known if you are accepted):

Additional Speakers' name(s), titles, and social information:

Additional Email Addresses:

Is there a specific day or time you MUST speak by?

Name of Presentation:

Length of presentation: (20 minutes or 50 minutes)

Abstract (100 words MAXIMUM, absolutely necessary for printing purposes):

Your abstract will be used for the website and printed materials. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviewers like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.

Equipment Needs & Special Requests:

The Wall of Sheep will provide 1 projector feed, and microphones. If you need to use multiple outputs for a demo, please mention this below.

Speaker's Bio(s):

This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.

Detailed Outline:

You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline, the better we are able to review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.

Supporting File(s):

Additional supporting materials such as code, white papers, proof of concept, etc. must be sent along with this email to cfp2020[at]wallofsheep[dot]com to be considered. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.

Terms and Conditions

By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.

Grant of Copyright Use

I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication by Aries Security, LLC. and that I will promptly supply Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.

Terms of Speaking Requirements

1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, June 26th, 2020.

2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 26th, 2020.

3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.

4. I will complete my presentation within the time allocated to me - not running over the time allocation.

5. I understand that the Wall of Sheep will provide 1 LCD projector feed, 2 screens, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.

6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.

Yes, I, (insert primary speaker name), have read and agree to the Grant of Copyright Use.

I, (insert your name here), have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements. In the case that a speaker is a child under the age of 13 years old: in compliance with the Children's Online Privacy Protection Act (COPPA) regulations, any child under age 13 must have parental consent for the collection, use, or disclosure of that child's personal information by a website. Parent/Guardian Consent: I (insert parent/guardian's name here) am the parent or guardian of the minor/s named above. I have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.


Our DJ Schedule at DEF CON 27

Friday, August 9th Saturday, August 10th Sunday, August 11th
10:00 some people playing music probably TBD CLOSED
11:00 phreakocious kampf
12:00 Percent27 phreakocious
13:00 TBD Tineh Nimjeh TBD
14:00 Yesterday & Tomorrow Closed for teardown.
15:00 tense future
16:00 Percent27
17:00 Icetre Normal Icetre Normal
18:00 Yurk Terrestrial Access Network

DJ Bios

phreakocious (@phreakocious)

phreakocious is just this guy, you know?

Yurk (@yurkmeister)

DJ / Producer from San Juan, Puerto Rico. Now resides in Brooklyn, New York.

tense future (@tensefutur3)

Los Angeles, CA. The soundtrack to autonomous vehicle gridlock.

kampf (@nerd_show)

Resident Chillout DJ with SomaFM on Fluid and DEF CON Radio. Vinyl hangover cure.

DJ %27 (@djpercent27)

DJing since the 80s. Performed at chill out and pool at DEFCON XX, XXI, XXIII.

Tineh Nimjeh (@tinehnimjeh)

With 20+ years djing, including residencies at various nightclubs, Tineh Nimjeh live sets will always get your body moving. Tineh is an active member of DC562, and works in Vulnerability Management.

Icetre Normal

Icetre has been dj'ing since defcon 13. One of Icetre's superpowers is rearranging space and time in the process of epic party creation. He isn't always available to chat, as he may be being smuggled past hotel security for his own safety. When not digging in the crate to field a request for Freebird, Icetre is usually being asked to turn down the volume on his house and electro beats.

Yesterday & Tomorrow (@wompapmow)

DJ duo inspired by the masters, they seek to bring listeners on a journey ranging from the depths of techno to the expansive sounds of progressive house.

Terrestrial Access Network

Classic Electro - "If network packets were to dance, they would surely dance to this..."


Packet Hacking Village Workshops Tickets Sales

We’ve got some rules around here! The first run of 20 tickets for Reverse Engineering Malware 101 will start at 0900PDT on Saturday, July 13, 2019. The next workshop’s ticket sales will start one hour later with each of the following workshop sales becoming available at the top of the next hour. The second and last run of 20 tickets will begin on Wednesday, July 17, 2019 at 1700PDT.

Packet Hacking Village Workshops at DEF CON 27 Finalized

The Packet Hacking Village will be located at The Tower of Doom, 26th Floor at Bally's.

Packet Hacking Village Talks at DEF CON 27 Finalized

Friday, August 9th Saturday, August 10th Sunday, August 11th
10:00 4 years and 10,000+ Hours Later: Lessons Learned from Running a National Penetration Testing Competition
Tom Kopchak and Dan Borges
Hacking Corporate Org Socialization: One Day You Are Out and the Next Day You Pwn the Org!
Wi-Fi Threat Modeling and Monitoring
Besim Altinok and Can Kurnaz
11:00 Hacking Kubernetes: Choose Your Own Adventure Style
Jay Beale
Solving Crimes with Wireless GeoFencing and Multi-Zone Correlation Analytics
Gleb Esman
Head in the Clouds
Matt Nash
12:00 StegoAugmented Malware
Mike Raggo and Chet Hosmer
"First-Try" DNS Cache Poisoning with IPv4 and IPv6 Fragmentation
Travis Palmer and Brian Somers
CIRCO: [Cisco Implant Raspberry Controlled Operations]
Emilio Couto
13:00 The Art of Detection
Jay Dimartino
Phishing Freakonomics
Russell Butturini
Augmenting the (Security) Onion: Facilitating Enhanced Detection and Response with Open Source Tools
Wes Lambert
14:00 Bestsellers in the Underground Economy: Measuring Malware Popularity by Forum
Winnona DeSombre
14:30 Hunting Certificates and Servers
Sam Erb
Security to Make the CFO Happy
15:00 Old Tech vs New Adversaries. Round 1... Fight!
Joseph Muniz and Aamir Lakhani
Generating Personalized Wordlists With NLP by Analyzing Tweets
Utku Sen
15:30 Sandbox Creative Usage For Fun and Pro...Blems
Cesare Pizzi
16:00 Patching: It's Complicated
Cheryl Biswas
(Re)Thinking Security Given the Spectre of a Meltdown (hold my beer)
Jeff Man
17:00 Your Phone is Using Tor and Leaking Your PII
Milind Bhargava and Adam Podgorski
State Sponsored Hacking: How to Intercept/Decrypt TLS Traffic and How to Prevent TLS Interception Attacks
Chris Hanlon
18:00 Beyond Sandboxes. How to Execute IoT Malware and Analyze Its Evolution
María José Erquiaga, Sebastian Garcia
Leveraging Passive Network Mapping with Raspberry Pi and Python
Chet Hosmer
19:00 The Cyberlous Mrs. Maisel: A Comedic (and slightly terrifying) Introduction to Information Warfare
Jessica "Zhanna" Malekos Smith

Few More Accepted Packet Hacking Village Talks At DEF CON 27 Announced

CIRCO - [Cisco Implant Raspberry Controlled Operations]

Emilio Couto, eKio Security

Designed under Raspberry Pi and aimed for Red Team Ops, we take advantage of “Sec/Net/Dev/Ops” enterprise tools to capture network credentials in a stealth mode. Using low profile hardware & electronics camouflaged as a simple network outlet box to be sitting under/over a desk. CIRCO includes different techniques for network data exfiltration to avoid detection. This tool gathers information and uses a combination of honeypots to trick Automation Systems into giving us their network credentials!

Emilio Couto (Twitter: @ekio_jp) is a Security Consultant with more than 20 years of experience in the network and security field. Born and raised in Argentina, he is currently located in Japan where multitasking between language, culture and technologies is a must. Over the last decade focusing mainly on Finance IT. In his spare time he enjoys playing with RFID, computers and home made IoT devices. Over the last 5 years presenting tools in conferences (Black Hat Asia, HITB, AV Tokyo and SECCON)

Generating Personalized Wordlists With NLP by Analyzing Tweets

Utku Sen, R&D Lead at Tear Security

Adversaries need to have a wordlist or combination-generation tool while conducting password guessing attacks. To narrow the combination pool, researchers developed a method named "mask attack" where the attacker needs to assume a password's structure. Even if it narrows the combination pool significantly, it can be still too large to use for online attacks or offline attacks with low hardware resources. Rhodiola tool is developed to narrow the combination pool by creating a personalized wordlist for target people. It finds interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist.

Utku Sen (Twitter: @utkusen) is a security researcher who is mostly focused on application security, network security and tool development. He presented his different tools and researches in Black Hat USA Arsenal, DEF CON Demo Labs and Packet Hacking Village in recent years. He's also nominated for Pwnie Awards on "Best Backdoor" category in 2016. He is currently working for Tear Security.

Leveraging Passive Network Mapping with Raspberry Pi and Python

Chet Hosmer, Owner of Python Forensics

Mapping of network assets and their behaviors is a vital step needed for the prevention and response to cyber-attacks. Today active tools like NMAP are used to discover network assets, however, these methods take a momentary snapshot of network devices. By passively monitoring network activity the discovery of rogue devices, aberrant behavior, and emerging threats is possible. This talk and demonstration will utilize a Raspberry Pi and a custom Python solution to map network assets and their behaviors and demonstrate the identification of rogue devices and unauthorized behaviors.

Chet Hosmer (Twitter: @chethosmer) is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.


First Batch of Accepted Packet Hacking Village Talks at DEF CON 27 Announced

Bestsellers in the Underground Economy - Measuring Malware Popularity by Forum

Winnona DeSombre, Threat Intelligence Researcher at Recorded Future

While you can patch against malware infecting your tech stack or targeting your competitors, what about malware that hasn't been in the news? This presentation will cover what malware and tools are popular among underground forum members based on prevalence in forum ads, how malware presence differs between forums, and why understanding that difference matters.

Winnona DeSombre (Twitter: @__winn) is an Asia Pacific threat intelligence researcher at Recorded Future, focusing on Chinese underground hacking communities and East Asian cyber espionage campaigns. She was recently featured in Threatcare's "Tribe of Hackers" book, containing career advice from some of the world's best information security professionals.

Phishing Freakonomics

Russell Butturini

This presentation is the story of the success and failures of building a security awareness program at a Top 20 CPA firm, and finding "the hidden side" of why users fail phishing exercises (both simulated and not!). The presentation will cover how Elasticsearch was used to correlate awareness training, phishing test, and HR data together, examine real results from this work, and the improvements that were made to improve user awareness and reduce phishing related security incidents.

Russell Butturini (Twitter: @tcstoolhax0r) is head of information security for a top 20 CPA and financial services firm. He has authored tools for both red and blue teams with his C- and Python coding skills. His most popular tool, NoSQLMap, was featured in the Hacker Playbook 2.

Solving Crimes with Wireless GeoFencing and Multi-Zone Correlation Analytics

Gleb Esman, Senior Project Manager, Fraud Analytics and Research at Splunk Inc.

The presentation will introduce the viewer to geofencing - the technique successfully used by law enforcement agencies to pinpoint suspects in an array of anonymous metadata coming from wireless devices. The presentation will teach the viewer how to build such a system from scratch using freely downloadable analytical tools. Different ways to visually define GeoFencing zones and investigation constraints will be explained. Samples of working scripts, search queries, data formats and working dashboard layouts will be provided.

Gleb Esman (Twitter: @gesman) helps to guide research, product planning and development efforts in the areas of fraud detection, data security analytics and investigations at Splunk Inc. Currently Gleb manages a number of security projects in the healthcare space such as a drugs and opioids diversion platform and a healthcare privacy monitoring platform. Before Splunk, Gleb was engaged at Morgan Stanley overseeing a fraud detection platform and enterprise-wide data analytics systems within the retail banking space. During his career, Gleb worked in various positions at a number of enterprises involved in research and development of solutions against advanced malware and computer viruses as well as solutions for secure payments and data protection in the e-commerce space. Gleb is an author of several patents in Deep Learning, Security, Behavior Biometrics and Healthcare Data Analytics.

StegoAugmented Malware

Mike Raggo, CSO at 802 Secure
Chet Hosmer, Owner of Python Forensics

As adversaries look for new methods of creating malware, steganography has seen a resurgence. In this session, we'll review this black art and uncover recent steganographic malware weaponizing techniques. We'll cover techniques that include file and image embedding techniques invisible to malware and intrusion detection systems, methods of exploiting weak networking protocols for covert communications, mischievous IoT devices, and cloud data hiding methods. But we don't stop there, our organic research has uncovered numerous other ways in which malware could be embedded in an effort to prepare threat researchers with the knowledge to improve their tools and fortify their networks.

Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer (Twitter: @chethosmer) is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Wi-Fi Threat Modelling and Monitoring (WiNT)

Besim Altinok, Barikat Internet Security
Can Kurnaz, Senior Cybersecurity Consultant at KPMG Netherlands

With the widespread use of wireless Internet access, we see that the use of portable technologies is rapidly increasing. Increasing public networks and facilitating access to these networks have attracted the attention of attackers. Due to easy availability of mature honeypot creation tools, this attack is a slam dunk for even the most novice of Wi-Fi attackers. Enterprise security products have tried but failed to solve this problem with rule and lockdown based approaches. In this talk, we are going to tell a story experienced about Wi-Fi network attackers. We will practically demonstrate how using new detection and deception techniques we can make Wi-Fi clients and environmentally secure.

Besim Altinok (Twitter: @AltnokBesim) has been researching Wi-Fi security for over a decade. He created WiPi-Hunter project against Wi-Fi hackers. He is the author of a book on Wi-Fi security. Besim's work on wireless security has been published in ArkaKapi Magazine and others. He has also spoken at top conferences including BlackHat Europe, ASIA, Defcon, and others. Besim ALTINOK works currently at BARIKAT Internet Security in Turkey. Besim also founded Pentester Training project.

Can Kurnaz (Twitter: @0x43414e) is conducting penetration tests from internet and internal networks to web-based applications, network infrastructures, wireless devices, IoT devices and operational technology infrastructures such as ICS/SCADA systems and components.


Call for Workshops at Packet Hacking Village at DEF CON 27

The Wall of Sheep would like to announce a call for workshops at DEF CON 27 in Las Vegas, NV from Thursday, August 8th to Sunday, August 11th. The Packet Hacking Village Workshop's goal is to deliver hands-on training sessions that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory workshops are welcome! A very nominal fee will be charged for advanced registration of these workshops. However, all proceeds will go directly to Hackers for Charity. This is your chance to give back to the community in multiple ways!

Preview of the Packet Hacking Village at DEF CON 26, All the Events

Capture The Packet (CTP)

The time for those of hardened mettle is drawing near; are you prepared to battle? Compete in the world’s most challenging cyber defense competition based on the Aries Security Cyber Range. In order to triumph over your competitors, contestants must be well rounded, like the samurai. Tear through the challenges, traverse a hostile enterprise class network, and diligently analyze what is found in order to make it out unscathed. Not only glory, but prizes await those that emerge victorious from this upgraded labyrinth.

The Dark Tangent has asked that we extend your time in the labyrinth and this has caused the difficulty of challenges to be amplified, so only the best prepared and battle hardened will escape the crucible. Follow us on Twitter or Facebook (links below) to get notifications for dates and times your team will compete, as well as what prizes will be awarded.

Wall Of Sheep

An interactive look at what could happen if you let your guard down when connecting to any public network, Wall of Sheep passively monitors the DEF CON network looking for traffic utilizing insecure protocols. Drop by, hang out, and see for yourself just how easy it can be! Most importantly, we strive to educate the “sheep” we catch, and anyone else interested in protecting themselves in the future. We will be hosting several ‘Network Sniffing 101’ training sessions using Wireshark, Ettercap, dsniff, and other traffic analyzers.

Wall of Sheep DJ Community - WoSDJCo

Come chill with us while we play all your favorite Deep, underground house, techno, breaks, and DnB beats mixed live all weekend by your fellow hacker DJs. We will provide the soundtrack for all your epic PHV hax, just like we do every year. Schedule of DJs available at:

Packet Detective

Looking to upgrade your skills or see how you would fare in Capture The Packet? Come check out what Packet Detective has to offer! A step up in difficulty from Packet Investigator, Packet Detective will put your network hunting abilities to the test with real-world scenarios at the intermediate level. Take the next step in your journey towards network mastery in a friendly environment still focused on learning and take another step closer to preparing yourself for the competitive environment of Capture The Packet.

NEW FOR 2018: Packet Inspector

Taking the place of Packet Detective as your introduction to network analysis, sniffing, and forensics. Do you want to understand the techniques people use to tap into a network, steal passwords and listen to conversations? Packet Inspector is the place to develop these skills! For well over a decade, the Wall of Sheep has shown people how important it is to use end-to-end encryption to keep sensitive information like passwords private. Using a license of the world famous Capture The Packet engine from Aries Security, we have created a unique way to teach hands-on skills in a controlled real-time environment.

Join us in the Packet Hacking Village to start your quest towards getting a black belt in Packet-Fu.

NEW FOR 2018: Walkthrough Workshops - Learn to build Honey Pots

The Packet Hacking Village brings yet another Def Con premiere: Walkthrough Workshops, where you will go on a self-guided journey to building your own honey pot, taking it live and hopefully trapping some unsuspecting users. Fear not though, like with all our other training events, we will have helpful and knowledgeable staff on hand to assist you along the way!

PHV Talks

Back for a sixth year, we continue to accept presentations focusing on practice and process while emphasizing defense. Speakers will present talks and training on research, tools, techniques, and design, with a goal of providing skills that can be immediately applied during and after the conference. Our audience ranges from those who are new to security, to the most seasoned practitioners in the security industry. Expect talks on a wide variety of topics for all skill levels. Updated schedule available at:

PHV Workshops

A returning favorite from last year, we have hands-on labs and training sessions from an amazing line-up of instructors covering beginner to advanced level material. See our website for updated schedules. Updated schedule available at:


Packet Hacking Village Talks at DEF CON 26 Finalized

Friday, August 10th Saturday, August 11th Sunday, August 12th
10:00 Mallet: A Proxy for Arbitrary Traffic
Rogan Dawes
Ducky-in-the-Middle: Injecting Keystrokes into Plaintext Protocols
Esteban Rodriguez
10:30 How to Tune Automation to Avoid False Positives
Gita Ziabari
11:00 Rethinking Role-Based Security Education
Kat Sweet
wpa-sec: The Largest Online WPA Handshake Database
Alex Stanev
Microcontrollers and Single Board Computers for Hacking, Fun and Profit
11:30 Capturing in Hard to Reach Places
Silas Cutler
12:00 PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution Using DNS and Text-Based Steganography
An OSINT Approach to Third Party Cloud Service Provider Evaluation
Lokesh Pidawekar
Fishing for Phishers. The Enterprise Strikes Back!
Joseph Muniz, Aamir Lakhani
12:30 Bitsquatting: Passive DNS Hijacking
Ed Miles
13:00 Target-Based Security Model
Garett Montgomery
Turning Deception Outside-In: Tricking Attackers with OSINT
Hadar Yudovich, Tom Kahana, Tom Sela
What Do You Want to be When You Grow Up?
Damon "ch3f" Small
13:30 Defense in Depth: The Path to SGX at Akamai
Sam Erb
14:00 Protecting Crypto Exchanges From a New Wave of Man-in-the-Browser Attacks
Pedro Fortuna
Building a Teaching SOC
Andrew Johnson
14:30 Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Utku Sen, Gozde Sinturk
15:00 Freedom of Information: Hacking the Human Black Box
Elliott Brink
Grand Theft Auto: Digital Key Hacking
Huajiang "Kevin2600" Chen, Jin Yang
15:30 CLOSED
16:00 Car Infotainment Hacking Methodology and Attack Surface Scenarios
Jay Turla
Ridealong Adventures: Critical Issues with Police Body Cameras
Josh Mitchell
16:30 CLOSED
17:00 Swiss Cheese Holes in the Foundation of Modern Security - CERT VU#919801
Chris Hanlon
IoT Data Exfiltration
Mike Raggo, Chet Hosmer
17:30 CLOSED
18:00 Mapping Wi-Fi Networks and Triggering on Interesting Traffic Patterns
Caleb Madrigal

PHV Talks Abstracts and Bios

Bitsquatting: Passive DNS Hijacking

Ed Miles, Security Researcher at DiDi Labs

The Domain Name System is one of the foundational technologies that allow the internet to function, but unfortunately, DNS is surprisingly brittle to certain issues, such as bitsquatting.

Lookups to names that are a "bitflip" away from well-known sites (like '' instead of '' since 'c' and 'a' have a single bit difference) can be caused by memory failing due to defect or overheating situations, rogue cosmic rays, or even (allegedly) radiation caused by nuclear reactions.

I was curious how realistic the last case really was - can we 'detect' active nuclear tests based solely on bitsquatting data? To find out, I revisited bitsquatting. First I'll briefly introduce the key concepts required for understanding bitsquatting (including ASCII, DNS and HTTP, Internet infrastructure, and memory error scenarios). I'll show the tools and techniques used to identify and register over 30 newly identified bitsquat domains, monitor DNS and HTTP requests, and process, enrich, and investigate the data. Finally, I will discuss any observations gathered from the data, with a focus on regional trends, specific devices, and current events - and try and see if I could prove any correlation.

In the end, attendees should leave with knowledge of the prevalence of bitsquatting and how it has evolved since the phrase was coined 8 years ago, as well as a few techniques for analyzing bitsquatting data and drawing some interesting conclusions.

Ed Miles (Twitter: @criznash) is a researcher at DiDi Chuxing's California-based DiDi Labs. Working in technology professionally since 2001, and as a hobbyist since 1991, Ed has been focused on forensics, incident response, malware analysis, reverse engineering, and detection since 2010.

Building A Teaching SOC

Andrew Johnson, Information Security Officer at Carnegie Mellon University

Effective security monitoring is an ongoing process. How do you get everyone participating? How do you on-board junior colleagues to continuous improvement? The purpose of this presentation is to show methods for encouraging participation from all members of the security monitoring team as well as tactics for communicating effectively with the organization.

Andrew Johnson (Twitter: @pierogipowered) is implementing a dedicated security operations team at Carnegie Mellon University. The security operations group has a dual focus on both the traditional aspect of securing the university as well as a focus on training student colleagues on the practical application of their degree. Prior to Carnegie Mellon University, Andrew was with HM Health Solutions. He had been responsible for creating a security operations platform in the heavily regulated health insurance/provider space. Andrew is a co-organizer for the BSides Pittsburgh (@bsidespgh) conference and enjoys recreational cycling and cooking when not participating in information security related activities.

Capturing in Hard to Reach Places

Silas Cutler, Senior Security Researcher at CrowdStrike

It's easy for us to take for granted when tools allow us to start capturing network traffic without any real hardships. However, what happens when the data you want isn't so easy to capture? This talk will look at two cases in which environments needed to be bent in order to capture the data needed for analysis.

Silas Cutler (Twitter: @silascutler) is a Senior Security Researcher at CrowdStrike, Project Director for MalShare and DEFCON 21 Black Badge (from Capture the Packet). Endorsed on LinkedIn by [REDACTED] for "tcpdump". His prior managers have described him as "a guy" and "meeting necessary skills to perform job functions."

Car Infotainment Hacking Methodology and Attack Surface Scenarios

Jay Turla, Application Security Engineer at Bugcrowd

The battle for supremacy for the control of the dashboard display or infotainment systems has always been a race. Most of these systems run on Linux, Android, Windows (customized dashboards - perhaps Windows ME or CE) and Blackberry's QNX. In-Vehicle Infotainment (IVI) or In-car entertainment (ICE) Systems are indeed fun consoles where you can play media, movies, or work with your car's navigational system. But somehow it also comes with a risk of being hacked or attacked because they have also been plagued with vulnerabilities. In this talk, join Jay as he presents his own Car Hacker's Methodology in finding security bugs in order to pwn a car's infotainment system without having to do a drive by wire or CANbus hacking tools but will simply point out the common attack surfaces e.g. WiFi, Bluetooth, USB Ports, etc. and some scenarios on how to exploit it just like how he popped a shell or issued an arbitrary command in his car which he tweeted in Twitter before.

Jay Turla (Twitter: @shipcod3) is an application security engineer at Bugcrowd Inc., and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Yahoo, Microsoft, Mozilla, etc. for his responsible disclosures. He has also contributed auxiliary and exploit modules to the Metasploit Framework and presented at ROOTCON, Nullcon, and TCON. He used to work for HP Fortify where he performed Vulnerability Assessment, Remediation and Advance Testing.

Defense in Depth: The Path to SGX at Akamai

Sam Erb, Software Engineer at Akamai Technologies

In this presentation you will learn how Akamai has spent the past 4 years working toward preventing the next TLS Heartbleed incident. Nothing hypothetical -- only deployed defense-in-depth systems will be discussed. This talk will include how we deployed Intel SGX at scale in our network.

Sam Erb (Twitter: @erbbysam) is a 2x black badge winner with Co9 in the Badge Challenge and is working to make the Internet a safer place.

Ducky-in-the-Middle: Injecting Keystrokes into Plaintext Protocols

Esteban Rodriguez, Security Consultant at Coalfire Labs

This talk will cover the basics of protocol analysis using Wireshark and lead into analyzing two custom application protocols used for extending the mouse and keyboard of a remote system. The two applications covered are HippoRemote, an iOS app to use an iPhone as a trackpad and keyboard, and Synergy, an application to allow for control of multiple operating systems with one mouse and keyboard. By performing a MITM attack, an attacker can abuse these protocols to send keystrokes to a remote machine to gain remote code execution similar to a USB rubber ducky attack. The talk will also discuss mitigations and open source code will be provided for exploitation. The target audience should have a basic understanding of Wireshark, ARP spoofing, and reverse shells.

Esteban Rodriguez (Twitter: @n00py1) is a Security Consultant at Coalfire Labs. He primarily performs network and web application penetration testing. Esteban worked previously at Apple Inc performing intrusion analysis and incident response. Outside of work, Esteban blogs at and performs independent security research. He has authored multiple penetration testing tools and has presented at BSides Puerto Rico covering penetration testing techniques.

Fishing for Phishers. The Enterprise Strikes Back!

Joseph Muniz, Cisco
Aamir Lakhani, Fortinet

Phishing and social engineering have been around since Han Solo has flown the Millennium Falcon. The typical response is deleting the messages and giving the middle finger; however, what more could be done to strike back? This talk will cover how to build an artificial environment and develop anti-phishing tools used to respond to phishing attempts. Results could include owning the attacker's box "hypothetically" since some legal boundaries could be crossed.

Joseph Muniz is an architect at Cisco Systems. Aamir Lakhani (Twitter: @SecureBlogger) is a lead researcher at Fortinet. Together, they have spoken at various conferences including the infamous Social Media Deception RSA talk quoted by many sources found by searching "Emily Williams Social Engineering." They are also making their fourth appearance for the DEF CON Wall of Sheep. Both speakers have written books together including a recent title Digital Forensics for Network Engineers released on Cisco Press late February 2018. They have been friends for years and continue to collaborate on research and other projects.

Freedom of Information - Hacking the Human Black Box

Elliott Brink, Senior Penetration Tester at RSM US LLP

FOIA (otherwise known as the Freedom of Information Act or FOI/Freedom of Information in Australia) are government-based initiatives to permit the public to request information on various government records. In practice, these acts enable transparency of the operations of government to the masses with relative ease. In reality, submitting FOI requests can be a cumbersome and frustrating process for citizens.

For two years now I have been hacking this human black box - finding out what you can/cannot ask for and more importantly how to ask for information and get it! Have you ever asked the government for a log file, Cisco IOS running config or Active Directory group policies? Do you ever wonder if a government employee would provide you with such information if you asked really really nicely? Let's find out together! For the past couple of years I have been performing various technology-focused FOI requests in an attempt to answer one simple argument: Can you utilize freedom of information to enumerate technical information from government agencies? I present my research, findings and results of multiple years of submitting FOIA requests to various USA and Australian government institutions including multiple intelligence agencies. We will discover the fun times and challenges when performing such requests.

Attendees will gain practical knowledge about: what FOIA is, the caveats of FOIA, how you can utilize FOIA on red team engagements and other open source intelligence gathering activities and finally the results of my research in multiple requests to intelligence agencies.

Elliott Brink (Twitter: @ebrinkster) is an information security consultant based out of NYC. He specializes in internal/external pentesting, security architecture and social engineering. He loves computer history, tracking bad guys, honeypots, an expertly crafted bloody mary, and traveling the globe.

Grand Theft Auto: Digital Key Hacking

Huajiang "Kevin2600" Chen, Security Research at Ingeek
Jin Yang, Independent Security Researcher

The security of automobile access control systems is a topic often discussed. Today's vehicles rely on key-fob control modules to ensure the vehicle is accessible to authorized users only. While most traditional automobile key-fob systems have been shown to be insecure in the past, here comes a game changer. Instead of the regular key-fob system, some car owners will be able to access their vehicle by having their smartphone authenticate as a digital car key. In this talk, we will reveal the research and attacks for one of the digital car key systems in the current market. By investigating how these features work, and how to exploit them through different possible attack vectors, we will demonstrate the security limitations of such a system. By the end of this talk, the attendees will not only understand how to exploit these systems but also which tools can be used to achieve our goals.

Huajiang "Kevin2600" Chen (Twitter: @kevin2600) is a security researcher at Ingeek and a member of Team-Trinity. Team-Trinity is a non-profit group of security researchers mainly focused on wireless and embedded systems vulnerability research. Team members have worked extensively with binary reverse engineering, mobile security, and hardware security. Kevin2600 has spoken at various conferences including XCON, KCON, OZSecCon, BSides, and Alibaba-Cloud-Zcon.

Jin Yang is a member of Team-Trinity. Team-Trinity is a non-profit group of security researchers mainly focused on wireless and embedded systems vulnerability research. He has worked in the network security industry for over 10 years and focuses on Automated Virus Analysis, IoT Security, Threat Intelligence and Rootkits. Jin has spoken at XCon, AVAR and KCon.

How to Tune Automation to Avoid False Positives

Gita Ziabari, Senior Consultant Engineer at Verizon

Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to deploy automation to accelerate response time, consistency, scalability and efficiency. This talk will cover techniques to design a reliable automated tool in security. We will discuss techniques for tuning the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We will walk through steps of creating an automated tool and the essential factors to be considered to avoid any false positive.

Gita Ziabari (Twitter: @gitaziabri) is working as a Senior Consultant Engineer at Verizon. She has more than 14 years of experience in threat research, networking, testing and building automated tools. Her main focus is creating automated tools in cybersecurity for mining data.

IoT Data Exfiltration

Mike Raggo, CSO of 802 Secure, Inc.
Chet Hosmer, Owner of Python Forensics

IoT offers new protocols and frequencies over which communication travels. Due to lack of familiarity amongst most enterprises, most organizations are ill-equipped to monitor or detect these mysterious channels. This introduces a plethora of covert channels by which data could be exfiltrated, or malware to be infiltrated into the network. In this session we explore this new frontier by focusing on new methods of IoT protocol exploitation by revealing research conducted over the last 2 years. Detailed examples will be provided, as well as a demo of a Python tool for exploiting unused portions of protocol fields. From our research, we'll also reveal new methods of detecting aberrant behavior emanating to/from these devices gathered from our lab and real world testing.

Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Mallet: A Proxy for Arbitrary Traffic

Rogan Dawes, Senior Researcher at SensePost

Mallet is an intercepting proxy for arbitrary protocols. More accurately, it is a framework for building proxies for arbitrary protocols. Mallet provides the basics required of all proxies: A way to receive the data, a way to send the data, and a user interface to intercept and edit the data. It builds on the Netty project, and as such has access to a large, well-tested suite of protocol implementations that can be used to transform a stream of bytes into useful, high-level protocol objects. This workshop will introduce attendees to Mallet, and show how to construct pipelines of arbitrary complexity, to successfully decode and intercept messages in various protocols, as well as automating modifications of the various messages. A basic familiarity with Java will enhance the delegate's understanding of what they are taught, but is not a requirement.

Rogan Dawes (Twitter: @RoganDawes) is a Senior Researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab.

Mapping Wi-Fi Networks and Triggering on Interesting Traffic Patterns

Caleb Madrigal, Applied Researcher at Mandiant/FireEye

Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area along with all devices connected to them? Or maybe you want to know who's hogging all the bandwidth? Or, what if you want to know when a certain someone's cell phone is nearby? Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud?

For all these use-cases, I've developed a new tool called "trackerjacker". In this talk, we'll use this tool to explore some of the surprisingly-informative data floating around in the radio space, and you'll come away with a new skill point or two in your radio hacking skill tree, as well as a new magical weapon... I mean tool.

Caleb Madrigal (Twitter: @caleb_madrigal) is an Applied Researcher at Mandiant/FireEye.

Microcontrollers and Single Board Computers for Hacking, Fun and Profit


As security researchers, we are always looking for the next device that will make our jobs easier and our research more effective. In many cases, physical gear can be expensive and limited in capability which can be prohibitive, especially in engagements where dead drops are required. However, with the skyrocketing popularity of microcontrollers and single board computers, that barrier has been reduced significantly and has created a host of new possibilities for everything from dead drops to wired and wireless network intrusion and analysis. gh057 will introduce some of the more popular options in this genre and some live demonstrations of their more fun uses. gh057 will demonstrate three devices he built to solve specific problems and that are based on these platforms: ATtiny85, ESP8266 / ESP32, and Raspberry Pi. Finally, and as a bonus, gh057 will demonstrate a simple technique that uses AppleScript and Bash that can be used to create a simple USB trojan and can be useful for end-user training.

gh057 has worked on almost every aspect of the software development lifecycle. For the majority of his career, he worked as a front-end, full stack engineer specializing in UI/UX. During this time, he was involved in development and also testing efforts, which included quality and security best practices. In the last few years, gh057 completed a career transition to application security, most notably through security evangelism roles, where he worked closely with development teams. As an application security engineer, gh057 is responsible for security best practices, which encompasses both digital and physical threat vectors. Most recently, gh057 has been the concept creator and team lead for the Day of Shecurity conference which took place on June 16th in San Francisco, CA. In his free time, he is passionate about promoting equality in the cybersecurity industry and offering mentorship to young technologists. His goal is to leave behind a better industry than the one he found when he first began his career.

Normalizing Empire's Traffic to Evade Anomaly-based IDS

Utku Sen, Senior R&D Engineer at Tear Security
Gozde Sinturk, R&D Engineer at Tear Security

Perimeter defenses hold an important role in computer security. However, when we check the methods of APT groups, a single spear-phishing email is usually enough to gain a foothold on the network. Therefore, red teams are mostly focused on "assume breach" type of scenarios. In these scenarios, testers need to use a post-exploitation framework. Besides that, testers also need to hide the server-agent communication from NIDS (Network Intrusion Detection Systems). In this session, we will discuss the situation of Empire, one of the most famous post-exploitation tools, against payload-based anomaly detection systems. We will explain how to normalize Empire's traffic with the polymorphic blending attack (PBA) method. We will also cover our tool, "firstorder", which is designed to evade anomaly-based detection systems. The firstorder tool takes a traffic capture file of the network, tries to identify the normal profile and configures Empire's listener in such a way.

Utku Sen (Twitter: @utkusen) is a security researcher who is mostly focused on the following areas: application security, network security, tool development. He presented his tool, Leviathan Framework, in Black Hat USA Arsenal and DEF CON Demo Labs in 2017. He was also nominated for the Pwnie Awards in the "Best Backdoor" category in 2016.

Gozde Sinturk is a Security Researcher and Python Developer who has been involved in projects related to machine learning, natural language processing, and big data. She is developing security tools in her current position.

An OSINT Approach to Third Party Cloud Service Provider Evaluation

Lokesh Pidawekar, Senior Cloud and Application Security Engineer at Cisco

In the era of third party cloud service providers where enterprise critical data is hosted and shared with various vendors, third party security reviews have become an essential part of Information Security. It has become a challenge for security teams to ensure parity is maintained between security controls that are available on premise and those offered by the cloud provider. Typically, companies send a Word document or Excel sheet to get answers from cloud providers; however, this process is done only once and the review is point in time. In this talk, the attendees will learn about various methods of identifying the security posture of a third-party cloud service using information available on the Internet, how to use this information for performing a cloud service review, and how to improve their own cloud offerings. This can also supplement the tedious questionnaire process and provide an option to fast track the vendor reviews.

Lokesh Pidawekar (Twitter: @MaverickRocky02) works as a Senior Cloud and Application Security Engineer in the Cisco InfoSec team where he is responsible for designing secure architecture for applications, evaluating third party cloud service providers, and providing training to enterprise architects. He has a Master's in Information Assurance & Cyber Security from Northeastern University, Boston. Previously, he has spoken at BSides Las Vegas, DEFCON Packet Hacking Village talks, OWASP Boston chapter and CarolinaCon. He likes to read about application vulnerabilities in his free time and has reported security bugs to vendors as part of their bug bounty programs.

PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution Using DNS and Text-Based Steganography


Data exfiltration through DNS typically relies on the use of DNS query fields to exfiltrate data via the attacker's DNS server. This approach has several shortcomings. The first is attribution, since attackers end up creating a trail back to their own infrastructure. The second is awareness, as DFIR analysts have made careful study of DNS fields as exfiltration vectors. The third is access, since companies are increasingly using DNS server whitelisting to prevent or alert on outgoing DNS queries to servers controlled by attackers. But what if data could be transferred using the target's own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration?

Through a combination of DNS queries and text-based steganography, we'll cover the methods used to transfer data across a network, hidden in plain sight, without direct connectivity between systems, while employing multiple levels of deception to avoid generating alerts as well as to mislead analysis attempts. The presentation will include a demonstration of PacketWhisper, a new tool written in Python, that automates all of these steps for you. PacketWhisper will be made available on GitHub to coincide with this session.

TryCatchHCF (Twitter: @TryCatchHCF) is Red Team Lead at a Fortune 500 company, and creator of the Cloakify Exfiltration and DumpsterFire Incident Automation Toolsets. Previous roles have included Lead Pentester and AppSec Team Lead. He hacked into his first systems in 1981 and wrote his first malware the following year, all while nearly being eaten by a grue. He has 25+ years of security and software engineering experience, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. Education includes a bachelor's degree in Cognitive Science, a master's degree in Information Assurance, and the collective HiveMind of the global hacking community.

Protecting Crypto Exchanges from a New Wave of Man-in-the-Browser Attacks

Pedro Fortuna, CTO and Co-Founder of Jscrambler

In the last year or so, we have seen a massive increase in the value of cryptocurrencies and the emergence of hundreds of new coins and ICOs, getting millions of people into an investment frenzy. A lot of them being non-technical regular consumers that rushed to create new accounts in the most popular crypto exchanges like Coinbase or Bitstamp. Crypto exchanges are naturally appealing for attackers and have been targeted since as long as we can remember. However, since last year, they are also being targeted by Man-in-the-Browser (MITB) attacks. Malware families such as Zeus Panda, Ramnit and Trickbot are already aiming at websites such as or In this talk, we will detail how these attacks work, from account takeover to moving out the coins to attacker-controlled wallets. We'll discuss current defenses e.g. multi-factor authentication or strong SSL encryption and why they are failing to mitigate this type of attacks.

Pedro Fortuna (Twitter: @pedrofortuna) is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences but also contributes to web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware and Software Engineering. Author of several patents in application security.

Rethinking Role-Based Security Education

Kat Sweet, Duo Security

How do we scale a deeper level of security awareness training without sacrificing efficacy? This talk will explore strategies and tactics for developing security education based on employees' roles, access, and attack surface while designing not only for efficiency but also for effectiveness. By prioritizing the highest-risk teams, pooling teams to collaboratively threat-model, and contextualizing universal truths of security hygiene to those threat models, we can deliver training that leverages employees' roles, fosters retention via active participation, and eases the burden on trainers within the security team. Attendees will walk away with a roadmap for building scalable, contextual, and collaborative role-based employee security education within their organizations.

Kat Sweet (Twitter: @TheSweetKat) works for Duo Security's corporate security team as an information security analyst (and senior pun architect). A passionate security educator, she is heavily involved in building her team's employee security awareness and engagement program, and is frequently the first security team member that new Duo employees meet. She also serves as the lockpick village coordinator for BSides Las Vegas, a mentor for the SANS Women's Immersion Academy, and a teaching assistant for the Ann Arbor chapter of Girl Develop It. When she's not in security mode, you can often find her bursting into song or picking unsuspecting locks.

Ridealong Adventures: Critical Issues with Police Body Cameras

Josh Mitchell, Principal Cybersecurity Consultant at Nuix

The police body camera market has been growing in popularity over the last few years. A recent (2016) Johns Hopkins University market survey found 60 different models have been produced specifically for law enforcement use. Rapid adoption is fueling this meteoric increase in availability and utilization. Additionally, device manufacturers are attempting to package more and more technology into these devices. This has caused a deficiency in local municipalities' skills and budget to accurately assess the attack surface and exposure to the organization. Furthermore, departmental policies and procedures governing the secure deployment of these devices are largely insufficient.

At DEF CON, we will be introducing tactics, techniques, and procedures to assess the security of these devices. We will cover attacks against the physical devices, RF components, smartphone apps, and desktop software. The capabilities demonstrated and discussed will encompass publicly and privately available technologies. Additionally, the talk will cover multiple products and vendors, shedding light on industry wide issues and trends. Finally, we will be releasing software to detect and track various devices and tie these issues into real world events.

Josh Mitchell has more than a decade's experience as an information security researcher. He has authored numerous technical documents and presented his findings at conferences, academic discussions, and in the classroom. Josh is an expert at discovering and exploiting vulnerabilities and writing code to protect operating systems and programs. He holds patents in classifying computer files and executable files as malware or whiteware. Josh has served in the United States Air Force and held numerous defense contracting roles covering electronic signals intelligence exploitation, electronic warfare, malware analysis, exploit development, and reverse engineering. He also provided security services for General Dynamics Advanced Information Systems, Endgame, and Accuvant and assisted multiple computer emergency response teams with investigations vital to national security.

Swiss Cheese Holes in the Foundation of Modern Security - CERT VU#919801

Chris Hanlon, Founder of

In this talk we briefly introduce common SMTP/TLS implementation weaknesses and explain how governments, criminals, and malicious insiders can exploit them to remotely reset account passwords, create/update/delete firewall rules, control Windows desktops/laptops, access online backup systems, download full-disk encryption keys, watch security cameras, listen to security camera microphones, control social media accounts, and take over AWS virtual machines.

Chris Hanlon (Twitter: @ChrisHanlonCA) has been maintaining Unix, Linux, and Windows Servers since 1998 and submitting vulnerability reports since 2000. Chris's submissions have resulted in security and privacy enhancements in Google Apps, the Linux Kernel, and Interac email transfers.

Target-Based Security Model

Garett Montgomery, Principal Security Research Engineer at BreakingPoint (Ixia/KeySight)

Have you ever been asked 'what is the best way to protect against $ATTACK'? (usually shortly after $ATTACK makes headlines). Have you ever been challenged to provide the reasoning behind your suggestion? If you were in a room full of experts, would your reasoning hold up under scrutiny? When you discuss with your security-savvy peers, you quickly come to a consensus on the 'best' control (!= device) to protect against $ATTACK. But do you know WHY it's the 'best'? The Target-Based Security Model is essentially a framework that breaks down attacks to their component level. This breakdown makes it easy to see what the 'best' security controls are - as well as alternative security controls that could also be applied. It's not so much something new, as it is a new way for the industry to communicate about security. In much the same way that the OSI model allows for developers to know they are talking about the same thing, a common security model allows security professionals to communicate in a vendor-agnostic manner. Think of it as a translation tool for vendor-speak. In this talk we'll present the Target-Based Security model and discuss the following: how it came to be, what it is, and how to use it. And of course, we'll talk about how it can be used to make the world a better place - provided we all agree to use it.

Garett Montgomery (Twitter: @garett_monty) has been a Security Researcher at BreakingPoint (since acquired by Ixia; since acquired by KeySight) for the last 6+ years. Prior to joining BreakingPoint he had been employed as a Security Analyst at the Naval Postgraduate School and then an IPS Signature Developer. He holds an MS in Information Assurance and numerous (likely since-expired) security certifications. A self-described packet-monkey, he enjoys automating all the things.

Turning Deception Outside-In: Tricking Attackers with OSINT

Hadar Yudovich, Security Researcher at Illusive Networks
Tom Sela, Head of Security Research at Illusive Networks
Tom Kahana, Security Researcher at Illusive Networks

Deceptions use attackers' own tactics to force them to reveal themselves. Deception techniques are typically used inside the network once attackers have broken in. Once inside, attackers use credentials to move laterally. But before penetrating their target, attackers often study publicly available data to plan their attack. Can we assume that attackers continue to use public information once they've broken in? Could externally-planted deceptions expand our range of visibility on the adversary's activity? In this session, we will present research we conducted to answer these questions, and introduce a tool you can use to "try it at home." We first took a deeper look at various OSINT resources - social media, paste sites, public code repositories, etc. - to refine our picture of the types of publicly-available data attackers might use to further an attack. Then we planted various deceptive information. For example, on PasteBin we created a fake "paste" page containing a dump of fake credentials. On GitHub we created a fake repository of code containing "accidental" commits (git commit -am 'removed password'). Next, we paired these deceptions with relevant data and user objects within a simulated network environment. We then started monitoring and waited for an attacker to bite.

Hadar (Twitter: @hadar0x) is a Security Researcher at Illusive Networks. He has eight years of experience in cyber security, with six of those years focused on digital forensics and incident response (DFIR), both in the Israeli Air Force and in the private sector. Before joining Illusive Networks, he was a malware researcher for IBM Security where he hunted for new malware families and researched new techniques for malware detection. Hadar holds a Bachelor's degree in Computer Science from the Holon Institute of Technology, and several certifications, including the GIAC Certified Forensic Analyst (GCFA). In his free time he likes to develop open source forensic tools and solve forensic challenges.

Tom Sela (Twitter: @4x6hw) is Head of Security Research at Illusive Networks. He specializes in reverse engineering, malware research, deception development and OS internals. Prior to joining Illusive, Tom headed the Malware Research team at Trusteer (acquired by IBM), where he was responsible for Trusteer's anti-fraud endpoint product. At Trusteer he also led a team of reverse-engineers, researching the internals of advanced malware. As an active contributor to the security research community, Tom has spoken at DefCon and IEEE events. He attended the Israeli Naval Academy at the University of Haifa and holds a B.Sc. from Ben-Gurion University.

Tom Kahana (Twitter: @tomkahana1) is a Security Researcher at Illusive Networks, with over nine years in cybersecurity. He specializes in Windows internals. Prior to Illusive Networks, Tom worked for Trusteer, where he specialized in exploitation techniques. Among other accomplishments, he is credited with discovery of ASLR security bypass vulnerability CVE-2016-0012. Tom served five years in an elite unit of the Israel Defense Force (IDF), specializing in Cyber Security Research and Development. Tom is studying for his Bachelor's of Computer Science degree at the Open University of Israel.

What Do You Want to be When You Grow Up?

Damon "ch3f" Small, Technical Director at NCC Group North America

Many industries have well-defined points of entry and well-understood education and training requirements. Information Security is not one of those industries. Successful infosec pros often have wildly diverse backgrounds so it is difficult to know which is the "correct" way to enter this field. As our industry has evolved and matured, what do organizations now look for in a candidate? What combination of skills, experience, and education will get you in your "dream job?" SPOILER - there are many predictors of success, and organizations have different priorities, so there is no single answer.

The speaker will describe his experiences as a 22-year veteran of IT and infosec, both from the perspective of working for internal support teams and as a client-facing consultant. In addition to direct observations, this presentation will include the perspectives of other infosec pros that currently work in various capacities in our industry. The goal is not to answer the question of how to successfully develop one's career, as such, but rather to continue the dialogue of what is important to us as we develop our future experts and leaders.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Over the past 18 years as a security professional he has supported infosec initiatives in the healthcare, defense, aerospace, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Director includes working closely with NCC Group consultants and clients in delivering complex security assessments that meet varied business requirements.

wpa-sec: The Largest Online WPA Handshake Database

Alex Stanev, CTO of Information Services at JSC

Started as a pet project in 2011, wpa-sec collects WPA handshake captures from all over the world. Contributors use a client script to download handshakes and specially crafted dictionaries to initiate attacks against PSKs. With more than 115 GB of captures from 240 000 submissions, the collected samples represent an invaluable source for wireless security research. This includes:

  • Many improvements for emerging wireless security tools like hcxtools suite (
  • Identified default PSK key generation algorithms, used by various ISPs. Those, along with fixes for current implementations get in RouterKeygen project ( Many more to come, based on current research activities
  • Performance optimizations for WPA crackers
  • Identified some Linux kernel driver bugs

During the talk I will explain how wpa-sec works, provide statistics and a lot of internals on optimization and how to use the database as an OSINT source during pentests and red team actions.

wpa-sec is opensource project available at

Live installation at

Alex Stanev (Twitter: @RealEnderSec) started as a software developer in the late 90s working on a wide range of projects - from specialized hardware drivers to large scale information systems for private and public sectors, including e-government services, elections management and smart cities. Going through virtually all mainstream enterprise platforms, Alex also took some time to explore various niche technologies and did a lot of low level stuff.

As a security consultant, Alex led penetration test audits in Europe, America and Africa for financial and government institutions.

Currently Alex serves as CTO at the largest Bulgarian systems integrator, Information Services JSC.
