News / packet hacking village

Preview of the Packet Hacking Village at DEF CON 26, All the Events

Capture The Packet (CTP)

The time for those of hardened mettle is drawing near; are you prepared to battle? Compete in the world’s most challenging cyber defense competition based on the Aries Security Cyber Range . In order to triumph over your competitors, contestants must be well rounded, like the samurai. Tear through the challenges, traverse a hostile enterprise class network, and diligently analyze what is found in order to make it out unscathed. Not only glory, but prizes await those that emerge victorious from this upgraded labyrinth.

The Dark Tangent has asked that we extend your time in the labyrinth and this has caused the difficulty of challenges to be amplified, so only the best prepared and battle hardened will escape the crucible. Follow us on Twitter or Facebook (links below) to get notifications for dates and times your team will compete, as well as what prizes will be awarded.

Wall Of Sheep

An interactive look at what could happen if you let your guard down when connecting to any public network, Wall of Sheep passively monitors the DEF CON network looking for traffic utilizing insecure protocols. Drop by, hang out, and see for yourself just how easy it can be! Most importantly, we strive to educate the “sheep” we catch, and anyone else interested in protecting themselves in the future. We will be hosting several ‘Network Sniffing 101’ training sessions using Wireshark, Ettercap, dsniff, and other traffic analyzers.

Wall of Sheep DJ Community - WoSDJCo

Come chill with us while we play all your favorite Deep, underground house, techno, breaks, and DnB beats mixed live all weekend by your fellow hacker DJs. We will provide the soundtrack for all your epic PHV hax, just like we do every year. Schedule of DJs available at: https://wallofsheep.com/pages/dc26

Packet Detective

Looking to upgrade your skills or see how you would fare in Capture The Packet? Come check out what Packet Detective has to offer! A step up in difficulty from Packet Investigator, Packet Detective will put your network hunting abilities to the test with real-world scenarios at the intermediate level. Take the next step in your journey towards network mastery in a friendly environment still focused on learning and take another step closer to preparing yourself for the competitive environment of Capture The Packet.

NEW FOR 2018: Packet Inspector

Taking the place of Packet Detective as your introduction to network analysis, sniffing, and forensics. Do you want to understand the techniques people use to tap into a network, steal passwords and listen to conversations? Packet Inspector is the place to develop these skills! For well over a decade, the Wall of Sheep has shown people how important it is to use end-to-end encryption to keep sensitive information like passwords private. Using a license of the world famous Capture The Packet engine from Aries Security, we have created a unique way to teach hands-on skills in a controlled real-time environment.

Join us in the Packet Hacking Village to start your quest towards getting a black belt in Packet-Fu.

NEW FOR 2018: Walkthrough Workshops - Learn to build Honey Pots

The Packet Hacking Village brings yet another Def Con premiere: Walkthrough Workshops, where you will go on a self-guided journey to building your own honey pot, taking it live and hopefully trapping some unsuspecting users. Fear not though, like with all our other training events, we will have helpful and knowledgeable staff on hand to assist you along the way!

PHV Talks

Back for a sixth year, we continue to accept presentations focusing on practice and process while emphasizing defense. Speakers will present talks and training on research, tools, techniques, and design, with a goal of providing skills that can be immediately applied during and after the conference. Our audience ranges from those who are new to security, to the most seasoned practitioners in the security industry. Expect talks on a wide variety of topics for all skill levels. Updated schedule available at: https://wallofsheep.com/pages/dc26

PHV Workshops

A returning favorite from last year, we have hands-on labs and training sessions from an amazing line-up of instructors covering beginner to advanced level material. See our website for updated schedules. Updated schedule available at: https://wallofsheep.com/pages/dc26

Read more →

Packet Hacking Village Workshops at DEF CON 26 Finalized

Link to register for our hands-on workshops: https://www.eventbrite.com/e/packet-hacking-village-hands-on-workshops-2018-tickets-47710826366

There will be three waves of registration:

  • Wave 1: 18:18 PST on Wednesday, July 18th
  • Wave 2: 08:00 AM PDT / 4 PM UK time on Wednesday, July 25th
  • Wave 3: 18:01:08 PDT on Wednesday, August 1st

Workshops Schedule

Friday

Saturday

Sunday

Advanced APT Hunting with Splunk

You wanna learn how to hunt the APTs? This is the workshop for you. Using a real-worldish dataset, this workshop will teach you how to hunt the "fictional" APT group Taedonggang. We discuss the Diamond model, hypothesis building, LM Kill Chain, and Mitre Att&ck framework and how these concepts can frame your hunting. Then we look deep in the data using Splunk and OSINT to find the APT activity riddling a small startup's network. We walk you through detecting lateral movement, the P of APT, and even PowerShell Empire. Then at the end, we give you a similar dataset and tools to take home and try newly learned techniques yourself.

Ryan Kovar fought in the cyberwars and has been doing cybery things for almost 20 years. Now he is a Principal Security Strategist at Splunk building cool stuff, talking about security thingies, and helping other people fight their battles. He hates printers.

John Stoner is a Principal Security Strategist at Splunk. During his career he has worked in operations, consulting and solutions engineering. In his current role, he leverages his many years of experience in log management, SIEM, security operations and threat intelligence to provide solutions that drive greater situational awareness for organizations.

Reverse Engineering Malware 101

This workshop provides the fundamentals of reversing engineering (RE) Windows malware using a hands-on experience with RE tools and techniques. Attendees will be introduced to RE terms and processes, followed by basic x86 assembly, and reviewing RE tools and malware techniques. It will conclude by attendees performing a hands-on malware analysis that consists of Triage, Static, and Dynamic analysis.
 Prerequisites: Basic understanding of programming C/C++, Python, or Java
. Provided: A virtual machine and tools will be provided.
 Features: 5 Sections in 1.5 hours:

  • ~15 min Fundamentals
  • ~15 min Tools/Techniques
  • ~30 min Triage Static Analysis + Lab
  • ~30 min Dynamic Analysis + Lab

Amanda (Twitter: @malwareunicorn) absolutely loves malware. She works as a Senior Malware Researcher at Endgame who focuses on threat research focusing in dynamic behavior detection both on Windows and OSX platforms.


Serious Intro to Python for Admins

Intended for an audience of IT managers and admins who are either responsible for systems with deployed Python apps and/or interested in the security implications of developing their own tools/scripts/apps in Python. This will be a hands-on exercise from start to finish designed to leave you with a sense of the mentality of Python and an ability to quickly look up what you need when expanding your knowledge of Python in the future. Prior programming experience not required. However it would be helpful if you've seen lots of Monty Python skits before.


Davin Potts is a Python Core Developer and lead dev for the multiprocessing module in the Python standard library. For a day job, Davin is a scientific software consultant working primarily on data science projects. Also refer to https://www.crunchbase.com/person/davin-potts.

Mallet, an intercepting proxy for arbitrary protocols

Mallet is an intercepting proxy for arbitrary protocols. More accurately, it is a framework for building proxies for arbitrary protocols. Mallet provides the basics required of all proxies: A way to receive the data, a way to send the data, and a user interface to intercept and edit the data. It builds on the Netty project, and as such has access to a large, well-tested suite of protocol implementations that can be used to transform a stream of bytes into useful, high-level protocol objects.

This workshop will introduce attendees to Mallet, and show how to construct pipelines of arbitrary complexity, to successfully decode and intercept messages in various protocols, as well as automating modifications of the various messages.

A basic familiarity with Java will enhance the delegate's understanding of what they are taught, but is not a requirement.

Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab.

Kali Dojo Workshop

Kali Linux can be deeply and uniquely customized to specific needs and tasks. In this workshop, we will customize Kali Linux into a very specific offensive tool, and walk you through the process of customization step by step. We will create a custom Kali ISO that will: load very specific toolsets; define a custom desktop environment and wallpaper; leverage customized features and functions; launch custom tools and scripts; install Kali automatically, without user intervention as a custom "OS backdoor". This workshop will guide you through all the aspects of Kali customization and give you the skills to create your own highly-customized Kali ISO, like the much feared Kali "ISO of Doom".

Kali Live USB With Persistence And LUKS (2.5hrs)

In this section we will show you how to deploy your customized Kali ISO to a secure, encrypted, USB device. ➤ We will show you how to add standard and encrypted USB persistence so you can save your data and we will walk you through a custom LUKS "nuke" deployment that will obliterate your encrypted data when presented with a specific kill phrase. We will also will discuss strategies to help you safely and legally cross international borders with your encrypted data without compromising it. When you complete this course, you will have the skills to create a completely customized, powerful, portable Kali ISO or USB with full encryption, persistence and the peace of mind of LUKS nuke. And, to sweeten the deal, we will provide super-cool custom Kali-branded USB drives.

Johnny Long spent his career as a professional hacker. He is the author of numerous security books including No-Tech Hacking and Google Hacking for Penetration Testers and is a contributor to Kali Linux Revealed. He is the founder of Hackers for Charity and currently works with the Offensive Security team.

Intense Introduction to Modern Web Application Hacking

This course starts with an introduction to modern web applications and immediately starts diving directly into the mapping and discovery phase of testing. In this course, you will learn new methodologies used and adopted by many penetration testers and ethical hackers. This is a hands-on training where will use various open source tools and learn how to exploit SQL injection, command injection, cross-site scripting (XSS), XML External Entity (XXE), and cross-site request forgery (CSRF). We will wrap up our two hour fast-paced course by unleashing students on a vulnerable web application with their newly found skills.

Omar Santos (Twitter: @santosomar) is a Principal Engineer in the Cisco Product Security Incident Response Team (PSIRT) within Cisco's Security Research and Operations. He mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities in all Cisco products, including cloud services. Omar has been working with information technology and cyber security since the mid-1990s. Omar has designed, implemented, and supported numerous secure networks for Fortune 100 and 500 companies and the U.S. government. Prior to his current role, he was a Technical Leader within the World Wide Security Practice and the Cisco Technical Assistance Center (TAC), where he taught, led, and mentored many engineers within both organizations.

Ron Taylor (Twitter: @Gu5G0rman) has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance. In 2012, he moved into a position with the Security Research & Operations group, where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. He then spent some time as a Consulting Systems Engineer specializing in Cisco's security product line. His current role is working within the Cisco Product Security Incident Response Team (PSIRT). He has held a number of industry certifications including GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP, and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Cofounder and President of the Raleigh BSides Security Conference, and an active member of the Packet Hacking Village team at DEF CON.

Finding and Attacking Undocumented APIs with Python

Write Python web bots using Selenium and BrowserMob Proxy to crawl the Internet looking for non-public APIs. We will look at several ways to identify vulnerabilities in discovered APIs as a means for penetration testing and large scale data gathering. Participants should have some Python experience, as well as a familiarity with HTTP requests.

Ryan Mitchell is a senior software engineer at HedgeServ in Boston, where she develops APIs and data analytics tools for hedge fund managers. She is a graduate of Olin College of Engineering and Harvard University Extension School with a master's in software engineering and certificate in data science. Since 2012 she has regularly consulted, lectured, and run workshops around the country on the topics of web scraping, Python automation tools, and data science.

Read more →

Packet Hacking Village Talks at DEF CON 26 Finalized

Friday, August 10th Saturday, August 11th Sunday, August 12th
10:00 Mallet: A Proxy for Arbitrary Traffic
Rogan Dawes
Ducky-in-the-Middle: Injecting Keystrokes into Plaintext Protocols
Esteban Rodriguez
CLOSED
10:30 How to Tune Automation to Avoid False Positives
Gita Ziabari
CLOSED
11:00 Rethinking Role-Based Security Education
Kat Sweet
wpa-sec: The Largest Online WPA Handshake Database
Alex Stanev
Microcontrollers and Single Board Computers for Hacking, Fun and Profit
gh057
11:30 Capturing in Hard to Reach Places
Silas Cutler
12:00 PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution Using DNS and Text-Based Steganography
TryCatchHCF
An OSINT Approach to Third Party Cloud Service Provider Evaluation
Lokesh Pidawekar
Fishing for Phishers. The Enterprise Strikes Back!
Joseph Muniz, Aamir Lakhani
12:30 Bitsquatting: Passive DNS Hijacking
Ed Miles
13:00 Target-Based Security Model
Garett Montgomery
Turning Deception Outside-In: Tricking Attackers with OSINT
Hadar Yudovich, Tom Kahana, Tom Sela
What Do You Want to be When You Grow Up?
Damon "ch3f" Small
13:30 Defense in Depth: The Path to SGX at Akamai
Sam Erb
14:00 Protecting Crypto Exchanges From a New Wave of Man-in-the-Browser Attacks
Pedro Fortuna
Building a Teaching SOC
Andrew Johnson
CLOSED
14:30 Normalizing Empire's Traffic to Evade Anomaly-Based IDS
Utku Sen, Gozde Sinturk
CLOSED
15:00 Freedom of Information: Hacking the Human Black Box
Elliott Brink
Grand Theft Auto: Digital Key Hacking
Huajiang "Kevin2600" Chen, Jin Yang
CLOSED
15:30 CLOSED
16:00 Car Infotainment Hacking Methodology and Attack Surface Scenarios
Jay Turla
Ridealong Adventures: Critical Issues with Police Body Cameras
Josh Mitchell
CLOSED
16:30 CLOSED
17:00 Swiss Cheese Holes in the Foundation of Modern Security - CERT VU#919801
Chris Hanlon
IoT Data Exfiltration
Mike Raggo, Chet Hosmer
CLOSED
17:30 CLOSED
18:00 Mapping Wi-Fi Networks and Triggering on Interesting Traffic Patterns
Caleb Madrigal
  CLOSED

PHV Talks Abstracts and Bios

Bitsquatting: Passive DNS Hijacking

Ed Miles, Security Researcher at DiDi Labs

The Domain Name System is one of the foundational technologies that allow the internet to function, but unfortunately, DNS is surprisingly brittle to certain issues, such as bitsquatting.

Lookups to names that are a "bitflip" away from well-known sites (like 'amczon.com' instead of 'amazon.com' since 'c' and 'a have a single bit difference) can be caused by memory failing due to defect or overheating situations, rogue cosmic rays, or even (allegedly) radiation caused by nuclear reactions.

I was curious how realistic the last case really was - can we 'detect' active nuclear tests based solely on bitsquatting data? To find out, I revisited bitsquatting. First I'll briefly introduce the key concepts required for understanding bitsquatting (including ASCII, DNS and HTTP, Internet infrastructure, and memory error scenarios). I'll show the tools and techniques used to identify and register over 30 newly identified bitsquat domains, monitor DNS and HTTP requests, and process, enrich, and investigate the data. Finally, I will discuss any observations gathered from the data, with a focus on regional trends, specific devices, and current events - and try and see if I could prove any correlation.

In the end, attendees should leave with knowledge of the prevalence of bitsquatting and how it has evolved since the phrase was coined 8 years ago, as well as a few techniques for analyzing bitsquatting data and drawing some interesting conclusions.

Ed Miles (Twitter: @criznash) is a researcher at DiDi Chuxing's California-based DiDi Labs. Working in technology professionally since 2001, and as a hobbyist since 1991, Ed has been focused on forensics, incident response, malware analysis, reverse engineering, and detection since 2010.

Building A Teaching SOC

Andrew Johnson, Information Security Officer at Carnegie Mellon University

Effective security monitoring is an ongoing process. How do you get everyone participating? How do you on-board junior colleagues to continuous improvement? The purpose of this presentation is to show methods for encouraging participation from all members of the security monitoring team as well as tactics for communicating effective with the organization.

Andrew Johnson (Twitter: @pierogipowered) is implementing a dedicated security operations team at Carnegie Mellon University. The security operations group has a dual focus on both the traditional aspect of securing the university as well as a focus on training student colleagues on the practical application of their degree. Prior to Carnegie Mellon University, Andrew was with HM Health Solutions. He had been responsible for creating a security operations platform in the heavily regulated health insurance/provider space. Andrew is a co-organizer for the BSides Pittsburgh (@bsidespgh) conference and enjoys recreational cycling and cooking when not participating in information security related activities.

Capturing in Hard to Reach Places

Silas Cutler, Senior Security Researcher at CrowdStrike

It's easy for us to take for granted when tools allow us to start capturing network traffic without any real hardships. However, what happens when the data you want isn't so easy to capture. This talk will look at two cases in which environments needed to be bent in order to capture the data needed for analysis.

Silas Cutler (Twitter: @silascutler) is a Senior Security Researcher at CrowdStrike, Project Director for MalShare and DEFCON 21 Black Badge (from Capture the Packet). Endorsed on LinkedIn by [REDACTED] for "tcpdump". His prior managers have described him as "a guy" and "meeting necessary skills to perform job functions."

Car Infotainment Hacking Methodology and Attack Surface Scenarios

Jay Turla, Application Security Engineer at Bugcrowd

The battle for supremacy for the control of the dashboard display or infotainment systems has always been a race. Most of these systems run on Linux, Android, Windows (customized dashboards - perhaps Windows ME or CE) and Blackberry's QNX. In-Vehicle Infotainment (IVI) or In-car entertainment (ICE) Systems are indeed fun consoles where you can play media, movies, or work with your car's navigational system. But somehow it also comes with a risk of being hacked or attacked because they have also been plagued with vulnerabilities. In this talk, join Jay as he presents his own Car Hacker's Methodology in finding security bugs in order to pwn a car's infotainment system without having to do a drive by wire or CANbus hacking tools but will simply point out the common attack surfaces e.g WiFi, Bluetooth, USB Ports, etc. and some scenarios on how to exploit it just like how he popped a shell or issue an arbitrary command in his car which he tweeted in Twitter before.

Jay Turla (Twitter: @shipcod3) is an application security engineer at Bugcrowd Inc., and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Yahoo, Microsoft, Mozilla, etc. for his responsible disclosures. He has also contributed auxiliary and exploit modules to the Metasploit Framework and presented at ROOTCON, Nullcon, and TCON. He used to work for HP Fortify where he performs Vulnerability Assessment, Remediation and Advance Testing.

Defense in Depth: The Path to SGX at Akamai

Sam Erb, Software Engineer at Akamai Technologies

In this presentation you will learn how Akamai has spent the past 4 years working toward preventing the next TLS heartbleed incident. Nothing hypothetical --only deployed defense-in-depth systems will be discussed. This talk will include how we deployed Intel SGX at scale in our network.

Sam Erb (Twitter: @erbbysam) is a 2x black badge winner with Co9 in the Badge Challenge and is working to make the Internet a safer place.

Ducky-in-the-Middle: Injecting Keystrokes into Plaintext Protocols

Esteban Rodriguez, Security Consultant at Coalfire Labs

This talk will cover the basics of protocol analysis using Wireshark and lead into analyzing two custom application protocols used for extending the mouse and keyboard of a remote system. The two applications covered are HippoRemote, and iOS app to use a iPhone as a trackpad and keyboard, and Synergy, an application to allow for control of multiple operating systems with one mouse and keyboard. By performing a MITM attack, an attacker can abuse this protocols to send keystokes to a remote machine to gain remote code execution similar to a USB rubber ducky attack. The talk will also discuss mitigations and open source code will be provided for exploitation. The target audience should have a basic understanding of Wireshark, ARP spoofing, and reverse shells.

Esteban Rodriguez (Twitter: @n00py1) a Security Consultant at Coalfire Labs. He primarily perform network and web application penetration testing. Esteban worked previously at Apple Inc performing intrusion analysis and incident response. Outside of work, Esteban blog at n00py.io and perform independent security research. He have authored multiple penetration testing tools and have presented at BSides Puerto Rico covering penetration testing techniques.

Fishing for Phishers. The Enterprise Strikes Back!

Joseph Muniz, Cisco
Aamir Lakhani, Fortinet

Phishing and social engineering has been around since Han Solo has flown the Millennium Flacon. The typically response is deleting the messages and giving the middle finger however, what more could be done to strike back? This talk will cover how to build an artificial environment and develop anti phishing tools used to respond to phishing attempts. Results could include owning the attacker's box "hypothetically" since some legal boundaries could be crossed.

Joseph Muniz is an architect at Cisco Systems. Aamir Lakhani (Twitter: @SecureBlogger) is a lead researcher at Fortinet. Together, they have spoken at various conferences including the infamous Social Media Deception RSA talk quoted by many sources found by searching "Emily Williams Social Engineering." They are also making their fourth appearance for the DEF CON Wall of Sheep. Both speakers have written books together including a recent title Digital Forensics for Network Engineers released on Cisco Press late February 2018. They have been friends for years and continue to collaborate on research and other projects.

Freedom of Information - Hacking the Human Black Box

Elliott Brink, Senior Penetration Tester at RSM US LLP

FOIA (otherwise known as the Freedom of Information Act or FOI/Freedom of Information in Australia) are government-based initiatives to permit the public to request information on various government records. In practice, these acts enable transparency of the operations of government to the masses with relative ease. In reality, submitting FOI requests can be a cumbersome and frustrating process for citizens.

For two years now I have been hacking this human black box - finding out what you can/cannot ask for and more importantly how to ask for information and get it! Have you ever asked the government for a log file, Cisco IOS running config or Active Directory group policies? Do you ever wonder if a government employee would provide you with such information if you asked really really nicely? Let's find out together! For the past couple of years I have been performing various technology-focused FOI requests in an attempt to answer one simple argument: Can you utilize freedom of information to enumerate technical information from government agencies? I present my research, findings and results of multiple years of submitting FOIA requests to various USA and Australian government institutions including multiple intelligence agencies. We will discover the fun times and challenges when performing such requests.

Attendees will gain practical knowledge about: what FOIA is, the caveats of FOIA, how you can utilize FOIA on red team engagements and other open source intelligence gathering activities and finally the results of my research in multiple requests to intelligence agencies.

Elliott Brink (Twitter: @ebrinkster) is an information security consultant based out of NYC. He specializes in internal/external pentesting, security architecture and social engineering. He loves computer history, tracking bad guys, honeypots, an expertly crafted bloody mary, and traveling the globe.

Grand Theft Auto: Digital Key Hacking

Huajiang "Kevin2600" Chen, Security Research at Ingeek
Jin Yang, Independent Security Researcher

The security of automobiles accesses control system is a topic often discussed. Today's vehicles rely on key-fob control modules, to ensure the vehicle is accessible to authorized users only. While most traditional automobile key-fob systems have been shown to be insecure in the past, here comes a game changer. Instead of the regular key-fob system, some car owners will be able to access their vehicle by having their smartphone authenticates as a digital car key.In this talk, we will reveal the research and attacks for one of digital car keys system in the current market. By investigating how these features work, and how to exploit it through different possibles of attack vectors, we will demonstrate the security limitations of such system. By the end of this talk, the attendees will not only understand how to exploit these systems also which tools can be used to achieve our goals.

Huajiang "Kevin2600" Chen (Twitter: @kevin2600) is a security researcher at Ingeek. And a member of Team-Trinity. The Team-Trinity is a Non-profit group of security researchers, mainly focus on wireless and embedded systems vulnerability research. Team members have worked extensively with binary reverse engineering, mobile security, and hardware security. Kevin2600 has spoken at various conferences including XCON, KCON, OZSecCon, BSides, and Alibaba-Cloud-Zcon.

Jin Yang is a member of Team-Trinity. The Team-Trinity is a Non-profit group of security researchers, mainly focus on wireless and embedded systems vulnerability research. He work in network security industry for over 10 years and focus on the Automated Virus Analysis, IoT Security, Threat Intelligence and Rootkits. Jin has spoken at XCon; AVAR and KCon.

How to Tune Automation to Avoid False Positives

Gita Ziabari, Senior Consultant Engineer at Verizon

Every SOC is deluged by massive amounts of logs, suspect files, alerts and data that make it impossible to respond to everything. It is essential to deploy automation to accelerate response time, consistency, scalability and efficiency. This talk will cover techniques to design a reliable automated tool in security. We will discuss about techniques of tunning the automation to avoid false positives and the many struggles we have had in creating appropriate whitelists. We will walk through steps of creating an automated tool and the essential factors to be considered to avoid any false positive.

Gita Ziabari (Twitter: @gitaziabri) is working at as a Senior Consultant Engineer at Verizon. She has more than 14 years of experience in threat research, networking, testing and building automated tools. Her main focus is creating automated tools in cybersecurity for mining data.

IoT Data Exfiltration

Mike Raggo, CSO of 802 Secure, Inc.
Chet Hosmer, Owner of Python Forensics

IoT offers new protocols and frequencies over which communication travels. Due to lack of familiarity amongst most enterprises, most organizations are ill-equipped to monitor or detect these mysterious channels. This introduces a plethora of covert channels by which data could be exfiltrated, or malware to be infiltrated into the network. In this session we explore this new frontier by focusing on new methods of IoT protocol exploitation by revealing research conducted over the last 2 years. Detailed examples will be provided, as well as demo of a python tool for exploiting unused portions of protocol fields. From our research, we'll also reveal new methods of detecting aberrant behavior emanating to/from these devices gathered from our lab and real world testing.

Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

Mallet: A Proxy for Arbitrary Traffic

Rogan Dawes, Senior Researcher at SensePost

Mallet is an intercepting proxy for arbitrary protocols. More accurately, it is a framework for building proxies for arbitrary protocols. Mallet provides the basics required of all proxies: A way to receive the data, a way to send the data, and a user interface to intercept and edit the data. It builds on the Netty project, and as such has access to a large, well-tested suite of protocol implementations that can be used to transform a stream of bytes into useful, high-level protocol objects. This workshop will introduce attendees to Mallet, and show how to construct pipelines of arbitrary complexity, to successfully decode and intercept messages in various protocols, as well as automating modifications of the various messages. A basic familiarity with Java will enhance the delegate's understanding of what they are taught, but is not a requirement.

Rogan Dawes (Twitter: @RoganDawes) is a Senior Researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleague's frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies, WebScarab.

Mapping Wi-Fi Networks and Triggering on Interesting Traffic Patterns

Caleb Madrigal, Applied Researcher at Mandiant/FireEye

Sure, WiFi hacking has been around for a while, and everyone knows about tools like airmon-ng, kismet, et al. But what if you just want to view a list of all networks in your area along with all devices connected to them? Or maybe you want to know who's hogging all the bandwidth? Or, what if you want to know when a certain someone's cell phone is nearby. Or perhaps you'd like to know if your Airbnb host's IP Camera is uploading video to the cloud?

For all these use-cases, I've developed a new tool called "trackerjacker". In this talk, we'll use this tool to explore some of the surprisingly-informative data floating around in the radio space, and you'll come away with a new skill point or two in your radio hacking skill tree, as well as a new magical weapon... I mean tool.

Caleb Madrigal (Twitter: @caleb_madrigal) is an Applied Researcher at Mandiant/FireEye.

Microcontrollers and Single Board Computers for Hacking, Fun and Profit

gh057

As security researchers, we are always looking for the next device that will make our jobs easier and our research more effective. In many cases, physical gear can be expensive and limited in capability which can be prohibitive, especially in engagements where dead drops are required. However, with the skyrocketing popularity of microcontrollers and single board computers, that barrier has been reduced significantly and has created a host of new possibilities for everything from dead drops to wired and wireless network intrusion and analysis. gh057 will introduce some of the more popular options in this genre and some live demonstrations of their more fun uses. gh057 will demonstrate three devices he built to solve specific problems and that are based on these platforms: ATtiny85, ESP8266 / ES32, Raspberry Pi Finally, and as a bonus, gh057 will demonstrate a simple technique that uses Applescript and Bash that can be used to create a simple USB trojan and can be useful for end-user training.

gh057 has worked on almost every aspect of the software development lifecycle. For the majority of his career, he worked as a front-end, full stack engineer specializing in UI/UX. During this time, he was involved in development and also testing efforts, which included quality and security best practices. In the last few years, gh057 completed a career transition to application security, most notably through security evangelism roles, where he worked closely with development teams. As an application security engineer, gh057 is responsible for security best practices, which encompasses both digital and physical threat vectors. Most recently, gh057 has been the concept creator and team lead for the Day of Shecurity conference which took place on June 16th in San Francisco, CA. In his free time, he is passionate about promoting equality in the cybersecurity industry and offering mentorship to young technologists. His goal is to leave behind a better industry than the one he found when he first began his career.

Normalizing Empire's Traffic to Evade Anomaly-based IDS

Utku Sen, Senior R&D Engineer at Tear Security
Gozde Sinturk, R&D Engineer at Tear Security

Perimeter defenses are holding an important role in computer security. However, when we check the method of APT groups, a single spear-phishing usually enough to gain a foothold on the network. Therefore, red teams are mostly focused on "assume breach" type of scenarios. In these scenarios, testers need to use a post-exploitation framework. Besides that, testers also need to hide the server-agent communication from NIDS (Network Intrusion Detection Systems). In this session, we will discuss one of the most famous post-exploitation tool, Empire's situation against payload-based anomaly detection systems. We will explain how to normalize Empire's traffic with polymorphic blending attack (PBA) method. We will also cover our tool, "firstorder" which is designed to evade anomaly-based detection systems. firstorder tool takes a traffic capture file of the network, tries to identify normal profile and configures Empire's listener in such way.

Utku Sen (Twitter: @utkusen) is a security researcher who is mostly focused on following areas: application security, network security, tool development. He presented his tool, Leviathan Framework in Black Hat USA Arsenal and DEF CON Demo Labs in 2017. He also nominated for Pwnie Awards on "Best Backdoor" category in 2016.

Gozde Sinturk is Security Researcher and Python Developer who involved in projects related to machine learning, natural language processing, and big data. She is developing security tools in her current position.

An OSINT Approach to Third Party Cloud Service Provider Evaluation

Lokesh Pidawekar, Senior Cloud and Application Security Engineer at Cisco

In the era of third party cloud service providers where enterprise critical data is hosted and shared with various vendors, third party security reviews have become essential part of Information Security. It has become a challenge for security teams to ensure parity is maintained between security controls that are available on premise, to those offered by the cloud provider. Typically, companies send a word document or excel sheet to get answers from cloud providers, however, this process is done only once and the review is point in time. In this talk, the attendees will learn about various methods of identifying security posture of the third-party cloud service using information available on Internet, how to use this information for performing cloud service review and improve their own cloud offerings. This can also supplement the tedious questionnaire process and provide an option to fast track the vendor reviews.

Lokesh Pidawekar (Twitter: @MaverickRocky02) work as Senior Cloud and Application Security Engineer in Cisco InfoSec team where he is responsible for designing secure architecture for applications, evaluating third party cloud service providers, and providing training to enterprise architects. He has Master's in Information Assurance & Cyber Security from Northeastern University, Boston. Previously, he has spoken at BSides Las Vegas, DEFCON Packet Hacking Village talks, OWASP Boston chapter and CarolinaCon. He likes to read about application vulnerabilities in free time and has reported security bugs to vendors as part of their bug bounty program.

PacketWhisper: Stealthily Exfiltrating Data and Defeating Attribution Using DNS and Text-Based Steganography

TryCatchHCF

Data exfiltration through DNS typically relies on the use of DNS query fields to exfiltrate data via the attacker's DNS server. This approach has several shortcomings. The first is attribution, since attackers end up creating a trail back to their own infrastructure. The second is awareness, as DFIR analysts have made careful study of DNS fields as exfiltration vectors. The third is access, since companies are increasingly using DNS server whitelisting to prevent or alert on outgoing DNS queries to servers controlled by attackers. But what if data could be transferred using the target's own whitelisted DNS servers, without the communicating systems ever directly connecting to each other or a common endpoint? Even if the network boundary employed data whitelisting to block data exfiltration?

Through a combination of DNS queries and text-based steganography, we'll cover the methods used to transfer data across a network, hidden in plain sight, without direct connectivity between systems, while employing multiple levels of deception to avoid generating alerts as well as to mislead analysis attempts. The presentation will include a demonstration of PacketWhisper, a new tool written in Python, that automates all of these steps for you. PacketWhisper will be made available on GitHub to coincide with this session (https://github.com/TryCatchHCF).

TryCatchHCF (Twitter: @TryCatchHCF) is Red Team Lead at a Fortune 500 company, and creator of the Cloakify Exfiltration and DumpsterFire Incident Automation Toolsets (https://github.com/TryCatchHCF). Previous roles have included Lead Pentester and AppSec Team Lead. He hacked into his first systems in 1981 and wrote his first malware the following year, all while nearly being eaten by a grue. He has 25+ years of security and software engineering experience, and served as an Intelligence Analyst and Counterintelligence Specialist in the United States Marine Corps. Education includes a bachelors degree in Cognitive Science, a masters degree in Information Assurance, and the collective HiveMind of the global hacking community.

Protecting Crypto Exchanges from a New Wave of Man-in-the-Browser Attacks

Pedro Fortuna, CTO and Co-Founder of Jscrambler

In the last year or so, we have seen a massive increase in the value of cryptocurrencies and the emergence of hundreds of new coins and ICOs, getting millions of people into an investment frenzy. A lot of them being non-technical regular consumers that rushed to create new accounts in the most popular crypto exchanges like Coinbase or Bitstamp. Crypto exchanges are naturally appealing for attackers and have been targeted since as long as we can remember. However, since last year, they are also being targeted by Man-in-the-Browser (MITB) attacks. Malware families such as Zeus Panda, Ramnit and Trickbot are already aiming at websites such as Coinbase.com or Blockchain.info. In this talk, we will detail how these attacks work, from account takeover to moving out the coins to attacker-controlled wallets. We'll discuss current defenses e.g. multi-factor authentication or strong SSL encryption and why they are failing to mitigate this type of attacks.

Pedro Fortuna (Twitter: @pedrofortuna) is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences but also contributes to web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware and Software Engineering. Author of several patents in application security.

Rethinking Role-Based Security Education

Kat Sweet, Duo Security

How do we scale a deeper level of security awareness training without sacrificing efficacy? This talk will explore strategies and tactics for developing security education based on employees' roles, access, and attack surface while designing not only for efficiency but also for effectiveness. By prioritizing the highest-risk teams, pooling teams to collaboratively threat-model, and contextualizing universal truths of security hygiene to those threat models, we can deliver training that leverages employees' roles, fosters retention via active participation, and eases the burden on trainers within the security team. Attendees will walk away with a roadmap for building scalable, contextual, and collaborative role-based employee security education within their organizations.

Kat Sweet (Twitter: @TheSweetKat) works for Duo Security's corporate security team as an information security analyst (and senior pun architect). A passionate security educator, she is heavily involved in building her team's employee security awareness and engagement program, and is frequently the first security team member that new Duo employees meet. She also serves as the lockpick village coordinator for BSides Las Vegas, a mentor for the SANS Women's Immersion Academy, and a teaching assistant for the Ann Arbor chapter of Girl Develop It. When she's not in security mode, you can often find her bursting into song or picking unsuspecting locks.

Ridealong Adventures: Critical Issues with Police Body Cameras

Josh Mitchell, Principal cybersecurity Consultant at Nuix

The police body camera market has been growing in popularity over the last few years. A recent (2016) Johns Hopkins University market survey found 60 different models have been produced specifically for law enforcement use. Rapid adoption is fueling this meteoric increase in availability and utilization. Additionally, device manufactures are attempting to package more and more technology into these devices. This has caused a deficiency in local municipalities' skills and budget to accurately assess the attack surface and exposure to the organization. Furthermore, departmental policies and procedures governing the secure deployment of these devices is largely insufficient.

At DEF CON, we will be introducing tactics, techniques, and procedures to assess the security of these devices. We will cover attacks against the physical devices, RF components, smartphone app's, and desktop software. The capabilities demonstrated and discussed will encompass publicly and privately available technologies. Additionally, the talk will cover multiple products and vendors, shedding light on industry wide issues and trends. Finally, we will be releasing software to detect and track various devices and tie these issues into real world events.

Josh Mitchell has more than a decade's experience as an information security researcher. He has authored numerous technical documents and presented his findings at conferences, academic discussions, and in the classroom. Josh is an expert at discovering and exploiting vulnerabilities and writing code to protect operating systems and programs. He holds patents in classifying computer files and executable files as malware or whiteware. Josh has served in the United States Air Force and held numerous defense contracting roles covering electronic signals intelligence exploitation, electronic warfare, malware analysis, exploit development, and reverse engineering. He also provided security services for General Dynamics Advanced Information Systems, Endgame, and Accuvant and assisted multiple computer emergency response teams with investigations vital to national security.

Swiss Cheese Holes in the Foundation of Modern Security - CERT VU#919801

Chris Hanlon, Founder of SecurityAlliance.ca

In this talk we briefly introduce common SMTP/TLS implementation weaknesses explain how governments, criminals, and malicious insiders can exploit them to remotely reset account passwords, create/update/delete firewall rules, control windows desktops/laptops, access online backup systems, download full-disk Encryption Keys, watch security cameras, listen to security camera microphones, control social media accounts, and takeover AWS virtual machines.

Chris Hanlon (Twitter: @ChrisHanlonCA) has been maintaining Unix, Linux, and Windows Servers since 1998 and submitting vulnerability reports since 2000. Chris's submissions have resulted in security and privacy enhancements in Google Apps, the Linux Kernel, and Interac email transfers.

Target-Based Security Model

Garett Montgomery, Principal Security Research Engineer at BreakingPoint (Ixia/KeySight)

Have you ever been asked 'what is the best way to protect against $ATTACK'? (usually shortly after $ATTACK makes headlines). Have you ever been challenged to provide the reasoning behind your suggestion? If you were in a room full of experts, would your reasoning hold up under scrutiny? When you discuss with your security-savvy peers, you're quickly come to a consensus on the 'best' control (!= device) to protect against $ATTACK. But do you know WHY it's the 'best'? The Target-Based Security Model is essentially a framework that breaks down attacks to their component level. This breakdown makes it easy to see what the 'best' security controls are - as well as alternative security controls that could also be applied. Its not so much something new, as it is a new way for the industry to communicate about security. In much the same way that the OSI model allows for developers to know they are talking about the same thing, a common security model allows security professionsals to communicate in a vendor-agnostic manner. Think of it as a translation tool for vendor-speak. In this talk we'll present the Target-Based Security model and discuss the following: how it came to be, what it is, and how to use it. And of course, we'll talk about how it can be used to make the world a better place - provided we all agree to use it.

Garett Montgomery (Twitter: @garett_monty) has been a Security Researcher at BreakingPoint (since acquired by Ixia; since acquired by KeySight) for the last 6+ years. Prior to joining BreakingPoint he had been employed as a Security Analyst at the Naval Postgraduate School and then an IPS Signature Developer. He holds an MS in Information Assurance and numerous (likely since-expired) security certifications. A self-described packet-monkey, he enjoys automating all the things.

Turning Deception Outside-In: Tricking Attackers with OSINT

Hadar Yudovich, Security Researcher at Illusive Networks
Tom Sela, Head of Security Research at Illusive Networks
Tom Kahana, Security Researcher at Illusive Networks

Deceptions use attackers' own tactics to force them to reveal themselves. Deception techniques are typically used inside the network once attackers have broken in. Once inside, attackers use credentials to move laterally. But before penetrating their target, attackers often study publicly available data to plan their attack. Can we assume that attackers continue to use public information once they've broken in? Could externally-planted deceptions expand our range of visibility on the adversary's activity? In this session, we will present research we conducted to answer these questions, and introduce a tool you can use to "try it at home." We first took a deeper look at various OSINT resources-social media, paste sites, public code repositories, etc.-to refine our picture of the types of publicly-available data, attackers might use to further an attack. Then we planted various deceptive information. For example, on PasteBin we created a fake "paste" page containing a dump of fake credentials. On GitHub we created a fake repository of code containing "accidental" commits (git commit -am 'removed password'). Next, we paired these deceptions with relevant data and user objects within a simulated network environment. We then started monitoring and waited for an attacker to bite.

Hadar (Twitter: @hadar0x) is a Security Researcher at Illusive Networks. He has eight years of experience in cyber security, with six of those years focused on digital forensics and incident response (DFIR), both in the Israeli Air Force and in the private sector. Before joining Illusive Networks, he was a malware researcher for IBM Security where he hunted for new malware families and researched new techniques for malware detection. Hadar holds a Bachelor's degree in Computer Science from the Holon Institute of Technology, and several certifications, including the GIAC Certified Forensic Analyst (GCFA). In his free time he likes to develop open source forensic tools and solve forensic challenges.

Tom Sela (Twitter: @4x6hw) is Head of Security Research at Illusive Networks. He specializes in reverse engineering, malware research, deception development and OS internals. Prior to joining Illusive, Tom headed the Malware Research team at Trusteer (acquired by IBM), where he was responsible for Trusteer's anti-fraud endpoint product. At Trusteer he also led a team of reverse-engineers, researching the internals of advanced malware. As an active contributor to the security research community, Tom has spoken at DefCon and IEEE events. He attended the Israeli Naval Academy at the University of Haifa and holds a B.Sc. from Ben-Gurion University.

Tom Kahana (Twitter: @tomkahana1) is a Security Researcher at Illusive Networks, with over nine years in cybersecurity. He specializes in Windows internals. Prior to Illusive Networks, Tom worked for Trusteer, where he specialized in exploitation techniques. Among other accomplishments, he is credited with discovery of ASLR security bypass vulnerability CVE-2016-0012. Tom served five years in an elite unit of the Israel Defense Force (IDF), specializing in Cyber Security Research and Development. Tom is studying for his Bachelor's of Computer Science degree at the Open University of Israel.

What Do You Want to be When You Grow Up?

Damon "ch3f" Small, Technical Director at NCC Group North America

Many industries have well-defined points of entry and well-understood education and training requirements. Information Security is not one of those industries. Successful infosec pros often have wildly diverse backgrounds so it is difficult to know which is the "correct" way to enter this field. As our industry has evolved and matured, what do organizations now look for in a candidate? What combination of skills, experience, and education will get you in your "dream job?" SPOILER - there are many predictors of success, and organizations have different priorities, so there is no single answer.

The speaker will describe his experiences as a 22-year veteran of IT and infosec, both from the perspective of working for internal support teams and as a client-facing consultant. In addition to direct observations, this presentation will include the perspectives of other infosec pros that currently work in various capacities in our industry. The goal is not to answer the question of how to successfully develop one's career, as such, but rather to continue the dialogue of what is important to us as we develop our future experts and leaders.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Over the past 18 years as a security professional he has supported infosec initiatives in the healthcare, defense, aerospace, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Director includes working closely with NCC Group consultants and clients in delivering complex security assessments that meet varied business requirements.

wpa-sec: The Largest Online WPA Handshake Database

Alex Stanev, CTO of Information Services at JSC

Started as pet project in 2011, wpa-sec collects WPA handshake captures from all over the world. Contributors use client script to download handshakes and special crafted dictionaries to initiate attack against PSKs. With more than 115 GB captures from 240 000 submissions, collected samples represent invaluable source for wireless security research. This includes:

  • Many improvements for emerging wireless security tools like hcxtools suite (https://github.com/ZerBea/hcxtools)
  • Identified default PSK key generation algorithms, used by various ISPs. Those, along with fixes for current implementations get in RouterKeygen project (https://github.com/routerkeygen/routerkeygenPC). Many more to come, based on current research activities
  • Performance optimizations for WPA crackers
  • Identified some linux kernel driver bugs

During the talk I will explain how wpa-sec works, provide statistics and a lot internals on optimization and how to use the database as OSINT source during pentests and red team actions.

wpa-sec is opensource project available at https://github.com/RealEnder/dwpa.

Live installation at https://wpa-sec.stanev.org.

Alex Stanev (Twitter: @RealEnderSec) started as a software developer in late 90s working on a wide range of projects - from specialized hardware drivers to large scale information systems for private and public sectors, including e-government services, elections management and smart cities. Going through virtually all mainstream enterprise platforms, Alex also took some time to explore various niche technologies and did a lot of low level stuff.

As a security consultant, Alex led penetration test audits in Europe, America and Africa for financial and government institutions.

Currently Alex serves as CTO in largest Bulgarian systems integrator Information Services JSC.

Read more →

Four More Talks Added to Packet Hacking Village Talks at DEF CON 26

Car Infotainment Hacking Methodology and Attack Surface Scenarios

Jay Turla, Application Security Engineer at Bugcrowd

The battle for supremacy for the control of the dashboard display or infotainment systems has always been a race. Most of these systems run on Linux, Android, Windows (customized dashboards - perhaps Windows ME or CE) and Blackberry's QNX. In-Vehicle Infotainment (IVI) or In-car entertainment (ICE) Systems are indeed fun consoles where you can play media, movies, or work with your car's navigational system. But somehow it also comes with a risk of being hacked or attacked because they have also been plagued with vulnerabilities. In this talk, join Jay as he presents his own Car Hacker's Methodology in finding security bugs in order to pwn a car's infotainment system without having to do a drive by wire or CANbus hacking tools but will simply point out the common attack surfaces e.g WiFi, Bluetooth, USB Ports, etc. and some scenarios on how to exploit it just like how he popped a shell or issue an arbitrary command in his car which he tweeted in Twitter before.

Jay Turla (Twitter: @shipcod3) is an application security engineer at Bugcrowd Inc., and one of the goons of ROOTCON. He has been acknowledged and rewarded by Facebook, Adobe, Yahoo, Microsoft, Mozilla, etc. for his responsible disclosures. He has also contributed auxiliary and exploit modules to the Metasploit Framework and presented at ROOTCON, Nullcon, and TCON. He used to work for HP Fortify where he performs Vulnerability Assessment, Remediation and Advance Testing.

IoT Data Exfiltration

Mike Raggo, CSO of 802 Secure, Inc.
Chet Hosmer, Owner of Python Forensics

IoT offers new protocols and frequencies over which communication travels. Due to lack of familiarity amongst most enterprises, most organizations are ill-equipped to monitor or detect these mysterious channels. This introduces a plethora of covert channels by which data could be exfiltrated, or malware to be infiltrated into the network. In this session we explore this new frontier by focusing on new methods of IoT protocol exploitation by revealing research conducted over the last 2 years. Detailed examples will be provided, as well as demo of a python tool for exploiting unused portions of protocol fields. From our research, we'll also reveal new methods of detecting aberrant behavior emanating to/from these devices gathered from our lab and real world testing.

Mike Raggo (Twitter: @DataHiding) is Chief Security Officer at 802 Secure and has over 20 years of security research experience. 
His current focus is wireless IoT threats impacting the enterprise. Michael is the author of "Mobile Data Loss: Threats & Countermeasures" and "Data Hiding" for Syngress Books, and contributing author for "Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, DoD Cyber Crime, OWASP, HackCon, and SANS.

Chet Hosmer is an international author, educator & researcher, and founder of Python Forensics, Inc., a non-profit research institute focused on the collaborative development of open source investigative technologies using the Python programming language. Chet is also a Visiting Professor at Utica College in the Cybersecurity Graduate Program, where his research and teaching is focused on data hiding, active cyber defense and security of industrial control systems. Additionally, Chet is an Adjunct Professor at Champlain College in the Digital Forensics Graduate Program, where his research and teaching is focused on solving hard digital investigation problems using the Python programming language.

An OSINT Approach to Third Party Cloud Service Provider Evaluation

Lokesh Pidawekar, Senior Cloud and Application Security Engineer at Cisco

In the era of third party cloud service providers where enterprise critical data is hosted and shared with various vendors, third party security reviews have become essential part of Information Security. It has become a challenge for security teams to ensure parity is maintained between security controls that are available on premise, to those offered by the cloud provider. Typically, companies send a word document or excel sheet to get answers from cloud providers, however, this process is done only once and the review is point in time. In this talk, the attendees will learn about various methods of identifying security posture of the third-party cloud service using information available on Internet, how to use this information for performing cloud service review and improve their own cloud offerings. This can also supplement the tedious questionnaire process and provide an option to fast track the vendor reviews.

Lokesh Pidawekar (Twitter: @MaverickRocky02) work as Senior Cloud and Application Security Engineer in Cisco InfoSec team where he is responsible for designing secure architecture for applications, evaluating third party cloud service providers, and providing training to enterprise architects. He has Master's in Information Assurance & Cyber Security from Northeastern University, Boston. Previously, he has spoken at BSides Las Vegas, DEFCON Packet Hacking Village talks, OWASP Boston chapter and CarolinaCon. He likes to read about application vulnerabilities in free time and has reported security bugs to vendors as part of their bug bounty program.

Protecting Crypto Exchanges from a New Wave of Man-in-the-Browser Attacks

Pedro Fortuna, CTO and Co-Founder of Jscrambler

In the last year or so, we have seen a massive increase in the value of cryptocurrencies and the emergence of hundreds of new coins and ICOs, getting millions of people into an investment frenzy. A lot of them being non-technical regular consumers that rushed to create new accounts in the most popular crypto exchanges like Coinbase or Bitstamp. Crypto exchanges are naturally appealing for attackers and have been targeted since as long as we can remember. However, since last year, they are also being targeted by Man-in-the-Browser (MITB) attacks. Malware families such as Zeus Panda, Ramnit and Trickbot are already aiming at websites such as Coinbase.com or Blockchain.info. In this talk, we will detail how these attacks work, from account takeover to moving out the coins to attacker-controlled wallets. We’ll discuss current defenses e.g. multi-factor authentication or strong SSL encryption and why they are failing to mitigate this type of attacks.

Pedro Fortuna (Twitter: @pedrofortuna) is CTO and Co-Founder of Jscrambler where he leads the technical vision for the product suite and contributes with his cybersecurity knowledge for R&D. Pedro holds a degree in Computing Engineering and a MSc in Computer Networks and Services, having more than a decade of experience researching and working in the application security area. He is a regular speaker at OWASP AppSec events and other cybersecurity conferences but also contributes to web development events. His research interests lie in the fields of Application Security, Reverse Engineering and Malware and Software Engineering. Author of several patents in application security.

Read more →

Packet Hacking Village Talks at DEF CON 26 Call for Presentations Now Open

Overview

The Wall of Sheep would like to announce a call for presentations at DEF CON 26 at the Caesars Palace in Las Vegas, NV from Thursday, August 9th to Sunday, August 12th. Speaker Workshops has been renamed Packet Hacking Village Talks as we now offer hands-on workshops. Packet Hacking Village Talks goal is to deliver talks that increase security awareness and provide skills that can be immediately applied after the conference. Our audience ranges from those who are new to security to the most seasoned practitioners in the security industry. Introductory talks are welcome.

Topics of interest include:

  • Tools on network sniffing, intrusion detection, monitoring, forensics
  • How to find and evict people harvesting cryptocurrency on your devices
  • How to do refresh your PC without losing all your stuff and eliminate the malware
  • Incident response recovery
  • Justifying hacking / security tools in the corporate world
  • Finding rootkits and malware
  • General Digital Forensics and Incident Response (DFIR) talks
  • How to use regulatory compliance requirements in your favor to enhance your overall funding and security posture
  • Security awareness program success and failure stories
  • Enterprise defense using open source tools (e.g., Yara, Cuckoo Sandbox)
  • Tool / task automation and optimization
  • New and innovative ways of using old tools
  • Incident response process and procedures
  • Tools for data collection and visualization
  • Purple teaming

The Wall of Sheep will not accept product or vendor related pitches. If your talk is a thinly-veiled advertisement for a product or service your company is offering, please do not apply!

All accepted talks will be announced, recorded, and published by Aries Security, LLC. and DEF CON Communications, Inc. Please see our YouTube channel for all talks from previous years: https://www.youtube.com/channel/UCnL9S5Wv_dNvO381slSA06w.

The Call for Presentations will close on Friday, June 15th at 11:59 PM. The list of talks will be finalized and published on Saturday, June 30th.

Speaking Format

Each presentation slot is 1 hour maximum, including time for Q&A. If we have time and it is in line with our goals mentioned above, then there is a good chance you will be selected.

To submit a presentation, please provide the following information in the form below to cfp2018[at]wallofsheep[dot]com

Primary Speaker Name:

Primary Speaker Title and Company (if applicable):

Primary Speaker Email Address:

Primary Speaker Phone Number (to contact you if necessary during the conference):

Primary Speaker Twitter name (if you want it known if you are accepted):

Primary Speaker Facebook page (if you want it known if you are accepted):

Additional Speakers' name(s), titles, and social information:

Additional Email Addresses:

Is there a specific day or time you MUST speak by?

Name of Presentation:

Length of presentation:

(20 minutes or 50 minutes)

Abstract:

Your abstract will be used for the website and printed materials. Summarize what your presentation will cover. Attendees will read this to get an idea of what they should know before your presentation, and what they will learn after. Use this to inform about how technical your talk is. This abstract is the primary way people will be drawn to your session. CFP reviews like to see what tools will be used and what materials you suggest to read in advance to get the most out of your presentation.

Equipment Needs & Special Requests:

The Wall of Sheep will provide 1 projector feed, and microphones. If you need to use multiple outputs for a demo, please mention this below.

Speaker's Bio(s):

This text will be used for the website and printed materials and should be written in the third person. Cover any professional history that is relevant to the presentation, including past jobs, tools that you have written, etc. Let people know who you are and why you are qualified to speak on your topic. Presentations that are submitted without biographies will not be considered.

Detailed Outline:

You must provide a detailed outline containing the main points and navigation through your talk. Show how you intend to begin, where you intend to lead the audience and how you plan to get there. The outline may be provided in a separate attachment and may be as simple as a text file or as detailed as a "bare bones" presentation. The better your outline then the better we are able to best review your presentation against other submissions (and the higher chance you have of being accepted). SUBMISSION NOTE: Presentations that are submitted without abstracts, outlines, or speaker bios (e.g., that have only PDFs, PPTs, or white papers attached or only point to a URL) will not be considered.

Supporting File(s):

Additional supporting materials such as code, white papers, proof of concept, etc. should be sent along with this email to cfp2018[at]wallofsheep[dot]com. Note that additional files that may help in the selection process should be included. We are not asking for a complete presentation for this initial submission. That will only be required if you are selected for presenting.

Terms and Conditions

By submitting you agree to the Terms and Conditions below. Please read and accept these terms by inserting your name in the appropriate area, otherwise your application will be considered incomplete and returned to you.

Grant of Copyright Use

I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication by DEF CON Communications, Inc. and Aries Security, LLC. and that I will promptly supply DEF CON Communications, Inc. and Aries Security, LLC. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give DEF CON Communications, Inc. and Aries Security, LLC. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes.

Terms of Speaking Requirements

1. I will submit a completed (and possibly updated) presentation and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission by noon PST, June 30th, 2018.

2. I will submit a final Abstract and Biography to the Wall of Sheep by noon PST, June 30th, 2018.

3. I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation.

4. I will complete my presentation within the time allocated to me - not running over the time allocation.

5. I understand that the Wall of Sheep will provide 1 LCD projector feed, 2 screens, and microphones. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation.

6. I understand that I will be responsible for my own hotel and travel expenses, and admissions to the DEF CON Conference.

Yes, I, (insert primary speaker name), have read and agree to the Grant of Copyright Use.

I, (insert your name here), have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.

In the case that a speaker is a child under the age of 13 years old: in compliance with the Children's Online Privacy Protection Act (COPPA) regulations, http://www.coppa.org, any child under age 13 must have parental consent for the collection, use, or disclosure of that child's personal information by a website. Parent/Guardian Consent: I (insert parent/guardian's name here) am the parent or guardian of the minor/s named above. I have read and understand and agree to the terms as detailed in the Agreement to Terms of Speaking Requirements.

Read more →

Text of the Opening Remarks / Introduction at the Speaker Workshops (DEF CON 25)

Good morning and welcome to the Packet Hacking Village at DEF CON 25 in Las Vegas, Nevada! We cannot thank you enough for your support and for your continuing support for all these years. The Wall of Sheepʼs mission is and has always been security awareness. This year, the Packet Hacking Village have a number of events and learning opportunities including the venerable Packet Detective and Capture The Packets. We have a fantastic slate of DJs to entertain and keep this village lively. Sheep City and Honeypots have returned this year.  We are also excited for something new this year: hands-on workshops as there is a tremendous demand for training and continuing education in this cyber security. We hope that you will take advantage of the many opportunities here at the Packet Hacking Village and ultimately at DEF CON to learn, to collaborate, and to be inspired.

And of course, here we are at the Speaker Workshops. This is a special year: this is the fifth anniversary of the Speaker Workshops at the Packet Hacking Village. We are going to kick it off right-off-the-bat with a very special keynote. Dan Geer said in his keynote at Black Hat 2014: "cyber security is now a riveting concern, a top issue in many venues more important than this one." Or as Matt Blaze said bluntly at The Eleventh HOPE: "we are in a national cybersecurity crisis." So what does this have to do with our keynote? There are many people now starting to study or entering the field of cyber security which is very welcoming to see. However, the body of knowledge is now too deep and intimidating to grasp and history is easily forgotten. So how did we get into the mess we are in now? In May of 1998, a group of hackers testified in front of a panel of US Senators. The hacker group was L0pht. One of the members of L0pht who testified was Weld Pond, Chris Wysopal. L0pht warned that the Internet, software, and hardware are not safe and security is an afterthought. Their warning was a disaster foretold and tragically ignored (please read the stellar Washington Post article "A Disaster Foretold --And Ignored"). Their warning and efforts also paved way for many of our careers and lifestyles in this field, and why most of us are here today at DEF CON. It is my fantastic honor to introduce you all to Chris Wysopal.

Read more →

Super Secret DEF CON 25 MAP - How to get to the Packet Hacking Village - SHHHHH!!!

Secret Map - How to get to the Packet Hacking Village
Read more →

New Batch of Accepted Speakers and Our Schedule at DEF CON 25 Now Available

Read more →

Speaker Workshops at DEF CON 25 Call for Presentations Now Open

The Wall of Sheep would like to announce a call for presentations at DEF CON 25 at the Caesars Palace in Las Vegas, NV from Thursday, July 27th to Sunday, July 30th. This will be the 5th anniversary of our Speaker Workshops.

Read more →

Packet Hacking Village Equipment Check for DEF CON 24

[Written by @donds.  Originally posted at http://hackvault.blogspot.com/2016/07/phv-equipment-check.html.]

They say not to bring any electronic devices at DEFCON!? .... what's the fun in that? Well, your mother also said not to get in a strange car with a stranger... UBER, anyone?

It’s time to prep your gear for the Packet Hacking Village (PHV) at DEFCON 24. Although, the PHV staff will have some gear for you to use, I highly recommend to bring your own "FOR DEFCON USE ONLY" gear. 

For the Wall of Sheep and WiFi Sheep Hunt you'll need a laptop with wired and wireless sniffing capabilities.  I spent about $200 for a used laptop from eBay. Also invested on an Alpha wireless USB card from Amazon. Load Kali on the laptop and you're basically good to go. Most tools you'll need are already included in Kali.  The PHV staff can help you refine your setup and config depending on what event you want to try out.

For Sheep City, you can use the same laptop you plan to use for WoS and WIFISH.  But it will require a bit more creativity and possibly a visit to the vendor area or Fry's.  Prep for Bluetooth, ZigBee, IrDa, RF...etc. Be ready for anything.

Packet Detective runs like a classroom format. IMHO, this is a "MUST DO" event at PHV. PHV will have laptops setup for PD Agent trainees to use... Yes, you don't have to bring your own laptop to participate.  This is a very popular event and laptops are limited. Sign up early.

WiFi Sheep Hunt will also have a sign-up sheet for the FoxHunt gear. You can use your own equipment to join the FoxHunt and code breaking fun.  There will also be a couple of laptops for players to use, but only for limited time slots. 

Capture the Packet has produced Black Badge winners at DEFCON. If you're just prepping now, you're already behind... you get my drift.

If you're asking which one to do first, I'd say do it all! But if it's your first ever visit at PHV, here's the order of events I'd suggest..

1. Packet Detective
2. Wall of Sheep
3. WiFi Sheep Hunt
4. Sheep City
5. Capture The Packet

Our DEF CON 24 schedule is available at https://www.wallofsheep.com/pages/dc24

Read more →