The Packet Hacking Village will be on the 26th floor of Bally's Indigo Tower.

Speaker Workshops Schedule

  Friday, August 5th Saturday, August 6th Sunday, August 7th
10:10 Opening Ceremony To Catch An APT: YARA Jay DiMartino CLOSED
11:10 Presenting Security Metrics to the Board / Leadership
Walt Williams
How to Find 1,352 WordPress XSS Plugin Vulnerabilities in 1 Hour (not really)
Larry Cashdollar
Building a Local Passive DNS Tool for Threat Intelligence Research
Kathy Wang
12:10 Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection
Omer Zohar
HTTP/2 & QUIC: Teaching Good Protocols To Do Bad Things
Catherine (Kate) Pearce, Carl Vincent
LTE and Its Collective Insecurity
Chuck McAuley and Chris Moore
13:10 Adding Ramparts to Your Bastille: An Introduction to SELinux Hardening
Jay Beale
Now You See Me, Now You Don't
Joey Muniz and Aamir Lakhani
Incident Code Name: When SkyFalls A Shaken, Not Stirred, James Bond Tale on Incident Response
14:10 You Are Being Manipulated
Attacks on Enterprise Social Media
Mike Raggo
Closing Ceremony
15:10 Connections: Eisenhower and the Internet
Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)
Rod Soto and Joseph Zadeh
16:10 Automated Dorking for Fun and Profit^WSalary
Filip Reesalu
Fuzzing For Humans: Real Fuzzing in the Real World
Joshua Pereyda
17:10 Verifying IPS Coverage Claims: Here's How
Garett Montgomery
Mining VirusTotal for Operational Data and Applying a Quality Control On It
Gita Ziabari
18:10 Crawling for APIs
Ryan Mitchell
Fiddler on the Roof: A No-Nonsense Look at Fiddler and Its Usage
Morgan "Indrora" Gangwere

DJ Schedule

  Friday, August 5th Saturday, August 6th Sunday, August 7th
10:00 CLOSED Deep Therapy CLOSED
11:00 phreakocious Bc3 kampf
12:00 AliKat tense future VNA
13:00 djdead phreakocious yurk
14:00 tense future %27 Closing Ceremony
15:00 TK Moon In Gemini
16:00 Moon In Gemini TK CLOSED
17:00 %27 yurk CLOSED
18:00 VNA phreakocious CLOSED

Speaker Workshops Abstracts and Bios

Adding Ramparts to Your Bastille: An Introduction to SELinux Hardening

Jay Beale, CTO, COO at InGuardians, Inc.

Has your first action when acquiring a Red Hat system been to deactivate SELinux? In this fast-paced talk, you'll learn how to investigate and understand an SELinux-enabled system, and how to configure it. You'll learn how to build a policy for a new program and modify one for an existing. Finally, you'll learn about the boolean on-off switches built into the system that keep you from having to modify policies at all. If you want a speedy challenge, bring a CentOS 7 system with the packages listed on installed.

Jay Beale (Twitter: @jaybeale) has created several security tools, including Bastille Linux/UNIX and the CIS Linux Scoring Tool, both of which have been used throughout industry and government. He has served as an invited speaker, program chair and trainer at many industry and government conferences, a columnist for Information Security Magazine, SecurityPortal and SecurityFocus, and a contributor to nine books, including those in his Open Source Security Series and the ‘Stealing the Network' series. Jay is a founder and the CTO of the information security consulting company InGuardians. He has taught Linux hardening classes since the year 2001, when he got his start at Black Hat.

Attacks on Enterprise Social Media

Mike Raggo, Chief Research Scientist at ZeroFOX

Current threat vectors show targeted attacks on social media accounts owned by enterprises and their employees. Most organizations lack a defense-in-depth strategy to address the evolving social media threat landscape. The attacks are outside their network, commonly occur through their employee's personal accounts, and circumvent existing detection technologies. In this presentation we'll explore the taxonomy of social media impersonation attacks, phishing scams, information leakage, espionage, and more. We'll then provide a method to categorize these threats and develop a methodology to adapting existing incident response processes to encompass social media threats for your organization.

Michael T. Raggo (Twitter: @MikeRaggo) has over 20 years of security research experience. Michael is the author of “Mobile Data Loss: Threats & Countermeasures" and “Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols" for Syngress Books, and contributing author for “Information Security the Complete Reference 2nd Edition". A former security trainer, Michael has briefed international defense agencies including the FBI and Pentagon, is a participating member of FSISAC/BITS, and is a frequent presenter at security conferences, including Black Hat, DEF CON, Gartner, RSA, DoD Cyber Crime, OWASP, HackCon, and SANS.

Automated Dorking for Fun and Profit^WSalary

Filip Reesalu, Security Researcher at Recorded Future

A dork is a specialized search engine query which reveals unintentional data leaks and vulnerable server configurations. In order to catalogue vulnerable hosts with minimal manual intervention we're now introducing an open-source framework for grabbing newly published dorks from various sources and continuously executing them in order to establish a database of exposed hosts. A similar project (SearchDiggity, closed source, Windows only) had its latest release in 2013 and the latest blog post was published in 2014.

Filip Reesalu (Twitter: @p1dgeon) is a Security Researcher at Recorded Future. He joined the Threat Intelligence team after switching over from a data scientist role and is now responsible for analyzing malware samples and traffic as well as creating tools that benefit the community at large.

Building a Local Passive DNS Tool for Threat Intelligence Research

Kathy Wang, Security Strategist and Researcher at Splunk, Inc.

Currently, many Security Operations capabilities struggle with obtaining useful passive DNS data post breach. Breaches are often detected months after the attack. Due to the ephemeral nature of malicious DNS domains, existing well-known passive DNS collections lack complete visibility to aid in conducting incident response and malware forensics. We will present a new tool to collect local passive DNS data, which will enable security operations capabilities to conduct more effective defense against malware, including APTs, zero days, and targeted attacks. Our presentation will consist of a demo of the tool, and the tool will be released for public use.

Kathy Wang (Twitter: @wangkathy) Kathy Wang is an internationally-recognized malware expert, who has researched, developed, evaluated, and operationalized various solutions for detecting and preventing client-side attacks used by advanced persistent threats (APT), as they target common platforms (e.g., browser, email, mobile phones). Prior to Splunk, Kathy has held past positions such as Director of Research and Development at ManTech International, and Principal Investigator of the Honeyclient Project at The MITRE Corporation, during which she pioneered a prototype that became the basis of current cutting-edge zero-day malware detection technologies. Kathy has spoken at many security conferences and panels internationally, including RSA, DEF CON, AusCERT, and REcon. She has co-authored a book, Beautiful Security, and holds a BS and MS in Electrical Engineering from The University of Michigan, Ann Arbor.

Connections: Eisenhower and the Internet

Damon "Chef" Small, Technical Project Manager at NCC Group

"Rise of the Machines" conjures thoughts of the evolution of technology from the exclusive domain of computer scientists in the early days of our industry to including everyday people using - and often wearing - Internet-connected devices. With that theme in mind, the speaker researches the history of one large, government-funded infrastructure and compares it to another. Specifically, the Eisenhower Interstate System and the Internet. "Connections: Eisenhower and the Internet" explores what the logistical challenges of moving vehicles across the Country can teach us about cybersecurity. Although these two topics seem unrelated, the speaker will take the audience on a journey that begins with early 20th century road-building projects, travels through ARPANET and the commercialization of the Internet, and arrives at current-day cyberspace. These two massive infrastructures have changed the world, and there are important lessons that the former can teach about the latter. The presentation concludes with predictions about the future of the the Information Superhighway and how information security professionals can prepare.

Chef (Twitter: @damonsmall) earned his handle from his use of cooking metaphors to describe infosec concepts to laypeople. He began his career studying music at Louisiana State University and took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Chef began focusing on cyber security. This has remained his passion, and over the past 16 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Chef completed the Master of Science in Information Assurance degree from Norwich University in 2005. His role as Technical Project Manager at NCC Group includes working closely with consultants and clients in delivering complex security assessments that meet varied business requirements. Recent speaking engagements include DEFCON 23, BSides Austin, BSides San Antonio, HouSecCon, and ISSA Houston.

Crawling for APIs

Ryan Mitchell, Senior Software Engineer at HedgeServ

As client machines become more powerful and JavaScript becomes more ubiquitous, servers are increasingly serving up code for browsers to execute, rather than the display-ready pages of the past. This changes the face of web scraping dramatically, as simply wget'ing and parsing the response from a URL becomes useless without executing bulky JavaScript with third party plugins, reading through code logic manually, and/or digging through piles of browser junk.

However, moving page logic client side can also create data vulnerabilities, as companies leave internal APIs exposed to the world, in order for their client side code to make use of them. I'll show some examples of this practice on traditionally "impossible to scrape" pages, and also some tools I've developed to crawl domains and discover and document these hidden APIs in an automated way. While many bot prevention measures focus on traditional page scraping and site manipulation, scripts that crawl sites through API calls, rather than in a "human like" way through URLs, may present unique security challenges that modern web development practices do not sufficiently address.

Ryan Mitchell (Twitter: @kludgist)

Deceive and Succeed: Measuring the Efficiency of a Deception Eco-System in Post-Breach Detection

Omer Zohar, Head of Research at TopSpin Security

Today's networks are undergoing all sorts of sinister attacks from numerous sources and for myriad reasons. Security at the perimeter is inadequate for thwarting today's highly intelligent attacks as hackers routinely breach the perimeter and gain entry. It isn't long before the network is compromised and critical information is stolen. We must now assume that, despite significant investments in prevention, breaches are going to happen. An additional approach is required. Security teams must go on the offensive, creating a web of non-stop, real-time detection operations using multiple vectors against an ever-changing landscape of cyber threats. Deception technology now plays a critical role. Used as a strategy for many centuries in actual warfare, the concept of deception is becoming a significant weapon in network-protection schemes. Deception technology doesn't rely on known attack patterns and monitoring. Instead, it employs very advanced luring techniques to entice attackers away from valuable company assets and into pre-set traps, thus revealing their presence. It is able to detect threats in real time without relying on any signatures, heuristics or complex behavioral patterns. But how effective is a deception strategy in detecting breaches? What method works best? How does it integrate with current security operations already in place?

In this talk we will present findings from a first ever research which measured the efficiency of proactive deception using mini-traps and decoys in real-life threat scenarios. We have reconstructed a real enterprise environment complete with endpoints, servers, network traffic and data repositories as well as security tools such as IDS, firewall, SIEM etc. The deception layer was then integrated into the environment in 2 steps: (a) by placing decoys in the network and (b) by placing mini-traps on the assets which point to the decoys, set false credentials, trigger silent alarms and more. We then evaluated the effectiveness of the mini-traps and decoys against both automated, machine-based attacks as well as against sophisticated human attacks: The first stage involved checking the behavior of a variety of malware families against the environment and measuring the deception layer's success in detecting their activity. For the second phase, we invited red-team professionals and white hat hackers to employ real techniques and advanced tools with the task of moving laterally in the environment and exfiltrate high value data.

Omer Zohar has over a decade of experience as a developer and researcher in the data security market. As head of Research for TopSpin Security he is responsible for the research of malware and post-breach detection methods and for defining advanced detection schemes.

Dynamic Population Discovery for Lateral Movement Detection (Using Machine Learning)

Rod Soto, Senior Security and Researcher at Splunk UBA
Joseph Zadeh, Senior Security Data Scientist at Splunk UBA

The focus of this presentation is to describe ways to automate the discovery of different asset classes and behavioral profiles within an enterprise network. We will describe data driven techniques to derive fingerprints for specific types of individual and subgroup behaviors. The goal of these methods is to add context to communications taking place within an enterprise as well as being able to identify when certain asset profiles change there behavioral fingerprint in such a way as to indicate compromise. The type of profiles we want to discover can be tied to human behavior (User Fingerprinting) or particular asset classes like WebServers or Databases (Hardware/Software Fingerprinting). Finally enriching these profiles with a small amount of network context lets us break down the behaviors across different parts of the network topology.

These techniques become important when we want to passively monitor for certain attacks against server hardware even without visibility into the local logs running on the server. For example we will cover the automated discovery and enrichment of DMZ assets and how we use these techniques to profile when a server has been planted with a Webshell or when an asset has been used to covertly exfil data. The methods we propose should be generic to apply to a wide variety of any kind of Layer 4/ Layer 7 traffic or just PCAP data alone.

Rod Soto (Twitter: @rodsoto) has over 15 years of experience in information technology and security. Currently working as a Security Researcher at Splunk User Behavioral Analytics. He has spoken at ISSA, ISC2, OWASP, DEF CON, Hackmiami, Bsides and also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 Black Hat Las Vegas CTF competition and is the founder and lead developer of the Kommand & KonTroll competitive hacking Tournament series.

Joseph Zadeh (Twitter: @josephzadeh) studied mathematics in college and received a BS from University California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operation Center focused on security and network performance baselines and during that time he spoke at DEF CON and Torcon security conferences. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal helping focused on Cyber Security analytics and also part of Kaiser Permanente's first Cyber Security R&D team.

Fiddler on the Roof: A No-Nonsense Look at Fiddler and Its Usage

Morgan "Indrora" Gangwere

Fiddler lives in the same family as mitmproxy, Burp, and other "man in the middle" tools. Topics covered in this talk include: scripting the Fiddler proxy, making arbitrary requests, redirection and attacking Windows 8 and UAP applications.

Morgan "Indrora" Gangwere (Twitter: @indrora) is a student at the University of New Mexico. He breaks things for fun when not studying.

Fuzzing For Humans: Real Fuzzing in the Real World

Joshua Pereyda

Fuzzing tools are frequently seen in big-name conferences, attached to big-name hacks and big-name hackers. Fuzzers are an incredibly useful offensive tool, and equally critical for a defensive player. But anyone who has tried to use these big-name fuzzers to secure their own software has seen how ineffective they can be. The fuzzing world is plagued with over-hyped and under-developed fuzzers that will suck the life out of anyone who dares try to sort through their waterlogged codebase. Meanwhile, commercial players stand by ready to support big businesses, but not open source. Commercial fuzzers may be good business, and their existence is a boon for the industry, but they are not sufficient for widespread security. They keep the power of fuzzing locked up for those willing to pay big bucks. And the closed source nature stamps out community, leaving each business to develop their own practices. In this talk, Joshua will provide a practical perspective on fuzzing, explore the hurdles confronting current open source tools and pave a path forward. Attendees will also receive an introduction to DIY fuzzers using modern frameworks.

Joshua Pereyda (Twitter: @jtpereyda) is a software engineer specializing in information and network security. He currently works in the critical infrastructure industry with employers heavily invested in software and hardware security. Among his passions are hacking, teaching kids to program, Netflix with his wife, and figuring out how he can get paid to do it all --legally.

Joshua is the maintainer of boofuzz, a fork of the renowned Sulley fuzzing framework. He has a hole in his heart to pour into the open source hacking community.

HTTP/2 & QUIC - Teaching Good Protocols To Do Bad Things

Catherine (Kate) Pearce, Senior Security Consultant at Cisco Security Services
Vyrus, Senior Security Consultant at Cisco Security Services

The meteoric rise of SPDY, HTTP/2, and QUIC has gone largely unremarked upon by most of the security field. QUIC is an application-layer UDP-based protocol that multiplexes connections between endpoints at the application level, rather than the kernel level. HTTP/2 (H2) is a successor to SPDY, and multiplexes different HTTP streams within a single connection. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites. Whether you multiplex out across connections with QUIC, or multiplex into fewer connections with HTTP/2, the world has changed. We have a strong sensation of Déjà vu with this work and our 2014 Black Hat USA MPTCP research. We find ourselves discussing a similar situation in new protocols with technology stacks evolving faster than ever before, and Network Security is largely unaware of the peril already upon it. This talk briefly introduces QUIC and HTTP/2, covers multiplexing attacks beyond MPTCP, discusses how you can use these techniques over QUIC and within HTTP/2, and discusses how to make sense of and defend against H2/QUIC traffic on your network. We will also demonstrate, and release, some tools with these techniques incorporated.

Catherine (Kate) Pearce (Twitter: @secvalve) is a Senior Security Consultant for Cisco, who is based in Wellington, New Zealand. Formerly a Security Consultant for Neohapsis in the USA, she has engaged with a widespread and varied range of clients to assist them in understanding their current security state, adding resilience into their systems and processes, and managing their ongoing security risk. Day-to-day she undertakes a mix of advising clients around their security, client-focused security assessments (such as penetration tests), and security research. She has spoken at her work at many security conferences, including Black Hat USA, Source Boston, Nolacon, Kiwicon, ACSC and several others. While she has recently presented on Network Security, her true loves are application security enablement, complex systems security, and cross-discipline security analogues.

Carl Vincent (Twitter: @vyrus001) is a Customer Solutions Consultant for the recently consolidated Cisco Security Solutions group, where he performs a variety of security assessment types. As an information security professional, as well as personal hobbyist, his passion is to continually research ever increasingly elaborate methods of elegantly executed hypothetical crime. He also practices personal information warfare, and most of his biographic details online are somewhat exaggerated.

How to Find 1,352 WordPress XSS Plugin Vulnerabilities in 1 Hour (not really)

Larry W. Cashdollar, Senior Security Intelligence Response Team Engineer at Akamai Technologies.

I'll discuss my methodology in attempting to download all 50,000 WordPress plugins, automated vulnerability discovery, automated proof of concept creation and automated proof of concept verification. I'll go into where I went wrong, what I'd change and where I succeeded.

Larry W. Cashdollar (Twitter: @_larry0) has been working in the security field and finding vulnerabilities for over 15 years. With over 100 CVEs to his name, he is a known researcher in the field. You can see many of the disclosed vulnerabilities at He is a member of the SIRT at Akamai Technologies.

Incident Code Name: When SkyFalls A Shaken, Not Stirred, James Bond Tale on Incident Response

Plug, Security Operations and DFIR at Verizon Digital Media Services

The headlines shout the latest exploits of rogue actors and nation states. The hunters, cloaked in anonymity, strike without warning, devouring Intellectual Property and destroying corporate reputations. Potential victims cower in Fear, Uncertainty and Doubt, hoping they can hide in plain view. But can we learn from the hunters strategies to mount an effective defense? In this talk we'll take a look at events that took place on the James Bond film Skyfall. We will look at the film from the Incident Response point of view, and analyze the events and actions that took place in the film with comparisons of real life examples. Finally, we'll create a profile of the "evil" characters in the film along with James Bond and the team behind him at MI6. What team member would you be? Q, the weapons geek? Moneypenny, sidekick and junior field agent? M, the shrewd manager? Or James Bond, the tip of the spear, utilizing multiple strategies and tools to defeat his opponents.

Plug (Twitter: @plugxor) is currently a Senior Security Analyst at Verizon Digital Media Services (EdgeCast Networks). He started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually that lead him to his first LA2600 meeting in 1998. From that point forward he has been involved in computer security. With over 16 years of IT experience, he has worked as Systems Administrator, Security Analyst and Security Engineer in the Finance and Telecom sector. In his free time he enjoys building Legos, playing with synthesizers and modular systems, when possible he volunteers his time to computer security events.

LTE and Its Collective Insecurity

Chuck McAuley, Security Researcher at Ixia Communications
Chris Moore, Engineer at Ixia Communications

The world of LTE is enshrouded in acronym soup, mystery, and technical documents that implement security by obscurity. In this talk, we will shed light on the magic that is the evolved packet core, otherwise known as the EPC. The EPC is the packet routing engine that connects the tower to the Internet. We will discuss the network communication protocols, core infrastructure elements, and basic architecture of this system. In closing, we will disclose successful crashes and kills that we have had in this network and discuss the potential for large scale communication disruption.

Chuck McAuley is a Principal Security Researcher at Ixia Communications. For the last ten years Chuck has been doing performance and security testing of inline networking devices. If it passes packets and does deep packet inspection, he's probably tested it. In his spare time he stares at Wireshark trying to decipher the tea leaves.

Chris Moore is an SE Dev Manager for a network test company. He was an SE for around a decade before this breaking, dissecting, and exposing every sort of network box under the guise of performance and security testing.

Mining VirusTotal for Operational Data and Applying a Quality Control On It

Gita Ziabari, Senior Threat Research Engineer at Fidelis Cybersecurity

More than one million samples are being submitted and analyzed by more than 50 AV engines in VirusTotal on daily basis. Factors such as filtering, scaling the detected engines, scaling the categories in network data, scaling the HTTP responses are being used in conjunction of an algorithm for constructing an operational data. The filtered data are being clustered based on their malware type with indication of their malware names. The obtained data is also being evaluated by another algorithm for removing the aged and less scaled data on daily basis. The used APIs, algorithms and source code will be presented to the audiences. The tool could be downloaded for immediate use.

Gita Ziabari (Twitter: @gitaziabri) is working at Fidelis Cybersecurity as a Senior Threat Research Engineer. She has more than 12 years of experience in threat research, networking, testing and building automated frameworks.

Now You See Me, Now You Don't

Joseph Muniz, Architect and Researcher at Cisco
Aamir Lakahni, Senior Security Researcher at Fortinet

Many people leave behind bread crumbs of their personal life on social media, within systems they access daily, and on other digital sources. Your computer, your smartphone, your pictures and credit reports all create a information rich profile about you. This talk will discuss all the different threats that leak your information and how attackers can use open source intelligence to find you. We will discuss techniques used by law enforcement and private investigators to track individuals. Learn how you can protect your online footprint, reduce your digital trail, and securing your privacy.

Joseph Muniz (Twitter: @SecureBlogger) is a architect at Cisco Systems and researcher. He has extensive experience in designing security solutions for the top Fortune 500 corporations and US Government. Joseph's current role gives him visibility into the latest trends in cyber security both from leading vendors and customers. Joseph runs The Security Blogger website, a popular resource for security and product implementation. He is the author and contributor of several publications including a recent Cisco Press book focused on security operations centers (SOC).

Aamir Lakhani (Twitter: @aamirlakhani)

Presenting Security Metrics to the Board / Leadership

Walt Williams

The board of directors and corporate leadership is not interested in how many attacks your firewall has blocked, and frankly, that is not a metric, that is a measure. Difference between metrics and measurements, how metrics are constructed, and the kinds of metrics the board of directors are interested in will be discussed. In other words, how to identify how to align security metrics with business goals and objectives. The use of frameworks such as ISO 27004 to construct metrics, the pragmatic framework and its uses will also be discussed.

Walt Williams (Twitter: @LESecurity) CISSP, SSCP, CPT has served as an infrastructure and security architect at firms as diverse as GTE Internetworking, State Street Corp, Teradyne, The Commerce Group, and EMC. He has since moved to security management, where he now manages security at Lattice Engines. He is an outspoken proponent of design before build, an advocate of frameworks and standards, and has spoken at Security B-Sides on risk management as the cornerstone of a security architecture. He maintains a blog on security metrics and has presented to boards of three different organizations in diverse industries.

To Catch An APT: YARA

Jay DiMartino. Senior Cyber Threat Researcher at at Fidelis Cybersecurity

Go from hunted to hunter using your hands. It's time to reclaim your networks and start hunting for big game APT armed with the pattern matching Swiss knife called YARA. Learn how to author YARA rule signatures with techniques used by malware researchers to mercilessly hunt down the elusive adversary of advanced threat actors, and discover patterns in their code. We will review a real world case example using the components from PlugX APT malware to explain writing beginner to advanced YARA rules. Those who are already familiar with YARA can still come to improve their rule signature writing skills by learning how to catch different malware family variants, all the while keeping false positives to a minimum.

Jay DiMartino is a Senior Threat Researcher for Fidelis Cybersecurity. He enjoys being a malware defender and has been doing Malware Reverse Engineering for over 5 years, with several industry certifications.

Verifying IPS Coverage Claims: Here's How

Garett Montgomery, Security Team Lead: Application and Threat Intelligence Research Center (ATIRC) at Ixia

IPS devices are now an accepted, integral part of a defense-in-depth InfoSec strategy; by strategically positioning them on the network, attacks can be blocked before they ever reach their intended targets. But with the explosion of public exploits, polymorphic malware and an ever-increasing attack surface, how can IPS devices keep up? They all seem to have heuristic detection capabilities, which are supposed to protect you from unknown exploits, and frequent updates to protect against known vulnerabilities. But just how effective are those defenses? Sure, you can check out the Gartner magic quadrant or pay for the latest NSS Test report. Just because an IPS claims to protect you from a vulnerability doesn'tmean thats the case. In this talk, I'll talk about some of the strengths and weakness of IPS devices, as well entire classes of exploits that cause serious problems for IPS devices. While I happen to work for a company sells a very expensive device for testing IPS devices (which is where the data and my opinions come from), I plan to focus on how the same testing methodologies can be applied and the results can be duplicated using open-source tools.

Garett Montgomery (Twitter: @garett_monty) is Security Team Lead at Ixia's ATI Research Center, where the primary focus is on simulating attacker behaviors in order to provide realistic test scenarios for network-based protection devices. He has been simulating network-based attacks for BreakingPoint/Ixia for the last 4 years. Prior to joining BreakingPoint in 2012 he spent 2 years as a Research Engineer at TippingPoint/HP Enterprise Security. Before TippingPoint, he spent 9 years in the Navy, with last 3+ as a Security Analyst for the Naval Postgraduate School in Monterey, CA. He holds a Masters Degree in Information Assurance, as well as an active CISSP certifications (multiple others having long since lapsed).

You Are Being Manipulated

GrayRaven, Senior Software Engineer at Cisco Systems

You are being manipulated. There is constant pressure coming from companies, people, and attackers. Millions are spent researching and studying your weaknesses. The attack vectors are subtle. Most times we don't realize that manipulation has occurred until it is too late. Fear not, we can harden our defenses. We can put safeguards in place to help avoid being the victim. For me, the answer came from an unlikely source: my daughter. Small children are fantastic. Society has not yet influenced their development; therefore, children are relentless in pursuing their aims. Since they are naive to right and wrong, they will use any tool available to get their goal. How does this help? My daughter became my trainer, and this talk discusses how interacting with her has improved my defenses. Comparing her strategies to real world examples will show how to build a training framework of your own. Access to small children is not needed.

GrayRaven (Twitter: @_grayraven_) is a senior software engineer at Cisco Systems. He has been fascinated with manipulation since his childhood. Despite receiving a degree in psychology, he spent 18 years as a professional in the Information Technology space. GrayRaven spent the first seven years of his career as a system and network administrator before moving to the dark art of programming. Two years ago he stopped dabbling and tumbled down the security rabbit hole. This journey makes him believe that he is finally using his degree professionally. During his downtime, GrayRaven can be found practicing martial arts, brewing beer and mead, or writing.

DJ Bios

phreakocious (@phreakocious,,

Inspired by experiences at Detroit raves and private parties in the early 90s, phreakocious bought a pair of 1200s in Y2K and has shaken booties with the finest in funky techno, house, and breaks ever since. WoSDJCo founder and official beatkeeper for Wall of Sheep and Packet Hacking Village.

YURK (@yurkmeister,

Some mysteries are not meant to be solved...

DJ %27 (@djpercent27,

DJing since the 80s, Performed at chill out and pool at DEFCON XX, XXI. DEFCON XXIII.

AliKat (@djalikat_,

DJ AliKat was born under the rainy lights of Vancouver's nightlife with a pawful of skills that were passed down to her from some high profile mentors on the scene. A champion in the lost art of crate digging, AliKat's passion for music is rooted in a history of endlessly searching for those hidden vinyl gems that taught her the art of mixing, scratching and working the room. She's brought her process with her into the digital world, putting in the hours searching for those Internet gems that'll light up the dance floor.

Bc3 (,

Chicago Based Computer Nerd turned DJ - Propagating as much positive energy as I can in whatever ways possible; music included. Connect at

djdead (@djdead,

Station manager and DJ for / since 2000. tormented radio is one of the top international streaming industrial / dark electronic stations going on 14 years. DJ'd for DEF CON 19 Black & White Ball and the following artists in concert: Combichrist, Clan of Xymox, the Crxxshadows, System Syn, Provision. Remixes and production for electronic bands, Provision and Asmodeus X. Ex-resident DJ @ Underworld (a goth/industrial themed night at the infamous Numbers Nightclub in Houston, TX). Also, I'm a recently graduated mathematician (2010) and veteran UNIX Systems Administrator!

Deep Therapy (@therapy_life,,

Based out of South Florida (Miami, Ft. Lauderdale, and West Palm Beach) The duo began hosting and DJ'n their own college radio shows. Constantly achieving new heights of dancefloor energy and pushing the boundaries of convention, Deep Therapy is recognized as one of South Florida's essential DJ's. Deep Therapy has been featured on Sirius XM radio in Ultra Music Festival Radio, opening up for Infected Mushroom as well as performing at Ultra Music Festival Miami two years in a row and holds a residency at Club Space in Miami in the Technoloft.

kampf (@nerd_show,

With over a decade of experience as a college radio DJ at KWCR on Nerd Show, kampf has waded long and deep through the muddied waters of electronic music, casting his rod time and again to obtain, then share the eclectic, the compelling, the sounds off the beaten path and those lesser know varieties or species. Resident DJ for the DEF CON Chillout Lounge and for DEF CON Radio on Spinning vinyl for WoS/Packet Hacking Village since DEF CON 20!

Moon in Gemini (,

Michael Walsh is a DJ and music producer who builds dance floor momentum by way of house, acid, and electro sounds aimed at the future. As a catalyst for electronic music's growth, he has been involved in record stores, labels, events, and educational outlets for over two decades. Walsh has been releasing released his first 12", Before When It Was New, with LA imprint Plastic Love in 2014 and has another release scheduled with the label for 2016. Walsh was also the co-founder of the Ritual Recordings house imprint in Boston, has curated music for corporate clients such as Puma and Betsy Johnson, and currently writes for Ableton and Dubspot.

tense future (damagedaniel,

It goes largely unnoticed, but most people spend a majority of their waking hours pondering, planning, stressing about what may come... it's been this way forever. Gathering, searching, learning, negotiating... Every action we take is an attempt to make the next one less labored. Tense Future is the result of this recursive internal monologue inside the mind of Daniel Samarin, who can only find relief from the neural thrashing in the regular beat of synthesized percussion.

TK (

Hailing from Austin with a smooth mixing style incorporating various facets of dance music, TK's primary focus has been house. Wrecking the decks since 2001 with funky, jazzy, groovy, techy, get up and go music heavily influenced by producers such as Derrick Carter, Inland Knights and DJ Dan. At the height of the funky house movement he has been told by fans, "I started listening to funky house because of you." TK's roots are grounded in the Houston underground house scene and venues like the Underground Lounge, Lotus Lounge, Clarks and Deans, as well as Karma Lounge, Bambu Lounge and Red Eyed Fly in Austin. Pumped to be back for DEF CON 23 alongside VNA, pheakocious, yurk and all the others. Hack all the things!


VNA has been spinning in the Houston area since the turn of the century. His flexible musical palette encompasses blends of prog, tech, funky house, electro, occasionally some cut-and-scratch breaks. This DJ's mission is to keep the night going by infusing his eclectic style into the sounds he pumps into the crowd. VNA has spun at various clubs in the Houston area, the longest of which being Revolve @ Numbers, and also frequently guested many other residencies of his assorted crewmates in the Texas scene. Classically a vinyl DJ and member of the legendary Traffic Crew, he stays true to his origins. VNA is super glad to be back again for another DEF CON.