DEF CON 25

The Packet Hacking Village will be located in TBD at Caesars Palace.

Speaker Workshops Schedule

Friday, July 28th Saturday, July 29th Sunday, July 30th
10:10 Opening Ceremony / How Hackers Changed The Security Industry
Chris Wysopal
CLOSED
11:10
12:10
13:10
14:10 Closing Ceremony
15:10
16:10 CLOSED
17:10 CLOSED
18:10 CLOSED

Speaker Workshops Abstracts and Bios

The Black Art of Wireless Post-Exploitation: Bypassing Port-Based Access Controls Using Indirect Wireless Pivots

Gabriel Ryan, Security Engineer at Gotham Digital Science

Most forms of WPA2-EAP have been broken for nearly a decade. EAP-TTLS and EAP-PEAP have long been susceptible to evil twin attacks, yet most enterprise organizations still rely on these technologies to secure their wireless infrastructure. The reason for this is that the secure alternative, EAP-TLS, is notoriously arduous to implement. To compensate for the weak perimeter security provided by EAP-TTLS and EAP-PEAP, many organizations use port based NAC appliances to prevent attackers from pivoting further into the network after the wireless has been breached. This solution is thought to provide an acceptable balance between security and accessibility.

The problem with this approach is that it assumes that EAP is exclusively a perimeter defense mechanism. In a wireless network, EAP actually plays a subtle and far more important role. WPA2-EAP is the means through which the integrity of a wireless network’s physical layer is protected. Port-based access control mechanisms rely on the assumption that the physical layer can be trusted. Just as NACs can be bypassed on a wired network if the attacker has physical access to the switch, they can also be bypassed in a wireless environment if the attacker can control the physical layer using rogue access point attacks.

In this presentation, we will apply this concept by presenting a novel type of rogue access point attack that can be used to bypass port-based access control mechanisms in wireless networks. In doing so, we will challenge the assumption that reactive approaches to wireless security are an acceptable alternative to strong physical layer protections such as WPA2-EAP using EAP-TLS.

Gabriel Ryan (Twitter: @s0lst1c3) is a penetration tester and researcher with a passion for wireless and infrastructure testing. His career began as a systems programmer at Rutgers University, where he assessed, diagnosed, and resolved system and application issues for a user community of over 70,000 faculty, students, and staff. Gabriel then went on to work as a penetration tester and researcher for the Virginia-based defense contractor OGSystems. While at OGSystems, he worked as a lead engineer on the Mosquito project, a geospatial intelligence tool that leverages wireless technology to track potential threats. Gabriel currently works for the international security consulting firm Gotham Digital Science at their New York office, where he performs full scope red team penetration tests for a diverse range of clients. He also contributes heavily to his company’s research division, GDS Labs. Some of his most recent work includes a whitepaper on rogue access point detection, along with the popular tool Eaphammer, which is used for breaching WPA2-EAP networks. On the side, he serves as a member of the BSides Las Vegas senior staff, coordinating wireless security for the event. In his spare time, he enjoys live music, exploring the outdoors, and riding motorcycles.

Demystifying the OPM Breach: WTF Really Happened

Ron Taylor

In September 2016 the House Committee on oversight finally released their report. Four years after the original breach, we are still asking how the f*#! did this happen. This talk with go over the key findings of the report and the impact on those who were effected.

Ron Taylor (Twitter: @Gu5G0rman) has been in the Information Security field for almost 20 years. Ten of those years were spent in consulting where he gained experience in many areas. In 2008, he joined the Cisco Global Certification Team as an SME in Information Assurance . In 2012, he moved into a position with the Security Research & Operations group (PSIRT) where his focus was mostly on penetration testing of Cisco products and services. He was also involved in developing and presenting security training to internal development and test teams globally. Additionally, he provided consulting support to many product teams as an SME on product security testing. In his current role, he is a Consulting Systems Engineer specializing in Cisco's security product line. Certifications include GPEN, GWEB, GCIA, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP and MCSE. Ron is also a Cisco Security Blackbelt, SANS mentor, Co-Founder and President of the Raleigh BSides Security Conference, and member of the Packet Hacking Village team at DEF CON.

Fooling the Hound: Deceiving Domain Admin Hunters

Tom Sela, Head of Security Research at illusive networks

The conflict between cyber attackers and defenders is too often in favor of attackers. Recent results of graph theory research incorporated into red-team tools such as BloodHound, shift the balance even more dramatically towards attackers Any regular domain user can map an entire network and extract the precise path of lateral movements needed to obtain domain admin credentials or a foothold at any other high-value asset. Knowing the precise path needed to reach a target decreases the chances of an attacker making mistakes and being detected, putting defenders at a very clear disadvantage.

One traditional defensive approach is to make the ability to map the network more difficult by restricting access to information. However, such restrictions cannot be applied to all platforms, and even if they could be, it is not a trivial task in production environments.

In this talk, we present a new practical defensive approach: deceive the attackers. Since the time of Sun Tzu, deceptions have been used on the battlefield to win wars. In recent years, the ancient military tactic of deceptions has been adopted by the cyber-security community in the form of HoneyTokens. Cyber deceptions, such as fictitious high-privilege credentials, are used as bait to lure the attackers into a trap where they can be detected.

To shift the odds back in favor of the defenders, the same BloodHound graphs that are generated by attackers should be used by defenders to determine where and how to place bait with maximum effectiveness. In this way, we ensure that any shortest path to a high-value asset will include at least one deceptive node or edge. Effectively designed and placed bait would make it very difficult for the attacker to avoid detection, shifting the odds back in favor of defenders.

Tom Sela is Head of Security Research at illusive networks, specializing in Reverse Engineering, Malware Research, and OS internals. Prior to joining illusive, Tom lead the Malware Research team at Trusteer (acquired by IBM). Tom majored in Computer Science at Ben-Gurion University and studied at the Israeli Naval Academy, University of Haifa.

Fortune 100 InfoSec on a State Government Budget

Eric Capuano, SOC Manager at Texas Department of Public Safety

A common misconception is that it takes spending millions to be good at security. Our security team at Texas Department of Public Safety has proved this to be untrue. We run a full-fledged Security Operations Center and leverage some very proactive controls and incident response techniques while spending a fraction of what similar agencies are allocated.

This talk outlines many of the thought processes and "tricks" to doing security well, without breaking the bank. Some concepts include thinking critically about ROIs of existing equipment, not buying into every "shiny box", not being afraid to explore open source options, and where to spend your money for the highest ROI (people!).

This is not the typical "Problem, problem, problem...." talk.... This is a solution-based talk where I'll share SOLUTIONS to very real-world scenarios facing SOC teams everywhere.

Eric Capuano (Twitter: @eric_capuano) is an Information Security professional serving state and federal government as well as SMBs, start-ups and non-profits. Eric is also a member of the Packet Hacking Village team at DEF CON.

How Hackers Changed The Security Industry

Chris Wysopal, CTO and Co-Founder of Veracode

Before hackers got involved in cybersecurity the industry was focused on products and compliance. Security was security features: firewalls, authentication, encryption. Little thought was given to vulnerabilities that allowed the bypassing of those features. Gene Stafford famously said SSL between two PCs is like using an armored car to deliver money from one park bench to another. Hackers came along with the idea that you use offensive techniques to simulate how an attacker would discover vulnerabilities in a networks, a system, or an application. Offensive skills have been on the rise ever since and now the best way to secure something it to try and break it yourself before the attacker does.

This history will be told from a member of the hacker group The L0pht who lived the arc from the underground, to consumer advocates, to speaking at the U.S. Senate, to forming a 200 employee security consultancy, to schooling Microsoft and changing how people build software.

Attendees will learn why we need the kind of tools hackers build to secure our systems and why we need people who are taught to think like hackers, 'security champions', to be part of software development teams.

Chris Wysopal (Twitter: @WeldPond) Chris Wysopal is currently Veracode's CTO and co-founder. He is one of the original vulnerability researchers and an early member of L0pht Heavy Industries, which he joined in 1992. He is the author of netcat for Windows and one of the authors of L0phtCrack. He has testified on Capitol Hill in the US on the subjects of government computer security and how vulnerabilities are discovered in software. He published his first advisory in 1996 on parameter tampering in Lotus Domino and has been trying to help people not repeat this type of mistake for 15 years. He is also the author of "The Art of Software Security Testing" published by Addison-Wesley.

IP Spoofing

Marek Majkowski, Cloudflare

At Cloudflare we deal with DDoS attacks every day. Over the years we've gained a lot of experience in defending from all different kinds of threats. We have found that the largest attacks that cause the internet infrastructure to burn are only possible due to IP spoofing.

In this talk we'll discuss what we learned about the L3 (Layer 3 OSI stack) IP spoofing. We'll explain why L3 attacks are even possible in today's internet and what direct and reflected L3 attacks look like. We'll describe our attempts to trace the IP spoofing and why attack attribution is so hard. Our architecture allows us to perform most attack mitigations in software. We'll explain a couple of effective L3 mitigation techniques we've developed to stop our servers burning.

While L3 attacks are a real danger to the internet, they don't need to be. With a bit of cooperation and couple of technical tricks maybe we can fix the IP spoofing problem for all.

Marek Majkowski (Twitter: @majek04). After fruitful encounters with such diverse topics as high performance key value databases, distributed queueing systems, making real time web communication enjoyable, and accelerating the time so that testing servers and protocols takes seconds, Marek Majkowski finally settled for working on DDoS mitigation in the CloudFlare London office, where he appreciates most the parking space for his motorbike.

Layer 8 and Why People are the Most Important Security Tool

Damon Small, Technical Director, Security Consulting, NCC Group North America

People are the cause of many security problems, but people are also the most effective resource for combating them. Technology is critical, but without trained professionals, it is ineffective. In the context two case studies, the presenter will describe specific instances where human creativity and skill overcame technical deficiencies. The presenter believes this topic to be particularly relevant for the Packet Hacking Village, as many techniques used are the same that are pertinent for Capture the Packet and Packet Detective.

Technical details will include the specific tools used, screenshots of captured data, and analysis of the malware and the malicious user’s activity. The goal of the presentation is show the importance of technical ability and critical thinking, and to demonstrate that skilled people are the most important tool in an information security program.

Damon Small (Twitter: @damonsmall) began his career studying music at Louisiana State University. Pursuing the changing job market, he took advantage of computer skills learned in the LSU recording studio to become a systems administrator in the mid 1990s. Following the dotcom bust in the early 2000s, Small began focusing on cyber security. This has remained his passion, and over the past 17 years as a security professional he has supported infosec initiatives in the healthcare, defense, and oil and gas industries. In addition to his Bachelor of Arts in Music, Small completed the Master of Science in Information Assurance degree from Norwich University in 2005. As Technical Director for NCC Group, Small has a particular interest in research and business development in the Healthcare and Oil & Gas industries. His role also includes working closely with NCC consultants and clients in delivering complex security assessments that meet varied business requirements.