Speaker Workshops at DEF CON 21

Wall of Sheep Speaker Workshops 2013

Tools and techniques to succeed at the Wall of Sheep

Ming Chow, Wall of Sheep

Ming will give a brief history of the Wall of Sheep: how it has been a mainstay at DEF CON and how it has evolved over the years, from the peek-a-boo booth to Juice Jacking.

He will then show how to capture and analyze packets and show a number of the tools that are used by the shepherds at the Wall of Sheep.

At the end of the session, Ming will introduce Packet Detective, a new way for attendees to hone their newly learned skills. 

Attendees do not need to have any networking or security experience but are expected to bring their own laptops.

Ming Chow (@tufts_cs_mchow) Ming is a Lecturer at the Tufts University Department of Computer Science. His areas of work are in web and mobile engineering and web security. He teaches courses largely in the undergraduate curriculum including the second course in the major sequence, Web Programming, Music Apps on the iPad, and Introduction to Computer Security. He was also a web application developer for ten years at Harvard University. Ming has spoken at numerous organizations and conferences including the High Technology Crime Investigation Association - New England Chapter (HTCIA-NE), the Massachusetts Office of the Attorney General (AGO), John Hancock, OWASP, InfoSec World (2011 and 2012), DEF CON 19 (2011), the Design Automation Conference (2011), Intel, and the SOURCE Conference (Boston 2013). Ming's projects in information security include building numerous CTF challenges, Internet investigations, HTML5 and JavaScript security, and Android forensics.

Presentation: 2013_WOS_ToolsAndTechniques.pdf


SO HOpelessly Broken: The Implications of Pervasive Vulnerabilities in SOHO router products

SOHO networking devices are used in millions of homes and small businesses around the world for network access; these devices are purchased and installed by consumers with the expectation that their network and digital assets will be protected from attackers.

ISE discovered and identified critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. Our research is directed at identifying the ubiquity and criticality of vulnerabilities in these devices. We initially evaluated 13 off-the-shelf routers, and demonstrated that 11 of 13 were exploitable by a remote adversary—and that all 13 were exploitable by a local adversary on the (W)LAN and Guest (W)LAN. The *critical* vulnerabilities that persist in this class of devices expose an urgent need for deeper security scrutiny.

Our attacks demonstrate varying levels of criticality, from unauthenticated router takeover to authenticated takeover that requires minimal participation from users. We will demonstrate a great magnitude of root vulnerabilities ISE discovered during the analysis of SOHO router network services and further break down the anatomy of exploitation. Attacks include Buffer Overflows, Cross-Site Request Forgery, Command Injection, Directory Traversal, Authentication Bypass, Backdoors and more!

The primary focus of this presentation will be full router compromise by an adversary and its implications, but we will also discuss the evolution of SOHO device functionality, and how the SOHO industry’s lack of attention to security has left millions of networks vulnerable to exploitation. Attendees should leave this presentation with increased awareness of SOHO router security and understand how to find and exploit various vulnerabilities found in SOHO network equipment.

Jacob Holcomb (@rootHak42) OSCP, CEH: Residing in Baltimore, MD, Jacob works as a Security Analyst for Independent Security Evaluators. At ISE, Jacob works on projects that involve penetration testing, application security, network security, and exploit research and development. In addition to work related projects, python coding, and his favorite pastime of EIP hunting, Jacob loves to hack his way through the interwebz and has responsibly disclosed several 0-day vulnerabilities in commercial products.


Juice Jacking Unearthed

Robert Rowley Security Researcher, Trustwave

This presentation will cover the history of juice jacking, or "malicious" mobile phone charging kiosks, as well as get into technical and physical aspects of the attack. Discussion includes what has changed, what countermeasures exist and details on how to write your own scripts/tools that could be used in conjunction with such an apparatus, or used legally as mobile forensics utilities.

Robert Rowley (@iamlei) Currently a Security Researcher for Trustwave SpiderLabs, Robert has been part of the California security scene for the past decade. He has been best known for his part in developing the first Juice Jacking Kiosk, released with the Wall of Sheep and staff during DEF CON 19.


Owning a Fully Patched Windows 7 Machine with RDP

Saturday, August 3rd, 1 - 2 PM

This presentation will demonstrate how to use tools that are normal for good use and turn them into weapons for evil purpose. By using Microsoft terminal server, I will show how you can get a remote command line on a fully patched Windows 7 machine and in the process bypass a top-of-the-range IPS/IDS system, all without any 0days, just using Microsoft products!

Wicked Clown (@wickedclownuk) Wicked Clown is a 'jack-of-all-trades' ethical security researcher from the UK who has presented at Bsides London, DefCON London and BruCON. He has over 20 years of personal research and enjoys ways of exploiting systems without using 0days but just a little out-of-the-box thinking. He has only been working in the security industry and active in the hacking community for the past 5 years.


Got spies in your wires?

Evan Peña, Chuck Willis Mandiant Corporation

This talk will cover malware beaconing techniques Mandiant has observed that avoid typical signature-based network IDS/IPS detection. We will discuss advanced malware techniques used for command and control communication using common protocols such as HTTP, DNS, and more. These techniques are used to avoid standard IDP/IPS detection. The presentation will provide examples of that behavior, as well as a case study of signature-based IDS/IPS evasion techniques. Tools and techniques used to detect and disrupt these mechanisms will also be discussed, including use of DNS blackholes and honeypots, as well as deployment of a local CA to intercept SSL traffic. This ain’t no Robert Morris malware!

Evan Peña Evan works at MANDIANT as an Associate Consultant doing incident response, forensics, and penetration testing. Evan has years of experience in enterprise information technology administration, employing covert penetration testing to evaluate incident response procedures, and assessing enterprise network defense capabilities from the perspective of an attacker. In addition, Evan participates in penetration testing engagements of large government agencies and Fortune 500 companies. These networks have an online presence of hundreds of thousands of addresses around the world.

Chuck Willis (@chuckatsf) Chuck Willis is a Senior Technical Director with MANDIANT, a full spectrum information security company in Alexandria, Virginia. At MANDIANT, Mr. Willis concentrates in application and network security, where he assesses the security of sensitive software and systems through penetration testing, static analysis, and “white box” review. His past experiences include study of source code analysis tools, security software engineering, computer forensics, network intrusion investigations, research, and tool development. Mr. Willis is the leader of the OWASP Broken Web Applications project, which distributes a virtual machine with known vulnerable web applications for testing and training.


Reverse Engineering with DOSBox for LOLz and Profit

Michael Spicer