Speaker Workshops at DEF CON 23

Friday, August 7th Saturday, August 8th Sunday, August 9th
10 - 11 AM Tools and Techniques Used at the Wall of Sheep (10 - 10:20 AM)
Ming Chow

Real World Automation for Rapid Response (10:20 - 11 AM)
Monzy Merza
How Machine Learning Finds Malware Needles in an AppStore Haystack
Theodora Titonis
11 AM - 12 PM Mobile Data Loss - Threats & Countermeasures
Mike Raggo
MITM 101: Easy Traffic Interception Techniques Using Scapy
Bob Simpson
802.11 Monitoring with PCAP2XML/SQLite
Vivek Ramachandran
12 - 1 PM Sniffing SCADA
Karl Koscher
I See You
Brian Wohlwinder, Andrew Beard
The Digital Cockroach Bait Station: How to Build Spam Honeypots
Robert Simmons
1 - 2 PM dnstap - A Standard Interface to Real Time DNS Transaction Flows
Paul Vixie
PowerShell for Penetration Testers
Nikhil Mittal
Fishing To Phishing: It's All About Slimy Creatures
Wayne Crowder
2 - 3 PM Hacker's Practice Ground
Lokesh Pidawekar
The Packets Made Me Do It: Getting Started with Distributed Full Packet Capture Using OpenFPC
Leon Ward
From XSS to Root on Your NAS
Tony Martin
3 - 4 PM Global Honeypot Trend
Elliott Brink
Is Your Android App Secure?
Sam Bowne
4 - 5 PM Remaining Covert in an Overt World
Mike Raggo, Chet Hosmer
sup3r s3cr3t CLOSED
5 - 6 PM Violating Web Services
Ron Taylor
Creating REAL Threat Intelligence With Evernote
6 - 7 PM Penetration Testing Using a Raspberry Pi
Joseph Muniz, Aamir Lakhani
Haking the Next Generation
David Schwartzberg

802.11 Monitoring with PCAP2XML/SQLite

Vivek Ramachandran, Founder, SecurityTube.net and Pentester Academy

802.11 monitoring, attack detection and forensics has always been hard. It's almost immpossible to get any meaningful inference if one relies only on Wireshark filters. This is why we created Pcap2XML/SQLite, a tool to convert 802.11 trace files into equivalent XML and SQLite formats. Every single packet header field is mapped to a corresponding SQLite column. This allows us to create arbitrary queries on the packet trace file and we will show how this can be used for attack detection and forensics with live examples.

Vivek Ramachandran (Twitter: @securitytube) Vivek discovered the Caffe Latte attack, broke WEP Cloaking and publicly demonstrated enterprise Wi-Fi backdoors. He is the author of two best selling books on Wi-Fi Security and Pentesting which have sold over 13,000+ copies worldwide. He is the founder of SecurityTube.net and runs SecurityTube Training & Pentester Academy which has trained professionals from 90 countries. He has spoken and trained at a number of conferences including DEF CON, Black Hat USA / Europe / Abu Dhabi, Brucon, Hacktivity.

Creating REAL Threat Intelligence With Evernote

grecs, Founder, NovaInfosec.com

In the presentation that threat intel vendors do not want you to see, threat data from open source and home grown resources meets Evernote as the ultimate braindump repository with the outcome of producing real actionable threat intelligence that your organization can leverage to stop the bad guys. This presentation discusses an experiment of using Evernote as a informal threat intelligence management platform, the specific concepts and strategies used, and its overall effectiveness. Specific topics covered include the advantages of using an open and flexible platform that can be molded into an open/closed source threat data repository, an information sharing platform, and an incident management system. Although using Evernote in this way in large enterprises is probably not possible, organizations can apply the same reference implementation to build similarly effective systems using open source or commercial solutions.

Salvador Grec (Twitter: @grecs) grecs has almost two decades of experience, undergraduate and graduate engineering degrees, and a really well known security certification. Despite his formal training, grecs has always been more of a CS person at heart going back to his VIC-20, Commodore 64, and high school computer club days. After doing the IT grind for five years, he discovered his love of infosec and has been pursuing this career ever since. Currently, he spends his days improving and architecting SOC solutions. At night he runs a local infosec website where he discusses his latest security research and offers his commentary on the world of cyber.

The Digital Cockroach Bait Station: How to Build Spam Honeypots

Robert Simmons, Senior Threat Intelligence Researcher, ThreatConnect, Inc.

Spam honeypots are an excellent way to gather malware binaries as well as malicious URLs that attackers use to infect their targets. Many malware campaigns are shotgun blasts of emails sent to very large numbers of email addresses. If you can get your bait address on their list, they essentially send you a copy of the malware or the URL that leads to it. This talk will cover how to setup a spam honeypot for gathering these types of threats. It will also cover how to efficiently sort through the data coming in, what data points are valuable to include in your analysis, and finally how and where to share the threat data that you are gathering. The goal is to give one the tools they need to protect themselves from emerging threats as they appear in the wild.

Robert Simmons (Twitter: @MalwareUtkonos) Robert is a Senior Threat Intelligence Researcher for ThreatConnect, Inc. With an expertise in building automated malware analysis systems based on open source tools, he has been tracking malware and phishing attacks and picking them apart for years. Robert has a background in biology, linguistics, and Russian area studies. He has lived extensively in Russia and Ukraine and has been known to swear profusely and constantly in Russian.

dnstap - A Standard Interface to Real Time DNS Transaction Flows

Paul Vixie, CEO, Farsight Security, Inc.

DNS is a high volume low latency datagram protocol at the heart of the Internet -- it enables almost all other traffic flows. Any analysis of network traffic for security purposes will necessarily include contemporaneous DNS traffic which might have resulted from or directed that traffic. Netflow by itself can answer the question, "what happened?" but it cannot by itself answer the equally important question, "why?"

Collecting DNS query and response data has always been challenging due to the impedance mismatch between DNS as an asynchronous datagram service and available synchronous persistent storage systems. Success in DNS telemetry has historically come from the PCAP/BPF approach, where the collection agent reassembles packets seen 'on the wire' into DNS transaction records, with complete asynchrony from the DNS server itself. It is literally and always preferable to drop transactions from the telemetry path than to impact the operation a production DNS server in any way.

BPF/PCAP is not a panacea, though, since the complexity of state-keeping means that most passive DNS collectors are blind to TCP transactions, and all are blind to data elements which don't appear on the wire, such as cache purge or cache expiration events, or to "view" identifiers or current delegation point. The Farsight Security team has therefore designed a new open source and open protocol system called 'dnstap' with a transmission/reception paradigm that preserves the necessary lossiness of DNS transaction collection while avoiding the state-keeping of BPF/PCAP based systems.

This talk will cover passive DNS including collection, sharing, post-processing, database construction, and access, using the Farsight Security system as a model. 'dnstap' will be introduced in that context, including a status report and road-map.

Dr. Paul Vixie (Twitter: @paulvixie) Paul is the CEO of Farsight Security. He previously served as President, Chairman and Founder of Internet Systems Consortium (ISC), as President of MAPS, PAIX and MIBH, as CTO of Abovenet/MFN, and on the boards of several for-profit and non-profit companies. He served on the ARIN Board of Trustees from 2005 to 2013, as ARIN Chairman in 2008 and 2009, and was a founding member of ICANN Root Server System Advisory Committee (RSSAC) and ICANN Security and Stability Advisory Committee (SSAC). He operated the ISC's F-Root name server for many years, and is a member of Cogent's C-Root team. He is a sysadmin for Op-Sec-Trust.

Paul has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014.

Fishing To Phishing: It's All About Slimy Creatures

Wayne Crowder

Fishing at a professional level shares a lot of traits with security professionals. Deep analysis of the environment, weather, and water conditions. A passion and certain stubbornness are what successful professional fisherman have. A security analyst requires similar skills and motivations to achieve their objectives. Not surprisingly, if you can market yourself well, you don't have to be the best at either industry to make money. This talk will poke fun at both of the industries work in and love. The technology available now for those how like to chase slimy creatures is nothing short of amazing. The sonar and mapping market has made the learning curve on most lakes very short for those who can afford the devices. The growth of this industry has left these units open for an interesting security review.

We will take a fun journey researching a powerful, yet poorly implemented network device found on a lot of fishing boats. Abuse of the lack of controls can lead to a bad day on the water. Imagine a fishing pole that could also double as an omnidirectional Wi-Fi antennae showing the poached signals and "hot spots" of other anglers. The talk will be fun, a little tongue-in-cheek, but more importantly should show the risks of enabling Wi-Fi for just about every device with a display. The underlying hardware and software of the units will be discussed. If the fish aren't biting, the "custom" build loaded on a device can pass the time as if you were home. The talk will conclude with thoughts about a few other examples where screen sharing over Wi-Fi could lead to problems. I will challenge attendees to think differently about the Internet of Things and how hacking and security research is crucial to make things safer, smarter and better. Or, just come to watch fishing porn.

Wayne Crowder (Twitter: @wacbass) After the dream of becoming a fisheries biologist was crushed under the reality of low pay for 8+ years of school, Wayne turned to his love of technology. IT and Security have been very kind to Wayne's fishing habit. For many years it supported him while he moonlighted as a professional fisherman. Stints on TV, radio and seminars for boat or outdoor shows has led to at least a dozen autographs. Incident response and threat intel keep him busy. Wayne is proud he has more fishing poles than certifications.

From XSS to Root on Your NAS

Tony Martin, Software Security Architect

Home Network Attached Storage devices (NAS) are gaining in popularity because of the simplicity they offer to manage ever-growing amounts of personal data. The device's functionality is extending beyond a data store, adding functionality to become the central content management system, multimedia center, network management point and even automation hub for the home and small business. The devices offer accessibility to local and remote users as well as to untrusted users via data shares. These capabilities expose all stored data and the device itself to outside/remote attackers. This talk will demonstrate NEON TOOL; by leveraging multiple vulnerabilities, it allows a remote attacker to gain root access on a popular home NAS device. The talk will cover the problems that XSS, in conjunction with other weaknesses, can create. It will address how these vulnerabilities were uncovered, possible mitigations, how to work responsibly with the vendor to ensure a timely resolution and an investigation into the fixes employed.

Tony Martin (https://www.linkedin.com/in/martintony) Tony is a security architect at Fortune 100 networking company as part of the secure development lifecycle team. He likes green font with a black background and when bored, stuff tends to get broken –ethically. His areas of learning include software and system architecture / design with a flair for trying to build security from the start, implementing and breaking (or trying) applied crypto, and pen testing (hence this talk). Additionally, he loves training / teaching and enabling teams to build secure products. Tony volunteers many places including the Packet Hacking / Wall of Sheep Village.

Global Honeypot Trends

Elliot Brink

Many of my computer systems are constantly compromised, attacked, hacked, 24/7. How do I know this? I've been allowing it. This presentation will cover over one year of research running several vulnerable systems (or honeypots) in multiple countries including the USA, mainland China, Russia and others. We'll be taking a look at: a brief introduction to honeypots, common attacker trends (both sophisticated and script kiddie), brief malware analysis and the statistical analysis of attackers based on GeoIP. Are there differences in attacks based on where a computer system is located? Let's investigate this together! Beginners to the topic of honeypots fear not, the basics will be covered.

Elliott Brink (Twitter: @ebrinkster) Elliott is an Information Security Consultant based out of Chicago, IL. He specializes in internal/external pentesting, security architecture, and social engineering engagements. He loves computer history, tracking bad guys, honeypots, an expertly crafted bloody mary and traveling the globe.

Hacker's Practice Ground

Lokesh Pidawekar, Cisco, Inc.

Learning Hacking legally and economically is not a myth anymore. You will witness how to create a practice ground to hone the skills of hacking. The talk will take you through infrastructure, tools and techniques of practicing hacking. It will also cover information about online hacking challenges and breaking into bug bounty programs. Expect lot of demos.

Lokesh Pidawekar (Twitter: @MaverickRocky02) Lokesh is Master's student in Information Assurance at Northeastern University, Boston. He has more than 4 years of experience in System hardening, Network architecture assessments and web application penetration testing. During last summer, he was software security intern at Cigital, Inc. where he worked on various mobile and web application penetration testing projects. He actively participates in bug bounty programs and responsibly disclosed vulnerabilities to various companies. He is president of ISSA-Northeastern University student chapter and recipient of ISC2 Graduate research scholarship.

Haking the Next Generation

David Schwartzberg, Senior Security Engineer, MobileIron

Kids are wired to learn. They are learning while they are playing, so why not give them an environment where they can play while they are learning. A combination of a speaking track, workshops, and an open area of stations complementing each other enables the attendees to expand and enlighten their technical interests. For innovation to perpetuate, it's imperative that today's young users are exposed to the bigger picture of how we got here and to help realize their potential. You can come learn more about how Hak4Kidz is making a difference and how you can potentially organize a Hak4Kidz in your local city.

David Schwartzberg (Twitter: @DSchwartzberg) David is a Senior Security Engineer at MobileIron, a mobile security company, where he specializes in mobile and network security. Utilizing his 6 years accounting experience and combined 17 years InfoTech and InfoSec experience, he speaks regularly with technology executives and professionals to help protect their corporate secrets and stay compliant. In his spare time he co-founded Hak4Kidz, www.hak4dkiz.com, and has blogged for Dark Reading, Naked Security and Barracuda Labs. He has spoken at conferences such as Black Hat Arsenal, BSides, Converge, DerbyCON, GrrCON, OWASP AppSec, THOTCON, Wall of Sheep Village, (ISC)2 Congress and several others. David has earned several certifications in the field of Information Technology and Information Security. If you need to know the list of certifications, that's what Linkedin is for.

How Machine Learning Finds Malware Needles in an AppStore Haystack

Theodora Titonis, Vice President of Mobile Security at Veracode

Machine learning techniques are becoming more sophisticated. Can these techniques be more affective at assessing mobile apps for malicious or risky behaviors than traditional means? This session will include a live demo showing data analysis techniques and the results machine learning delivers in terms of classifying mobile applications with malicious or risky behavior. The presentation will also explain the difference between supervised and unsupervised algorithms used for machine learning as well as explain how you can use unsupervised machine learning to detect malicious or risky apps.

What you will learn:

  • Understand the difference between advanced machine learning techniques vs. traditional means.
  • Recognize different types of algorithms used to improve mobile security.
  • Understand how you can use unsupervised machine learning to detect malicious or risky apps.

Theodora Titonis Theodora is an innovative entrepreneur whose passion for technology began when she started programming computers at the age of seven. While pursuing computer science at The Ohio State University she focused her efforts on the challenging field of security. During the dotcom-era, Theodora architected systems and provided security expertise to federal government intelligence and defense agencies, leading financial institutions and Fortune 500 Companies.

Theodora served as the Founder, CEO, sole investor, and a patent assignee of Marvin Mobile. Veracode, Inc., the leader in cloud-based application security testing, acquired Marvin in September 2012. Ms. Titonis now serves as Veracode's Vice President of Mobile Security.

I See You

Brian Wohlwinder, Manager of Threat Analysis, Fidelis Cybersecurity; Andrew Beard, Manager of Threat Systems, Fidelis Cybersecurity

In this talk, we will dive into the data captured during last years Wall of Sheep applications and protocols that are giving your away credentials. This is something that anyone, with the right level of knowledge and inclination, could certainly do with a few basic ingredients. We will enumerate them. The dataset we will focus on was gathered as part of the Wall of Sheep contest during DEF CON 22. While this data was gathered using an off the shelf technology, that platform will not be the topic we discuss. Rather, we will focus on the types and scope of data sent totally in the clear for all to see. Additionally, we will discuss the ramifications this might have in a less "friendly" environmen --where loss of one's anonymity, might really, really suck. Finally, we will discuss and recommend ways you can hamper this type of collection.

Brian Wohlwinder In his role as Manager of Threat for Fidelis Cybersecurity Systems, Brian is responsible for developing and evolving the company's threat detection strategy while synchronizing it with product strategy.  Before "retiring," Brian also held a number of roles, in a wide range of cyber programs within the Department of Defense and associated Joint Community; his military service includes stints as a Cyberspace Strategist for the Air Force Space Command, Mission Commander at the Joint Functional Component Command - Network Warfare, Chief of Space Systems Integration, Network Engineer, Programmer, Systems Analyst, and Rated Flight Engineer. In addition to extensive training in the military, Brian also received his Bachelor's degree in Computer Science from Charleston Southern University and a Master's degree in Business Administration from The Citadel Military College.

Andrew Beard Andrew is the Manager of Threat Systems for Fidelis Cybersecurity and is a native of the DC metro area. In his role, he manages a small team that is primarily responsible for processing threat intel at scale. He holds a B.S. in Computer Engineering from the University of Maryland, College Park, with a minor in Dance Dance Revolution. He is a connoisseur of astronaut ice cream and somewhat begrudgingly takes slow, meandering walks with his French Bulldog, Fudge. He is often accused of being Gordon Freeman's evil twin and insists that no one is too old to own action figures.

Is Your Android App Secure?

Sam Bowne, Instructor, City College San Francisco

It's easy to audit Android app security, and very important, because most of them have one or more of the OWASP Mobile Top Ten Risks. I tested the top ten US bank apps, stock trading apps, and insurance apps, and 70% of them were insecure. I'll demonstrate how to find SSL validation failures and how to add Trojans to vulnerable apps to create a Proof-of-Concept. Complete instructions for all these tests are available free at https://samsclass.info/.

Sam Bowne (Twitter: @sambowne) Sam has been teaching computer networking and security classes at CCSF since 2000. He has given talks at DEFCON, HOPE, BayThreat, LayerOne, and Toorcon, and taught classes and many other schools and teaching conferences. He has these things: BS, PhD, CEH, CISSP, WCNA, and a lot of T-shirts.

MITM 101: Easy Traffic Interception Techniques Using Scapy

Bob Simpson, CIO, Finley & Cook, PLLC

Performing man-in-the-middle attacks takes a little planning and practice, but you will soon find that it is one of the most powerful and useful skills you can develop. Once you get the hang of it, Scapy makes it easy to target a specific box or a whole network, and whether you have physical access or remote penetration, you can use MITM to open up new possibilities.

Bob Simpson (Twitter: @bobby_simpson) Bob is CIO for Finley & Cook, PLLC, a private accounting firm. He has been with the company for 8 years. Previously, he served as Security Architect for the Oklahoma Department of Human Services, and Senior Systems Engineer at iPolicy Networks, an intrusion prevention firm. Bob has system-wide design and project lead experience, including network architecture, security assessment and enforcement, and network software development. Mr. Simpson holds the CISSP, GCIH, GCIA, and GPEN, as well as MCSE and CCNA certifications. He serves on the SANS Advisory board and is a member InfraGard. Most recently, Bob has developed GhostSentry, a device for remote access logging and compliance.

Mobile Data Loss - Threats & Countermeasures

Michael Raggo, Director, Security Research, MobileIron

Current attack vectors indicate that malware, spyware, and other nefarious attacks are targeting mobile devices for financial gain, cyber espionage, or to simply damage company reputation. Additionally, the threat from the inside has also increased, leading to intentional and unintentional data leakage for many companies. This presentation will review best practices and strategies for controlling the dissemination of data on mobile devices by analyzing current mobile attack vectors and countermeasures.

Michael Raggo (Twitter: @MikeRaggo) Michael applies over 20 years of security technology experience and evangelism to the technical delivery of Mobile Security Solutions. Mr. Raggo's technology experience includes mobile device security, penetration testing, wireless security assessments, compliance assessments, incident response and forensics, security research, and is a former security trainer. His publications include books for Syngress titled "Data Hiding" and McGraw Hill as a contributing author for "Information Security the Complete Reference 2nd Edition", as well as multiple magazine and online articles. He is also a participating member of the PCI Mobile Task Force. Mr. Raggo has presented on various security topics at numerous conferences around the world (BlackHat, DefCon, SANS, Gartner, DoD Cyber Crime, OWASP, InfoSec, etc.) and has even briefed the Pentagon and FBI.

The Packets Made Me Do It: Getting Started with Distributed Full Packet Capture Using OpenFPC

Leon Ward

Network security analysts love to see packets, however most commercial security products don't record them, instead they provide packet-less event messages that can leave you asking yourself "Did that event really happen?" This talk investigates this situation and covers the history that lead the speaker to start an Open Source project that has helped him to enrich security detection events with packets as required.

OpenFPC is a packet capture framework that is designed to help retro-fit full packet data into external existing packet-less event generating tools (think Intrusion detection, firewalls, SIEMs, or log managers). Learn how to rapidly deploy a distributed full packet capture system using only a few commands, and then enrich other tools with it to augment your current event analysis process.

Leon Ward Leon has spent over ten years in "day jobs" working closely with both open source and proprietary network security tools. Following years of experience of helping to design and deploy large intrusion prevention deployments, he decided to focus on trying to advance the products themselves. While working as Director of Product Management at Sourcefire, he became responsible for network detection technologies including the famous Snort open source intrusion prevention engine. OpenFPC was started is a spare time "passion" project for Leon (read "not his day job") that enables him to stay knee-deep in packets and code.

Penetration Testing Using a Raspberry Pi

Joseph Muniz, Consultant at Cisco Systems and Security Researcher; Aamir Lakhani, Senior Cyber Security Researcher, Fortinet and FortiGuard Labs.

The Raspberry Pi is an $35 computer that can be used for small computing tasks and education purposes. However it can also be used as a penetration testing platform that allows for social engineering, advanced attacks, and other forms of evil. This talk will cover how we have used a raspberry pi to exploit networks.

Joseph Muniz Joseph is a consultant at Cisco Systems and security researcher. Joseph started his career in software development and later managed networks as a contracted technical resource. Joseph moved into consulting and found a passion for security while meeting with a variety of customers. He has been involved with the design and implementation of multiple projects ranging from Fortune 500 corporations to large federal networks. Joseph is the author and contributor of several books as well as speaker for popular security conferences. Check out his blog http://www.thesecurityblogger.com showcasing the latest security events, research and technologies.

Aamir Lakhani Aamir is a senior cyber security researcher and practitioner with Fortinet and FortiGuard Labs. He is responsible to provide IT security solutions to major global organizations. Lakhani has designed cyber solutions for defense and intelligence agencies, and has assisted organizations in defending themselves from active strike back attacks perpetrated by underground cyber groups.

PowerShell for Penetration Testers

Nikhil Mittal

PowerShell has changed the way Windows networks are attacked. It is Microsoft's shell and scripting language available by default in all modern Windows computers. It can interact with .NET, WMI, COM, Windows API, Registry and other computers on a Windows network. This makes it imperative for Penetration Testers and Red Teamers to learn PowerShell. This talk looks at various attacks and tasks performed by penetration testers and red teamers during different phases of an assessment and utilize PowerShell to make them easy and much more powerful. Various techniques like in-memory shellcode execution from a Word macro, dumping system secrets in plain, using innovative communication channels, lateral movement, network relays, using Metasploit payloads without detection etc. would be discussed.

Nikhil Mittal (Twitter: @nikhil_mitt) Nikhil is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defence strategies and post exploitation research. He has 6+ years of experience in penetration testing for his clients which include many global corporate giants. He is also a member of red teams of selected clients. He specializes in assessing security risks at secure environments which require novel attack vectors and "out of the box" approach. He has worked extensively on using Human Interface Device in Penetration Tests and PowerShell for post exploitation. He is creator of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches on new attack methodologies and updates his tools and frameworks. He has spoken at conferences including DEF CON, BlackHat USA, BlackHat Europe, RSA China, and EuSecWest.

Real World Automation for Rapid Response

Monzy Merza, Chief Security Evangelist, Splunk

This talk will discuss how you can automate incident response, with an emphasis on the foundational capabilities required for auto-response and how those capabilities are integrated. It will also highlight specific examples of end-to-end threat detection, response and mitigation. Note that it is very challenging for a talk of this nature to be 'immediately useful' and still be vendor neutral. We are not promoting any specific vendor, but we have to use some specific examples in the security ecosystem to make the content actionable – otherwise it’s too generic.

We will not be promoting any specific vendor as cyber operations require an ecosystem solution. We will use specific, real world examples of threat-intel, endpoint, network and identity management systems from a number of open source and closed source providers. Splunk is not in the network business, or the threat-intel business or the asset and identity management business, so examples will include other open source and closed source technology vendors.

The audience will learn why a balanced approach is required across the infrastructure; how and why to tie the pieces together; and how to conduct faster threat detection and incident response.

Even if attendees don't have the exact product/vendor mix as our examples, they will learn how to think through and apply these tactics in their own environments.

Monty Merza (Twitter: @monzymerza) Monzy serves as the Chief Security Evangelist at Splunk Inc. He has more than 15 years of tactical and cyber security research experience in government and commercial organizations. His experience includes vulnerability management, security product testing, penetration testing, adversary modeling, cyber tools and infrastructure development. Merza has served as content developer and instructor for cyber trainings and red/blue team exercises. He has also been an invited speaker at government and open conferences. Merza's current research is focused on integrated approaches to human driven and automated responses to targeted cyber attacks.

Remaining Covert in an Overt World

Michael Raggo, Director, Security Research, MobileIron; Chet Hosmer, Founder of WetStone Technologies, Inc.

With the explosion of social media, sharing apps, and an overall world of overtness, some of us are seeking ways to communicate covertly and protect our privacy. This has prompted the emergence of new and enhanced covert communications. This includes methods for hiding data within apps, communication protocols, and even enhanced techniques for hiding data within data. In this talk we'll explore the most recent techniques for secret communications and hiding data, while also exploring new ideas for covert storage in wearables, mobile devices, and more with walkthroughs and demos.

Michael Raggo (Twitter: @MikeRaggo) Michael applies over 20 years of security technology experience and evangelism to the technical delivery of Mobile Security Solutions. Mr. Raggo's technology experience includes mobile device security, penetration testing, wireless security assessments, compliance assessments, incident response and forensics, security research, and is a former security trainer. His publications include books for Syngress titled "Data Hiding" and McGraw Hill as a contributing author for "Information Security the Complete Reference 2nd Edition", as well as multiple magazine and online articles. He is also a participating member of the PCI Mobile Task Force. Mr. Raggo has presented on various security topics at numerous conferences around the world (BlackHat, DefCon, SANS, Gartner, DoD Cyber Crime, OWASP, InfoSec, etc.) and has even briefed the Pentagon and FBI.

Chet Hosmer Chet is the Founder of Python Forensics, Inc. a non-profit organization focused on the collaborative development of open-source investigative technologies using Python.  Chet is also the founder of WetStone Technologies, Inc. and has been researching and developing technology and training surrounding forensics, digital investigation and steganography for over two decades. He has made numerous appearances to discuss emerging cyber threats including National Public Radio's Kojo Nnamdi show, ABC's Primetime Thursday, NHK Japan, CrimeCrime TechTV and ABC News Australia. He has also been a frequent contributor to technical and news stories relating to cyber security and forensics and has been interviewed and quoted by IEEE, The New York Times, The Washington Post, Government Computer News, Salon.com and Wired Magazine. He is the author of three recent Elsevier/Syngress Books: Python Passive Network Mapping (ISBN-13: 978-0128027219), Python Forensics (ISBN-13: 978-0124186767), and Data Hiding which is co/authored with Mike Raggo (ISBN-13: 978-1597497435). Chet serves as a visiting professor at Utica College where he teaches in the Cybersecurity Graduate program. He is also an Adjunct Faculty member at Champlain College in the Masters of Science in Digital Forensic Science Program. Chet delivers keynote and plenary talks on various cyber security related topics around the world each year. Chet resides with Wife Janet, Son Matthew along with his four legged family near Myrtle Beach, South Carolina.

Sniffing SCADA

Karl Koscher, Postdoctoral Researcher, University of California San Diego

Over the past few years, interest in ICS/SCADA systems security has grown immensely. However, most of this interest has been focused on IP-connected SCADA networks, largely ignoring numerous deployments relying on other technologies such as wireless serial links. In this talk, I'll introduce a new GNU Radio module which lets you sniff (and potentially speak with) SCADA networks that use a popular RF modem for their communications. I'll also describe the process of reverse-engineering the proprietary RF protocol used. Finally, I'll talk about the higher-layer protocols used in SCADA networks, including ModBus and DNP3, demonstrate how we are able to monitor the (unencrypted and unauthenticated) sensing and control systems used by a large electricity distribution network, and discuss some of its implications.

Karl Koscher (Twitter: @supersat) Karl is a postdoctoral researcher at the University of California San Diego where he specializes in embedded systems security. In 2011, he and his collaborators were the first to demonstrate a complete remote compromise of a car over cellular, Bluetooth, and other channels. In addition to breaking systems, he also works on creating tools and technologies to enable developers to automatically find (and fix) potential security vulnerabilities in their embedded systems. Since earning his ham license at DEF CON 22 (and later upgrading to Amateur Extra), he has become interested in many aspects of wireless communications.

Tools and Techniques Used at the Wall of Sheep

Ming Chow, Wall of Sheep

Ming will demonstrate how to capture and analyze packets using the tools that are used by the shepherds at the Wall of Sheep. The tools include Wireshark, tcpdump, dsniff, and ettercap. Attendees do not need to have any networking or security experience but are expected to bring their own laptop. For the purpose of this session, a *nix environment will be used (e.g., Linux, Mac OS X).

Ming Chow (Twitter: @0xmchow) Ming has been involved with the Wall of Sheep since DEF CON 15 (2007).

Violating Web Services

Ron Taylor

The majority of today's mobile applications utilize some type of web services interface (primarily SOAP and REST) for connecting to back end servers and databases. Properly securing these services is often overlooked and makes them vulnerable to attacks that might not be possible via the traditional web application interface. This talk will focus on methods of testing the security of these services while utilizing commercial and open source tools. We will also highlight some web services of well-known sites that have been recently violated.

Ron Taylor (Twitter: @Gu5G0rman) Ron has been working in the information security field for the past 16 years. He spent 10 years in consulting, gaining experience in many areas. For the past 7 years he has been working as an engineer for Cisco Systems in RTP. His focus is on Pen Testing Cisco products and working with the development teams to implement high security standards. He also holds certifications including GPEN, GCIH, GWAPT, RHCE, CCSP, CCNA, CISSP and MCSE. He is a SANS Mentor and one of the founders of BSides Raleigh.