Conference

The Conference portion of ToorCon San Diego will kick off with a reception on Friday Night, Sept 1st and will be followed by one day of 50 minute talks and a second day of 20 minute talks. Online registration closes on Aug. 25, 2017. Tickets can still be purchased at the door. Our pricing schedule is listed below:

ROUND PRICE TOTAL AVAILABLE
Round 1 $120 150 – SOLD OUT
Round 2 $180 150 – SOLD OUT
Door Rate $220 300

 

Preliminary Schedule

Friday – Sept 1, 2017

TIME EVENT
1900 Friday Night Reception
Come check-in for the conference and meet up with everyone! Free drinks and snacks will be provided by our wonderful sponsors.

Saturday – Sept 2, 2017

TIME TRACK 1 TRACK 2
0900 Registration
0930 Opening Remarks
1000 Keynote: Lance James
1100 Dominic Spill & Kyle Temkin
FaceDancer 2.0 – next generation USB hacking
James Barclay
From Zero to Zero-Trust: Lessons Learned Building a BeyondCorp SSH Proxy
1200 Lunch Break
1300 Robert Portvliet
Open Up and Say 0x41414141: Attacking Medical Devices
Aaron Hnatiw
How to Move Mountains
1400 Mohamad Mokbel / @MFMokbel
ShellPcapFication (SPF) – A Sophisticated Interactive Shell Framework
Ernest Y. Wong (Cozy Panda)
Defending Cyberspace by Thinking “1n51d3-th3-B0x”
1500 Chema Alonso
DirtyTooth: Put music & lose your contacts
Gurney Halleck
Cyber Wargames: Table Top Exercises
1600 Snack Break
1630 Will Caput
Cash in the aisles: How gift cards are easily exploited
Tyler Cook
False Advertising: How Modern Ad Platforms Can Be Used for Targeted Exploitation
1730 Marc Newlin, Logan Lamb, Chris Grayson
████████████████████████████ Your█████████████
Chris Thompson
MS Just Gave the Blue Team Tactical Nukes
1830 Dinner Break
2200 Saturday Night Party 

 

Sunday – Sept 3, 2017

TIME TRACK 1 TRACK 2
1130 Samy Kamkar
Vehicle Keyfob Reconnaissance & Attacks
1200 Ric Messier
Hacking Around ICS and Modbus
Aditya Balapure / @adityabalapure
Agile Security in WordPress Deployments
1230 Ulrich Lang
Dynamic whitelisting and security policy automation – pipe-dream or not?
Kashish Mittal
No one left behind : Security Defense through Gamification including CTFs
1300 Lunch Break
1400 Kai Lu(@k3vinlusec)
Dig Deep into FlexiSpy for Android
Billy / Cannibal
The state of Security in the Medical Industry
1430 Rafael Fontes Souza aka b4ckd00r
My dog is a hacker and will steal your data!
Ryan Satterfield
Gaining control of the sky: an in-depth drone security talk
1500 Snack Break
1530 Alain Iamburg
Serial Flash Chips: The Little Elephants in the Lab
David Hulton
Cracking DES: The end of Kerberos DES and NETLM/NTLMv1
1600 Santiago Hernández Ramos
WinReg MiTM: Simple Injection and Remote Fileless Payload Execution
Marcelo Mansur
Financial Crime: The Past, The Present and The Future
1630 Dan Tentler
Practical Threat Modeling
Pavel Bansky
Detecting security issues as fast as you making them
1700 Closing Remarks
1730 Dinner Break
1930 Sunday Night Party

Keynote: Lance James – From Hacker to Home

1999, the first Toorcon event started, 5 years after the world-wide web went live and if we were lucky enough, we got to show off our brand new Pentium III laptops at this San Diego-based conference. IOT was a non-existent nomenclature, but it did exist in embedded systems, PBX’s, gas station credit card terminals and Quotrons stock quote machines attached to 56k baud modems. Digital was a word, Cyber wasn’t. A hacker in it’s purest form was found at these conferences, many of them still hoping that the industry would accept their culture-for-hire (as demonstrated in the conference topics of the time) all the while Cult of the Dead Cow introduces the first world-wide remote-access-tool (RAT), scaring the masses rather quickly. Privacy was a questionable problem to solve both technically and socially, and electronic voting security was merely theory. An echo chamber of information sharing and discovery.

2017, The microphone is on, hackers are the cool kids and in some case celebrities, and election hacking is considered commonplace and unsurprising. Teenagers with your TV’s can take down half the Internet for free by going into a place known as the deep and dark web while today we can’t even fill the security roles in our businesses and governments worldwide with enough hackers to help us. This talk will explore the evolution of the hacker both technically and socially, with highlights of today’s problems in IoT, malware, and the merger of traditional intelligence as information security defensive and offensive disciplines.

Lance James
Lance is an internationally renowned information security specialist. He has more than 20 years of experience in programming, network security, digital forensics, malware research, cryptography design, cryptanalysis, counterintelligence, and protocol exploitation. He provides advisory services to a wide range of government agencies and Fortune 500 organizations including America’s top financial services institutions. Credited with the identification of Zeus and other malware, Lance is an active contributor to the evolution of security practices and counterintelligence tactics and strategies. He is currently the  Chief Scientist at Flashpoint where he oversees Flashpoint’s research and development and engages in thought leadership. Prior to joining Flashpoint, Lance was the Head of Cyber Intelligence at Deloitte & Touche LLP.

FaceDancer 2.0 – next generation USB hacking

USB connectivity has become ubiquitous. The sheer variety of USB connected devices ranging from computers and game consoles to resource constrained embedded systems has resulted in a wide variety of vendor-specific protocols and custom USB software stacks.

Being able to fuzz, monitor, mitm, or emulate USB can often be a foot in the door for working with black box systems; whether your goal is to build tools that work with existing hardware and software, find vendor interfaces or vulnerabilities to execute custom code, or to play NSA.

We introduce our next generation FaceDancer, with more supported hardware, higher speeds, and advanced capabilities for monitoring and mitming USB connections.

Dominic Spill
Dominic is a senior security researcher at Great Scott Gadgets where he writes software and firmware for open source hardware. His primary focus is sniffing and modifying communication protocols.

Kyle Temkin
Kyle J. Temkin leads the low-level Computer Architectures group at Assured Information Security, researching a variety of hardware hacking and architectural security topics. Kyle maintains and contributes to a variety of open-source projects, and probably spends way too much time reverse engineering and collecting electronic lab equipment.

From Zero to Zero-Trust: Lessons Learned Building a BeyondCorp SSH Proxy

The term “zero-trust” has become somewhat of a buzzword lately, but we haven’t seen many practical examples of how something like this is implemented. As fantastic as the BeyondCorp papers are, it can be a bit daunting to take concepts from it and build something real.

The SSH protocol in particular was of interest to us given how many times we use it on a daily basis, but aside from some comments in the source code for the Chrome Secure Shell extension, there wasn’t much to go on.

In this talk we’ll provide an in-depth look at how we built an SSH WebSockets proxy that natively supports the relay protocol built into the Chrome Secure Shell extension. We’ll also cover how we built a client proxy that supports the OpenSSH ProxyCommand directive, which allowed us to continue using standard SSH tooling on macOS, Windows, and *nix operating systems.

James Barclay
James Barclay is an R&D Engineer at Duo Labs, the security research and analysis team at Duo Security. Prior to joining Duo, James was a Tools Engineer at Pinterest, and an IT consultant before that. He’s contributed to a handful of open-source projects, and has been called an Apple nerd once or twice.

Open Up and Say 0x41414141: Attacking Medical Devices

Network accessible medical devices are ubiquitous in today’s clinical environment. These devices can be of great aid to healthcare professionals in assessing, treating and monitoring a patient’s condition. However, they can also fall victim to a number of systemic vulnerabilities that can expose personal health information or PHI, compromise the integrity of patient data in transit, and affect the availability of the devices themselves.

This talk looks at the methodology and approach to penetration testing of modern medical devices. It will provide an overview of the various stages of a medical device assessment, including discovery and analysis of a device’s remote and local attack surface, reverse engineering and exploitation of proprietary network protocols, vulnerability discovery in network services, compromising supporting systems, attacking common wireless protocols, exploitation of hardware debug interfaces and bus protocols and assessing proprietary wireless technologies.

It will also cover a number of real world vulnerabilities that the speaker has discovered during medical device penetration testing assessments. These include weak cryptographic implementations, device impersonation and data manipulation vulnerabilities in proprietary protocols, unauthenticated database interfaces, hardcoded credentials/keys and other sensitive information stored in firmware/binaries and the susceptibility of medical devices to remote denial of service attacks.

The talk will conclude with some suggestions on how some of the most common classes of medical device vulnerabilities might be remediated by vendors and also how hospitals and other healthcare providers can defend their medical devices in the meantime.

Robert Portvliet
Robert Portvliet is technical director of red team services at Cylance with over 8 years experience in various disciplines of penetration testing. His focus is on embedded systems and wireless penetration penetration testing and reverse engineering. Prior to joining Cylance, he was the network security service line lead for Foundstone and taught the ‘Ultimate Hacking: Wireless’ class at Blackhat 2011-2013.

How To Move Mountains

Pentesters are tired of breaking things, writing a report, and walking away. Security teams are caught in a backlog that prevents them from ever staying ahead. Developers curse security for slowing them down. How can we address these seemingly incompatible and insurmountable issues in an organization, especially at scale? The answer to this may be found in a practice called “DevSecOps” that has been gaining momentum in large organizations that need to move fast and ensure a high level of security across their applications and operations. It is a practice that attempts to address all of these issues through two core principles- automation and education. Using experience gained from working with several large fortune 500 companies, this talk will cover the basics of DevSecOps, and dive into specific tools and processes that organizations of any size can implement to immediately improve their speed of delivery while maintaining a strong and measurable security baseline.

Aaron Hnatiw
As a Senior Security Researcher at Security Compass, Aaron Hnatiw is constantly looking into the future to find ways to secure the world of tomorrow. Whether that’s through security automation, blockchain technology, or machine learning/artificial intelligence, he’s always working on the leading edge of information security. He has worked in most aspects of the information technology field, holding previous positions as a security consultant, system administrator, software developer, and college professor in application security. In his spare time, Aaron enjoys writing security tools and contributing to the open source community.

ShellPcapFication (SPF) – A Sophisticated Interactive Shell Framework

“For someone who works with Wireshark on a daily basis, dealing with different protocols at varying layers in the OSI model, and writing custom display filters for multifarious purposes and scenarios, will soon realize that Wireshark doesn’t provide the management interface necessary to do all of that in a structured and standardized way. Thus, why I’m presenting SPF (ShellPcapFication), a shell framework that provides a sophisticated abstraction layer for TShark (console-based version of Wireshark) and Windows command shell interpreter. SPF features a custom, unique and simple declarative language called Eros that consists of only two constructs, four keywords, three Input operators, auxiliary logic, a function call operator, an INSERT statement, a specifier, and an include preprocessing directive. Additionally, a set of built-in helper commands are also provided by SPF to simplify interaction with Eros in a dynamic way.

In this talk, I’ll address the internals of SPF framework, its features, how it works, how to write constructs for it, and how SPF can be used to help achieve the following:

+ The democratization of writing and sharing a standardized set of constructs based on Eros language
+ The capability to use different constructs as building blocks to form complex operations
+ Simplification of repetitive tasks
+ Rich shell functionality
+ Automation of Exploit Kit detection
+ Protocol specific features/fields extraction
+ Building self-contained and easy to manage self-explanatory units/constructs
+ Functioning as a signature detection system (based on TShark powerful protocol dissectors)”

Mohamad Mokbel
Mohamad Mokbel is a security researcher at Trend Micro, member of the Digital Vaccine Lab. He’s responsible for reverse engineering vulnerabilities and malware C&C communication protocols, among others, for the purpose of writing custom filters for TippingPoint NGIPS. Prior to joining Trend Micro, Mohamad worked for CIBC in the security operation center, one of the top five banks in Canada as a senior information security consultant – investigator (L3) where he realized that experience in the operation field is extremely important to understand the real sides of offense and defense. Prior to CIBC, Mohamad worked for Telus Security Lab as a reverse engineer/malware researcher for about 5 years. He’s been doing reverse code engineering for last 12 years.

His research interests lie in the areas of reverse code engineering, malware research, intrusion detection/prevention systems, C++, compiler and software performance analysis, information security, and exotic communication protocols.

Mohamad holds a MSc. in Computer Science from the University of Windsor and BSc. in Computer Engineering from the Lebanese International University.

Defending Cyberspace by Thinking “1n51d3-th3-B0x”

Innovation is a key buzzword currently within the US military and is shaping the vision for our forces as being agile organizations able to adapt to a complex world. But does our military have the capabilities to protect vital national interests in cyber? The growth of the Internet in our globally connected world has meant that tools for cyber are constantly changing. Accordingly, do we have the capacity to gain the advantages needed to out-hack our adversaries in this domain? In this talk, we provide a relatively simple framework for different types of innovation (disruptive, breakthrough, sustaining, and incremental) in order to find better solutions to malicious cyberattacks. By doing so, we promote how “inside-the-box” thinking can help successfully defend cyberspace.

Ernest Wong
Ernest Y. Wong is the Chief of Staff at the Army Cyber Institute and teaches Systems Engineering at West Point. He holds a Master of Military Science from Kuwait’s Mubarak al-Abdullah Staff College and earned a MS in management science & engineering and a MA in education from Stanford. He was a NASA Summer Faculty Fellow and has served in Iraq, Kuwait, and the Republic of Korea. He enjoys researching disruptive innovations and cyber resiliency.

DirtyTooth: Put music & lose your contacts

Bluetooth communications are on the increase. Millions of users use the technology to connect to peripherals that simplify and provide greater comfort and experience. There is a trick or hack for iOS 10.3.2 and earlier that takes advantage of the management of the profiles causing a great impact on the privacy of millions of users who use Bluetooth technology daily. From the iOS device information leak caused by the incorrect management of profiles, a lot of information about the user and their background may be obtained.

Chema Alonso
Chema Alonso is the CDO – Chief Data Officer – at Telefónica. In this position he heads the company’s Big Data strategy, Advertising and the Fourth Platform. As part of the work to define the Fourth Platform, he also leads the Personal Data Bank team and is the main internal promoter of the Data Transparency Lab. He is also responsible for global cybersecurity and data security, having created the new Global Security Unit with the Information Security Global Business in B2B & B2C and Eleven Paths.

Cyber Wargames: Table Top Exercises

In this talk you will learn about cyber wargaming with table top exercises (TTX). A TTX is an all paper exercise but has aspect of a penetration test without impacting actual systems. It provides a rehearsal for response, mitigation and recovery of a cyber attack.

Subjects that will be address include: What is a cyber wargame TTX, what are the objectives, how is it run, who are the players, what are the advantages and disadvantages of a TTX, when is a TTX appropriate as opposed to a pentest or vulnerability assessment, what are the outcomes and how can they be used to improve an organization’s security.

Gurney Halleck
– Over twenty years in computer and network security
– Concentration in offensive security
– R&D in offensive cyber systems
– Employed by a major aerospace corporation
– Design and development of cyber range systems
– Pentest and vulnerability assessment
– Over two years Red Team lead in cyber wargame TTXs

Cash in the aisles: How gift cards are easily exploited

It is commonly thought that gift cards must be activated to have any monetary value. Often displayed on countertops and lining grocery store aisles, seemingly worthless unactivated gift cards are free for anyone to grab a handful. However, weaker security features than the average credit card makes these gift cards nearly as valuable as cash. Mass produced, their numbers follow a predictable pattern and have limited built-in security, such as a chip or pin, to prevent fraud.

Will Caput
I’m a professional pen-tester with over a decade of experience in the offensive security field.

False Advertising: How Modern Ad Platforms Can Be Used for Targeted Exploitation

In this presentation I would like to demonstrate how modern ad platforms can be hijacked by a malicious user to deliver an extremely targeted phishing campaign to an unsuspecting victim. This campaign can target anyone from a CEO to a college intern, and can be configured to show on any predetermined device.

Everyday, millions of people use social networks to reach out, interact, share, and partake in an ever growing digital consciousness. Behind these networks sit unseen ad platforms serving up relevant advertisements to whoever advertisers would like to target. Modern ad platforms are designed to allow advertisers to grow their revenue and brand presence while being easy enough to use that everyone from a fortune 500 executive, to a general contractor, can now take part in the digital advertising revolution.

What most non-advertisers don’t know is that while advertising to a broader audience is excellent for business, ads can be and have been, used as a sharp skewer, precisely targeting a single individual. Modern ad platforms have given advertisers the power to reach anyone they please, anywhere in the world; this power could be harnessed by malicious users to serve as a gateway onto the network of their intended victim.

Tyler Cook
My name is Tyler, I like to break things.

████████████████████████████ Your█████████████

We ██████████ a █████████████████████████████████████ in ████████████████████████████████████████████████████████████████████████████████████████████████████████ and ████████. Our ███████████████████ it █████████████ to ████████ and ██████████████ all ████████ and ██████████████████████████████ the ████████████████████████████ millions of █████████████.

███████ for a ████████████████████ a ██████████ ██ an ██████████████████████████████████████████████████ the same █████████████. ███████████████. ██████████████ to ████████ the ██████████ for the ████████████████████, or ████████ the ████████████████████████████████████████████.

█████████████████████████████████? ███ to █████! ████████████████████████ a ███████████████████████ and ██████████████████████████████████████ on ███████████████████████████████████. █████████████████████████ on ████ to ██████ and ████ at the ███████████████████ that ███████████████████████ to █████████████████.

In █████████, we ███████████████ the █████████████████████████████ to ███████████████████████████████████████████████ of ████████████. ██████████████████████ of the ███████████████████████████████, we █████████████ the ███████████████████████████ the ████████████████.

Marc Newlin
Marc is a wireless security researcher at Bastille, where he discovered the MouseJack and KeySniffer vulnerabilities affecting wireless mice and keyboards. A glutton for challenging side projects, Marc competed solo in two DARPA challenges, placing third in the DARPA Shredder Challenge, and second in the first tournament of the DARPA Spectrum Challenge.

Logan Lamb
Logan joined Bastille Networks in 2014 as a security researcher focusing on applications of SDR to IoT. Prior to joining Bastille Networks, he was a member of CSIR at Oak Ridge National Lab where his focus was on symbolic analysis of binaries and red-teaming critical infrastructure.
Chris Grayson
Christopher Grayson (OSCE) is the founder and principal engineer at Web Sight.IO. In this role he handles all operations, development, and research efforts. Christopher is an avid computing enthusiast hailing from Atlanta, Georgia. Having made a habit of pulling things apart in childhood, Chris has found his professional home in information security. Prior to founding Web Sight.IO, Chris was a senior penetration tester at the security consultancy Bishop Fox, and a research scientist at the Georgia Institute of Technology. During his tenure at these organizations, Chris became a specialist in network penetration testing and in the application of academic tactics to the information security industry, both of which contributed to his current research focus of architecting and implementing high-security N-tier systems. Chris attended the Georgia Institute of Technology where he received a bachelor’s degree in computational media, a master’s degree in computer science, and where he organized and led the Grey H@t student hacking organization.

MS Just Gave the Blue Team Tactical Nukes (And How Red Teams Need To Adapt)

Windows Defender Advanced Threat Protection will soon be available for all Blue Teams to utilize within Windows 10 Enterprise, which includes detection of post breach tools, tactics and techniques commonly used by Red Teams, as well as behavior analytics. Combined with Microsoft Advanced Threat Analytics for user behavior analytics across the Domain, Red Teamers will soon face a significantly more challenging time maintaining stealth while performing internal recon, lateral movement, and privilege escalation in Windows 10/Active Directory environments.

This talk highlights challenges to red teams posed by Microsoft’s new tools based on common hacking tools/techniques, and covers techniques which can be used to bypass, disable, or avoid high severity alerts within Windows Defender ATP and Microsoft ATA, as well as TTP used against mature organizations that may have additional controls in place such as Event Log Forwarding and Sysmon.

Chris Thompson / @retBandit
Chris is Red Team Operations Lead at IBM X-Force Red. He has extensive experience performing penetration testing and red teaming for clients in a wide variety of industries. He’s led red teaming operations against defense contractors and some of North America’s largest banks.

He’s on the board for CREST USA (crest-approved.org), working to help mature the pentesting industry. Chris also teaches Network & Mobile Pentesting at one of Canada’s largest technical schools.

Hacking his way through life, Chris likes to pretend he’s a good drone pilot, lock picker, and mountain biker.

Vehicle Keyfob Reconnaissance & Attacks

In this talk I’ll share the exciting details on researching and creating attack tools to perform automated wireless keyfob reconnaissance and demonstrate wirelessly unlocking and starting cars. This will focus primarily on using low cost tools, investigating proprietary chips and protocols (with no datasheets available), and creating new tools to aid in research.

Samy
Samy Kamkar is a security researcher, best known for creating The MySpace Worm, one of the fastest spreading viruses of all time. He (attempts to) illustrate terrifying vulnerabilities with playfulness, and his exploits have been branded:

“Controversial”, -The Wall Street Journal
“Horrific”, -The New York Times
“Now I want to fill my USB ports up with cement”, -Gizmodo

He’s demonstrated usurping typical hardware for surreptitious means such as with KeySweeper, turning a standard USB wall charger into a covert, wireless keyboard sniffer, and SkyJack, a custom drone which takes over any other nearby drones allowing them to be controlled as a massive zombie swarm. He’s exposed issues around privacy, such as by developing the Evercookie which appeared in a top-secret NSA document revealed by Edward Snowden, exemplifying techniques used by governments and corporations for clandestine web tracking, and has discovered and released research around the illicit GPS and location tracking performed by Apple, Google and Microsoft mobile devices. He continues to produce new research and tools for the public as open source and open hardware.

Twitter: @samykamkar

Hacking Around ICS and Modbus

Using a simulated ICS/SCADA environment using a Modbus-based Python setup, the presentation will show different ways of interacting with that environment. This includes breaking apart the Modbus protocol, how programmable logic controllers are setup with respect to the Modbus protocol and how to use Metasploit to manipulate the environment.

Ric Messier
Ric Messier, GCIH, GSEC, CEH, CISSP, has spent decades in the fields of information security and information technology. He is currently the Director of Cyber Academic Programs at Circadence, a leader in innovative cybersecurity training platforms. He has spent previous lifetimes running security engineering teams at a global Internet service provider, created and managed graduate and undergraduate degree programs at a small school in New England, done security consulting for large and medium sized Fortune 500 companies and a variety of other jobs over the years. He has written several books on information security and digital forensics, as well as authored dozens of video training titles for O’Reilly Media and VTC.

Agile Security in WordPress Deployments

WordPress currently runs a large part of the internet ecosystem. Most companies use it in some shape or form of its web presence as a company blog, website, forum etc. The bad guys have kept pace with the development of the core product and have constantly demonstrated new ways of identifying vulnerabilities on the platform, exploiting weaknesses and using the exploited infrastructure for fun and profit.

With more and more companies moving towards agile technologies and a DevOps culture it has been a challenge for the security teams to keep pace with the constant changes in their infrastructure. It has been difficult for the security teams to review each line of code and perform penetration test for every new feature that makes it to production. The talk discusses ways of managing the pace of software development changes for security teams and following an agile strategy to allow them to stay ahead of vulnerabilities/bugs in daily changes of production code and build better detection on their WordPress infrastructure.

We have been witnessing more of the web infrastructure moving towards API driven capabilities and same has been the story for WordPress providing leverage for attackers to use automated techniques.

The talk focuses on securing programmatic access to WordPress APIs, understanding its weaknesses and how attackers have been exploiting it with the help of major botnet networks. We would deep dive for learning about the techniques attackers/botnets have been using to do initial recon followed by exploitation on WordPress sites. This talk would share trends of how the attack space has looked in the last few years and has been changing with time for WordPress. As part of the learning experience security teams would learn simple strategies to reduce the exposure of their WordPress infrastructure to such attacks and stay a step ahead of the bad guys.

Aditya Balapure
Aditya Balapure is a Senior Application Security Engineer at Grubhub Inc, former Application Security Engineer at Amazon. A builder, breaker and defender at heart Aditya likes to evangelize Product Security. With multiple years of experience in all forms of Information Security, some of his core interests are in the field of Application, Cloud Security and Malware Research.

Dynamic whitelisting and security policy automation – pipe-dream or not?

Many cybersecurity experts have said for years that we need to do better whitelisting, and that relying on blacklisting and anomaly detection is not good enough anymore. Unfortunately, organizations often cannot technically implement the comprehensive security policies they want to (or should want to). This is because there are too many overlapping technical configs in too many places, and everything keeps changing dynamically. This is particularly hard for large, interconnected “IT landscapes” like IoT. We need better security policy automation tools that allow us to write policies in generic, simple terms, and automatically implement them, and update them if the IT landscape changes. This is of course easier said than done. In this talk we will present (and run a demo) of security policy automation we are developing as part of a current government R&D subcontract (across an interconnected medical device landscape and across an interconnected intelligent transport system). It allows to author generic policies, ingests numerous data sources, tests policies, generates technical policy configurations, and monitor. The presentation will explain technical approaches, benefits and challenges.

Ulrich Lang (@objectsecurity)
Ulrich received his Ph.D. from the University of Cambridge Computer Laboratory (Security Group) on access policies for middleware in 2003, after having completed a Master’s Degree (M. Sc.) in Information Security from Royal Holloway College (London) in 1997. Ulrich is a renowned thought leader in access control policy, model-driven security, and Cloud/SOA/middleware security. He is on the Board of Directors of the Cloud Security Alliance (Silicon Valley Chapter). He is also responsible for the business and technical strategy, architecture and direction of ObjectSecurity and the OpenPMF product. He has published over 150 papers/presentations, and has previously worked as a proposal evaluator, project evaluator, conference program committee, panel moderator, consultant, book author.

No one left behind : Security Defense through Gamification including CTFs

For an outsider, the world of cybersecurity and hacking can be complex and mystifying. People are intrigued and terrified by the “400 lb hacker.” With phishing and other forms of social engineering still being one of the most common root cause of breach, there is a need to empower a company’s employees, especially the non-technical ones, to be able to defend and not fall prey to such attacks. Similarly, the increase in the amount of code being written along with the shortage of cybersecurity professionals calls for a need to train software developers in Security. Traditional methods of awareness including lectures, videos etc. have been ineffective in achieving this adequately. I claim this based on reports by organizations such as Experian, Ponemon etc. and the extensive internal research done at my current company. I present a novel system for cybersecurity training and awareness : Security Gamification including CTF ( Capture The Flags). The training emphasizes on a ‘no one left behind’ principle in which all the employees at a company get trained in CyberSecurity defense.

CTFs are online cybersecurity competitions that involve practical hands on training through Security puzzle solving. They are mostly played by current or aspiring Security professionals and have proven to be one of the best ways to learn about Security and defense. My training method is novel in that this is the first publicly released use of CTFs and Security puzzles to train developers and non-technical people. CTFs rely on the interactive ‘learning by doing’ methodology which has proven to be more successful than the one-way incoming lecture style. We use this methodology to gamify the Security training for technical as well as nontechnical employees by varying the scopes and level of challenges. The idea is to help the participants learn how to defend by making them break or hack things in a controlled environment. It helps the participants defend better by getting into the attacker mindset, thereby de-mystifying the hacking world. Additionally, the healthy competition amongst employees, the fun puzzle based format and the chance to work in teams all provides exceptional learning opportunities.

In my presentation, I will also delve into the key take-aways for people interested in building a similar system at their respective companies. This detailed interaction will contain discussions about the reconnaissance of Security awareness at a company needed as step one of building this system. Then, it will go on to demo some example challenges for both developers as well as non-technical employees. I also plan to include a brief section about how to present it such that the employees and leadership are excited about it rather than seeing it as a burden.

One of the many appealing things about this system is its ability to effectively track and quantifiably measure the increase in Security awareness and defense capabilities over time. Starting from the reconnaissance phase, all the way to successfully completing the implementation and even after that, the system provides functionality of number of challenges solved, time taken, number of attempts etc. for each employee which can also be combined per team, per department or the whole company etc.

Kashish Mittal
Kashish Mittal is a Security Researcher & Engineer. He has worked for companies such as Duo Security, Bank of America, Deutsche Bank etc. By choice, he is an ethical hacker and an addicted CTF player. He is a member of PPP (CMU’s elite CTF group). He also spent several years doing Security Research at CyLab, Pittsburgh. He has a BS and a MS from Carnegie Mellon University with a focus on Security. He is passionate about delivering Security awareness and education for employees, college students and high schoolers etc.

Dig Deep into FlexiSpy for Android

FlexiSpy for Android is a spy app with full IM tracking, VoIP call recording and live call interception. It also can spy on messages, GPS, multimedia, Internet, applications, etc. In short, FlexiSpy can take total control of an Android mobile phone or tablet and spy on all its communications and activities from any computer with a web browser.
At the end of April 2017, Flexidie released the source code and binaries of the FlexiSpy Android spy app. I have been reviewing the leaked data and have finished the deep analysis of the app around the middle of May.

Kai Lu
Kai Lu(@k3vinlusec), security researcher from Fortinet’s FortiGuard Labs, works in HQ of Fortinet at Sunnyvale, CA, US. I’m interested in vulnerability founding and have found more than 30 vulnerabilities of products from Microsoft, Google, Adobe, Apple, as well as vulnerability analysis and android security including malware analysis and vulnerability research.

Cracking DES: The end of Kerberos DES and NETLM/NTLMv1

Have you ever tried to crack a password that was just too difficult to crack? This talk will focus on some new techniques for cracking passwords that work 100% of the time. In 2012 I released an FPGA-based DES cracking service with Moxie Marlinspike for cracking MSCHAPv2 and quickly started seeing it being used for cracking other things besides MSCHAPv2. In this presentation we’ll take a look at some of the research we’ve done into other widely used protocols and services that still rely on DES for security and provide an quick intro into the https://crack.sh API so you too can use this service for your own projects.

Specifically, we will demonstrate tools for doing exhaustive brute-force cracking of MSCHAPv2 (PPTP VPNs, WPA-Enterprise), DES crypt() hashes, Kerberos5, and release a free real-time service for cracking MSCHAPv1 (Windows Lanman and NTLMv1 authentication) in a matter of seconds.

David Hulton
David Hulton organizes the ToorCon suite of conferences and has spent nearly 20 years doing security research mostly focused on reverse engineering and cracking crypto. He’s mostly known for developing the bsd-airtools wireless attack tools in the early 2000’s, developing and presenting the first practical attack on GSM A5/1 in 2008, and releasing a DES cracking service and tools to perform a full break of MSCHAPv2 authentication in 2012.

My dog is a hacker and will steal your data!

This presentation is about a creative approach to intrusion tests, as the popular saying would say: “–The dog is man’s best friend” (he makes you feel good and secure).

Let’s explore the vulnerability of layer eight, the human being, subject to error and the social engineering techniques; This is an innovative method, with art and style, will be simpler than it sounds; The dog will be used as an attack tool, which will carry a mobile phone hidden along with its pectoral collar.

The attack vectors are triggered automatically without any human interaction. This may include geographically close attacks, such as fake Wi-Fi access points, cellular base stations or local user attacks on a network, we can exploit DNS hijacking, packet injection, Evil-Twin, rogue router or ISP, and many other variants.

Furthermore, the target will connect to your rogue wifi access point and the rules are enabled with the DHCP configurations to allow fake AP to allocate IP address to the clients and forward traffic to a fake/malicious web-site; Then, the information can be stored easily as well the injection of malicious file to remotely control the victim.
And it’s done. You can drop your hacker dog in a park and expect him to hack people for you, quietly, that’s perfect!

Rafael Fontes Souza
Rafael Fontes Souza aka b4ckd00r is a Senior Information Security Consultant at CIPHER. He is a core member of Cipher Intelligence Labs – the advanced security team focused on penetration testing, application security and computer forensics for premier clients. He started studying at age 13 and since then has disclosed security vulnerabilities and has received recognition and awards from major companies such as Apple, Microsoft, ESET, HP and others. Being done hundreds of successful penetration tests for various organizations, including government, banking, commercial sectors, as well the payment card industry.

Gaining control of the sky: an in-depth drone security talk

Do you like binary analysis? Do you like gaining control of drones flying in the sky? Then this talk is for you. It covers consumer grade drones and their security flaws.

Ryan Satterfield
Ryan Satterfield hacks the world and has a passion for drones, internet of things, web applications, and anything else that uses code.

Drone security is of the utmost importance, since everyone from your next door neighbor to law enforcement in various parts of the world are or have utilized consumer grade drones.

Serial Flash Chips: The Little Elephants in the Lab

Serial flash chips are found in (almost) all embedded devices however they usually have little to no security protection enabled, thus exposing them to eavesdropping and tampering attacks. These chips contain critical data that can be leveraged during vulnerability research such as device firmware and bootloader images, certificates, and configurations.

In this talk I will introduce the most common types of serial flash, and then walk through some practical security assessment techniques while sharing use cases from my prior engagements. I will discuss various hardware and software tools including a new tool I created called sniffROM.

Alain Iamburg
Alain is a security researcher and computer engineer with a particular interest in embedded devices. He enjoys exploring systems, discovering vulnerabilities, and sharing knowledge.

The state of Security in the Medical Industry

Bringing awareness to the pain felt in the healthcare industry from a security standpoint, what attackers are targeting, and how the industry needs to steer itself to prevent further patient risk and mishandling of data.

I’ll be covering a brief background on HIPAA, how it has set the stage for a series of failures, what those failures are, and things individuals and the medical industry can do to protect themselves.

Billy / Cannibal
@cannibal has spent 10 years working in the medical device industry. While spending the majority of the time handling defensive security, he recently switched to the attack side after joining the Phobos Group in 2016. The handle “cannibal” comes from disassembling electronics and “cannibalizing” their components for other uses, so please feel free to approach with questions he’s pretty harmless.

WinReg MiTM: Simple Injection and Remote Fileless Payload Execution

This talk presents an analysis of security shortfalls in the implementation of the Remote Registry protocol by the latest Windows operating systems (such as Windows 10). The analysis shows how these weaknesses can be used by an attacker applying a man in the middle technique to write arbitrary data to the victim’s Windows registry, and consequently execute code remotely. The article also describes a tool capable of intercepting the Windows Registry protocol packets and modifying them.

The insertion of these values is not trivial, since the modification of the length of a field in a certain packet layer causes inconsistency in the control fields of the lower layers (such as lengths or checksums). Additionally, the following sequence number of a packet in a session is based on the length of the packet, causing the connection to break. The tool automatically recalculates all control fields for the TCP / IP / SMB2 / RPC layers of the different protocol packets, and applies an algorithm for correcting the sequence numbers of all packets so that, once a value has been entered by an attacker, the connection will not break. This tool is the only public application capable of performing a man in the middle attack on the Remote Windows Registry protocol.

Santiago Hernandez
Santiago Hernández is a cybersecurity researcher at 11Paths/Telefonica, Spain. He holds a degree in computer engineering and a master’s degree in information and telecommunications security. Its main field of activity is the study and discovery of new cybersecurity threats, as well as innovation in security products. Its main fields of interest are “low-level” security disciplines, such as reverse engineering or in-depth operating system security, along with the developing of new security tools. Some previous works includes, static analysis tools or study and implementation of new fuzzing approaches.

Financial Crime: The Past, The Present and The Future

This talk starts with the beginnings of my own career in a dicey investment brokerage and discusses some old school boiler room practices before moving on to insider trading, cryptocurrencies, dark markets and the growing prevalence of hackers in the murky world of investment fraud. I’ll be covering:

-The scammers I worked for, what they sold and how they fooled us all
-Insider trading and false rumour spreading
-Amaranth, Galleon Group and Jonathan LeBed
-Cryptocurrency and online trading
-Fin4, The Macau 3 and The Wall Street/Kiev coalition
-The darknet exchanges for inside information
-Employee bribery and shopping lists of secrets
-What the hell are we supposed to do now?

Marcelo Mansur
After a few months as a headhunter I chose to focus purely on infosec due to my love for the community and all things hacker related. I now run a security recruitment, consulting and contracting company – but before all of this began I was a stockbroker. My initial involvement in the financial sector is where my interest in the topic of this talk began and I’ve kept my finger on the pulse of this subject throughout my career. I enjoy dark comedy, bad puns and conversations about hacking. I enjoy them more if absorbed with a few beers and a steak.

Practical Threat Modeling

Managing infrastructure for a company, a utility, a carrier and a press outlet or a startup all come with wildly different types of risk. Being able to clearly identify threats to a specific organization or technology is a key skill if you are defending it, as well as attacking it. Being able to translate the technical jargon one comes across to stakeholders is also key. Deciding on what security posture to take, where to spend budgetary dollars and what defensive technologies need to be bolstered are decisions that all hinge from practical, basic threat modeling.

In the recent news we’ve seen a variety of colorful headlines. Everything from “uninstall signal” to “anyone can read your whatsapp messages”, followed by “the nsa can hack every cisco device” and even “the cia can hack your TV to spy on you”. Following that, the shadowbrokers release of the NSA tools, massive worldwide infection campaigns, multiple reported wikileaks pages detailing additional CIA malware, and then the worlds most virulent ransomware campaign riding on the back of leaked NSA tools. It’s quite a lot to take in, so I’ll be explaining how to approach these topics without losing ones mind.

Dan Tentler
Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. Previously a co-founder and CTO of Carbon Dynamics, and a security freelancer under the Aten Labs moniker, Dan has found himself in a wide array of different environments, ranging from blue team, to red team, to purple team, to “evil hacker for a camera crew”. Dan is an accomplished public speaker, having spoken at security conferences such as BlackHat, DEF CON, Bsides San Francisco, Hack in the Box, 44con and many more. Dan routinely interacts with the media as a subject matter expert for security stories, and has been in several documentaries as a security expert. Dan enjoys FPV racing and crashing drones in new and interesting ways.

Detecting security issues as fast as you making them

It is widely accepted that security mistakes are quicker and cheaper to fix the sooner they are identified after being introduced. With that as a guiding principle, DevSkim was developed to help identify certain insecure patterns as the developer is writing code within their IDE. Currently integrating with Visual Studio, Visual Studio Code, and Sublime, DevSkim is an open sourced extension that flags insecure patterns inline in the IDE, provides security guidance to explain the issue, and offers automatic fixes. DevSkim supports multiple programming and scripting languages, and its rules syntax makes adding a new rule for any language straightforward. The most effective security processes use layers of validation to identify and address security mistakes – DevSkim aims to be the first layer in that approach, complementing rather than replacing more time intensive build time Static Analysis, or post-build Dynamic Analysis.

Pavel Bansky
I was not accepted into the soccer team at the age of seven, so I start spending more time with the Sinclair ZX Spectrum+ and learned programming. I never played nor watched soccer from that point on.
Today I work as a security engineer at Microsoft Trustworthy Computing.