29:56 DEF CON English 2016

Auditing 6LoWPAN networks: Using Standard Penetration Testing Tools

The Internet of Things is expected to be involved in the near future in all major aspects of our modern society. On that front, we argue that 6LoWPAN is a protocol that will be a dominant player as it is the only IoT-capable protocol that brings a full IP stack to the smallest devices. As evidence of this, we can highlight the fact that even the latest ZigBee Smart Energy standard is based on ZigBee IP, which itself relies on 6LoWPAN, a competitor of the initial ZigBee protocol. Efficient IP-based penetration testing tools have been available to security auditors for years now. However, it is not that easy to use them in the context of a 6LoWPAN network since you need to be able to join it first. In fact, the difficult part is to associate with the underlying IEEE 802.15.4 infrastructure. Indeed, this standard has already gone through two revisions since its release in 2003 and it offers several possibilities regarding network topology, data transfer model and security suite. Unfortunately, there is no off-the-shelf component that provides such a wide range of capabilities out of the box. Worse still, some of them deviate from the standard and can only communicate with components from the same manufacturer. In this paper, we present the ARSEN project: Advanced Routing for 6LoWPAN and Ethernet Networks. It provides security auditors with two new tools. First, a radio scanner capable of identifying IEEE 802.15.4 infrastructures and, for each one of them, their specificities, including several deviations from the standard that we encountered in actual security audits. Second, a border router capable of routing IPv6 datagrams between Ethernet and 6LoWPAN networks while adapting to the specificities identified by the scanner. As a result, the combination of both effectively allows security auditors to use available IP-based penetration testing tools on different 6LoWPAN networks.
Bio: Jonathan-Christofer Demay, PhD is the current penetration testing team leader at AIRBUS Defence and Space. As a former academic researcher, he has been working on IDS bypassing, intrusion detection and general network security. Now a consultant for various key industries and government bodies, he is working on incident response, penetration testing and social engineering. Adam Reziouk is an electronics and automation engineer currently working on wireless communications and industrial network security at AIRBUS Defence and Space. He holds a master's degree in electrical and electronic engineering and has been conducting vulnerability research activities on programmable logic controllers, connected devices and smart grids. Arnaud Lebrun is a command and control engineer currently working at AIRBUS Defence and Space. He is focusing on security issues for several projects in the aerospace industry and related areas such as radioactive waste disposal facilities or large telescopes. He also supports the penetration testing team for perimeters that include ICS infrastructures or embedded electronics.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
45:18 DEF CON English 2016

Mouse Jiggler: Offense and Defense

A group of highly-armed individuals has just stormed into your office. They are looking to pull data from your computers, which are protected with full disk encryption. To keep your screen saver lock from activating, they will likely immediately insert a mouse jiggler. This talk will present ways of detecting and defending against such assaults on your system by mouse jiggler wielding individuals. It will also show you how to build your own simple mouse jiggler. Nothing beyond basic Linux usage is required to understand this talk. Attendees will leave with several ways to defend against mouse jigglers and the knowledge of how to create their own mouse jigglers.
Bio: Phil was born at an early age. He cleaned out his savings as a boy in order to buy a TI99-4A computer for the sum of 450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since. Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil's book "Hacking and Penetration Testing With Low Power Devices" (Syngress, 2015). Phil has also published books on Linux Forensics (Pentester Academy, 2015), USB Forensics (Pentester Academy, 2016), and Windows Forensics (Pentester Academy, 2016). Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics (find his Daddy and Daughter Electronics show on YouTube), and has been known to build airplanes.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
1:20:02 DEF CON English 2016

Closing Ceremonies

Closing Ceremonies of DEF CON 24
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
28:21 DEF CON English 2018

BLUE TEAM VILLAGE - Automating DFIR: The Counter Future

Automation has been at the forefront of almost every tool or talk in recent years. The DFIR industry has been moving rapidly towards automating everything! With some great work being done in the area of integrating workflows and various toolsets to make things easier for analysts, automation has really taken off. While that sounds like a worthwhile solution to help SOC analysts weed out the run-of-the-mill adware/PUPs or phishing expeditions, can we really automate a response to a more sophisticated or targeted attack on our company's crown jewels? The current argument being made is that, rather than building in-house Incident Response teams, we should use automation to substitute for analysts and use third party retainers for skilled analysis. Large investments in automation technologies, rather than resource development, reflect this strategy. What does this mean for career progression for budding DFIR analysts? With security engineering taking the forefront, is analysis as a career in DFIR a dying star? Is automation moving us towards click forensics rather than intelligent analysis? I'd like to challenge groupthink, and debate where automation will lead the industry trends. Additionally, I will share some of my experiences in the changing face of DFIR.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
18:31 DEF CON English 2018

Hacking the Brain: Customize Evil Protocol to Pwn an SDN Controller

Software-Defined Networking (SDN) is now widely deployed in production environments with an ever-growing community. Though SDN's software-based architecture enables network programmability, it also introduces dangerous code vulnerabilities into SDN controllers. However, the decoupled SDN control plane and data plane only communicate with each other through pre-defined protocol interactions, which largely increases the difficulty of exploiting such security weaknesses from the data plane. In this talk, we extend the attack surface and introduce Custom Attack, a novel attack against SDN controllers that leverages legitimate SDN protocol messages (i.e., the custom protocol field) to facilitate Java code vulnerability exploitation. Our research shows that it is possible for a weak adversary to execute arbitrary commands or manipulate data in the SDN controller without access to the SDN controller or any of its applications, controlling only a host or a switch. To the best of our knowledge, Custom Attack is the first attack that can remotely compromise the SDN software stack to simultaneously cause multiple kinds of attack effects in SDN controllers. So far we have tested the 5 most popular SDN controllers and their applications and found all of them vulnerable to Custom Attack to some degree. 14 serious vulnerabilities were discovered, all of which can be exploited remotely to launch advanced attacks against controllers (e.g., executing arbitrary commands, exfiltrating confidential files, crashing the SDN service, etc.). This presentation will include: an overview of SDN security research and practices; a new attack methodology for SDN that is capable of compromising the entire network; our research process leading to these discoveries, including technical specifics of the exploits; and showcases of interesting Custom Attack chains in real-world SDN projects.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
23:40 DEF CON English 2018

CAR HACKING VILLAGE - CAN Signal Extraction from OpenXC with Radare2

OpenXC builds its firmware, for both the open and proprietary builds, using JSON data structures which define the CAN signals. These definitions are akin to CAN database (.dbc) files. Reverse engineering of the open OpenXC builds (as an educational exercise) reveals that it is a straightforward matter to identify and extract the CAN signal definitions from the binary. Attendees will learn: What are dbc files? How do strings lead reverse engineers to interesting code via backwards cross-references? What tools do attackers use to reverse engineer raw binary firmwares, and how do they use them? What are some simple, useful deterrents? How do descriptive data structures, JSON in particular, aid attackers in their reverse engineering efforts? What mitigations are possible for this risk? The exposition of machine code in the talk will be via the free radare2 RE tool.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
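The signal definitions and the .dbc files the abstract refers to, as an added example that is not OpenXC's code: the JSON below is a constructed, OpenXC-like definition (the `bit_position`, `bit_size`, `factor` and `offset` field names loosely follow OpenXC's format, the `byte_order` key is an assumption made here, and the values are made up). The Python decodes signals from a raw CAN payload in both DBC byte orders and emits the equivalent DBC `BO_`/`SG_` lines, which is what a reverse engineer reconstructs once the definitions have been carved out of the firmware.

```python
"""Decode CAN signals from OpenXC-style JSON definitions and emit the equivalent DBC.

Added example. The JSON is constructed and only loosely follows OpenXC's field names;
the "byte_order" key is an assumption made here, not an OpenXC field.
"""
import json
from dataclasses import dataclass

SIGNAL_JSON = """
{
  "messages": {
    "0x128": {
      "name": "PowertrainStatus",
      "length": 8,
      "signals": {
        "EngineSpeed": {"bit_position": 7, "bit_size": 16, "factor": 0.25,
                        "offset": 0, "byte_order": "motorola", "unit": "rpm"},
        "SteeringWheelAngle": {"bit_position": 16, "bit_size": 12, "factor": 0.25,
                               "offset": -500, "byte_order": "intel", "unit": "deg"}
      }
    }
  }
}
"""


@dataclass(frozen=True)
class Signal:
    name: str
    start_bit: int       # DBC start bit: LSB for Intel (@1), MSB for Motorola (@0)
    size: int
    factor: float
    offset: float
    little_endian: bool
    signed: bool = False
    unit: str = ""


def load_signals(text: str) -> dict:
    """Return {can_id: (message_name, dlc, [Signal, ...])} from the JSON text."""
    messages = {}
    for can_id, msg in json.loads(text)["messages"].items():
        sigs = [Signal(name, s["bit_position"], s["bit_size"], s.get("factor", 1),
                       s.get("offset", 0), s.get("byte_order", "motorola") == "intel",
                       s.get("signed", False), s.get("unit", ""))
                for name, s in msg["signals"].items()]
        messages[int(can_id, 16)] = (msg["name"], msg.get("length", 8), sigs)
    return messages


def raw_value(data: bytes, sig: Signal) -> int:
    """Extract the unscaled signal bits from a CAN payload in either byte order."""
    mask = (1 << sig.size) - 1
    if sig.little_endian:
        raw = (int.from_bytes(data, "little") >> sig.start_bit) & mask
    else:
        # DBC's Motorola start bit names the MSB in per-byte numbering (bit 7 = MSB of
        # byte 0); convert it to an index into the frame read as one big-endian integer.
        msb = (sig.start_bit // 8) * 8 + (7 - sig.start_bit % 8)
        raw = (int.from_bytes(data, "big") >> (len(data) * 8 - msb - sig.size)) & mask
    if sig.signed and raw & (1 << (sig.size - 1)):
        raw -= 1 << sig.size  # two's complement
    return raw


def decode(data: bytes, sig: Signal) -> float:
    return raw_value(data, sig) * sig.factor + sig.offset


def decode_frame(data: bytes, can_id: int, messages: dict) -> dict:
    """Physical values of every signal defined for can_id."""
    _, _, sigs = messages[can_id]
    return {s.name: decode(data, s) for s in sigs}


def _num(x) -> str:
    return str(int(x)) if float(x).is_integer() else repr(float(x))


def to_dbc(messages: dict) -> str:
    """Emit BO_/SG_ lines in the DBC syntax most CAN tooling consumes."""
    lines = []
    for can_id, (name, dlc, sigs) in messages.items():
        lines.append(f"BO_ {can_id} {name}: {dlc} Vector__XXX")
        for s in sigs:
            lo = -(1 << (s.size - 1)) if s.signed else 0
            hi = (1 << (s.size - 1)) - 1 if s.signed else (1 << s.size) - 1
            lines.append(
                f" SG_ {s.name} : {s.start_bit}|{s.size}@{1 if s.little_endian else 0}"
                f"{'-' if s.signed else '+'} ({_num(s.factor)},{_num(s.offset)})"
                f" [{_num(lo * s.factor + s.offset)}|{_num(hi * s.factor + s.offset)}]"
                f' "{s.unit}" Vector__XXX')
        lines.append("")
    return "\n".join(lines)


# Constructed payload for CAN ID 0x128: EngineSpeed raw 0x1F40, SteeringWheelAngle raw 0x345.
SAMPLE_FRAME = bytes.fromhex("1f40450300000000")
```

Running `decode_frame(SAMPLE_FRAME, 0x128, load_signals(SIGNAL_JSON))` gives 2000.0 rpm and -290.75 degrees; the Motorola branch is the one most home-grown decoders get wrong, so a known frame with a known answer is worth keeping next to any carved definitions.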
32:39 DEF CON English 2018

CAAD VILLAGE - GeekPwn - The Uprising Geekpwn AI/Robotics Cybersecurity Contest U.S. 2018 - Practical adversarial attacks against challenging models environments

Moustafa Alzantot is a Ph.D. Candidate in Computer Science at UCLA. His research interests include machine learning, privacy, and mobile computing. He is an inventor of two US patents and the recipient of several awards including the COMESA 2014 innovation award. He worked as an intern at Google, Facebook, and Qualcomm. Yash Sharma is a visiting scientist at Cornell who recently graduated with a bachelor's and master's in Electrical Engineering. His research has focused on adversarial examples, namely pushing the state-of-the-art in attacks in both limited access settings and challenging domains. He is interested in finding more principled solutions for resolving the robustness problem, as well as studying other practical issues which are inhibiting us from achieving AGI.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
18:03 DEF CON English 2018

Man-In-The-Disk

Most modern OSes use sandboxing in order to prevent malicious apps from affecting other apps or even harming the OS itself. Google is constantly reinforcing Android's sandbox protection, introducing new features to prevent any kind of sandbox bypass. In this talk we want to shed new light on a less known attack surface which affects all Android devices and allows an attacker to hijack the communication between privileged apps and the disk, bypassing Android's latest sandbox protection. The problem begins when privileged apps interact with files stored in exposed areas, and even worse, some of them unintentionally break the sandbox by insecurely appending such data into their confinements. Can you imagine someone executing code in the context of your keyboard, or installing an unwanted app without your consent? Well… it's hardly within the realm of imagination. The external storage and network based vulnerabilities we discovered can be leveraged by an attacker to corrupt data, steal sensitive information or even take control of your device.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
18:38 DEF CON English 2018

CAAD VILLAGE - GeekPwn - The Uprising Geekpwn AI/Robotics Cybersecurity Contest U.S. 2018 - Explanation: Alternative Path to Secure Deep Learning System

In this talk, the speaker will introduce the state-of-the-art techniques in both defense and attack. More specifically, he will summarize the most effective attack approaches and defense mechanisms. He will also share the approaches their team adopted for the competition. Wenbo Guo is a Ph.D. student in the College of Information Science and Technology at Pennsylvania State University. Currently, he is a research intern at the JD security research center in Silicon Valley. Before joining Penn State, he got his master's degree from Shanghai Jiao Tong University in 2017. His research mainly focuses on deep learning as well as its applications in program analysis and security. He has published several research papers in high-quality journals and conferences, such as KDD. Alejandro Cuevas, originally from Paraguay, graduated in May 2018 from The Pennsylvania State University with a B.S. in Security and Risk Analysis. As an undergraduate, Alejandro co-authored 2 papers in different areas within computer security. At Penn State, Alejandro has worked on analyzing the challenges in the reproduction of crowd-reported vulnerabilities and is currently involved in a project presenting a novel RNN for memory alias analysis. Furthermore, Alejandro has also extensively collaborated with EPFL, exploring the security challenges faced by the ICRC and helping in the deployment of an anonymous communication protocol with provable traffic-analysis resistance. Alejandro is currently applying to Ph.D. programs and hopes to start in the fall of 2019.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
21:41 DEF CON English 2018

PACKET HACKING VILLAGE - Normalizing Empire's Traffic to Evade Anomaly-based IDS

Perimeter defenses play an important role in computer security. However, when we look at the methods of APT groups, a single spear-phishing email is usually enough to gain a foothold on the network. Therefore, red teams mostly focus on "assume breach" type scenarios. In these scenarios, testers need to use a post-exploitation framework. Besides that, testers also need to hide the server-agent communication from NIDS (Network Intrusion Detection Systems). In this session, we will discuss the situation of one of the most famous post-exploitation tools, Empire, against payload-based anomaly detection systems. We will explain how to normalize Empire's traffic with the polymorphic blending attack (PBA) method. We will also cover our tool, "firstorder", which is designed to evade anomaly-based detection systems. firstorder takes a traffic capture file of the network, tries to identify the normal profile and configures Empire's listener accordingly.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
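To make the "normal profile" idea concrete, here is an added example that is not the firstorder tool's code: a simplified PAYL-style 1-gram model built from constructed browser requests standing in for a capture file, a scorer, a raw beacon with an encrypted-looking body next to a blended one that reuses the profile's paths, User-Agent and byte alphabet, and a helper that emits the `paths|User-Agent` string shape of Empire's DefaultProfile option. The requests, host names and the data blob are constructed; Empire's actual staging encryption and listener options are not reproduced.

```python
"""Simplified PAYL-style 1-gram payload model: profile normal requests, score new ones.

Added example (not the firstorder tool). All requests, hosts and the blob are constructed.
"""
from collections import Counter
from statistics import mean, pstdev

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"


def http_get(path: str, extra_headers=()) -> bytes:
    lines = [f"GET {path} HTTP/1.1", "Host: www.example.com", f"User-Agent: {UA}", *extra_headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Stand-in for the "normal" side of a capture file.
NORMAL_REQUESTS = [
    http_get("/", ["Accept: text/html", "Accept-Language: en-US", "Connection: keep-alive"]),
    http_get("/news/index.html", ["Accept: text/html", "Cookie: session=abc123; theme=light"]),
    http_get("/static/style.css", ["Accept: text/css", "Referer: http://www.example.com/"]),
    http_get("/images/logo.png", ["Accept: image/png", 'If-None-Match: "4f8e9b2d"']),
    http_get("/", ["Accept: text/html", "Connection: keep-alive"]),
    http_get("/news/index.html", ["Accept: text/html", "Cookie: session=abc123"]),
]


def byte_frequencies(payload: bytes) -> list:
    n = max(len(payload), 1)
    counts = Counter(payload)
    return [counts.get(b, 0) / n for b in range(256)]


class PayloadProfile:
    """Per-byte mean and std of the training payloads; score() is a simplified
    Mahalanobis distance, large when bytes appear that training never showed."""

    def __init__(self, samples, alpha: float = 0.001):
        freqs = [byte_frequencies(s) for s in samples]
        self.mean = [mean(f[b] for f in freqs) for b in range(256)]
        self.std = [pstdev(f[b] for f in freqs) for b in range(256)]
        self.alpha = alpha  # smoothing: a zero-variance byte must not divide by zero

    def score(self, payload: bytes) -> float:
        f = byte_frequencies(payload)
        return sum(abs(f[b] - self.mean[b]) / (self.std[b] + self.alpha) for b in range(256))


def listener_profile(samples, n_paths: int = 3) -> str:
    """Most common paths and User-Agent in the 'path1,path2|UA' shape of Empire's DefaultProfile."""
    paths, agents = Counter(), Counter()
    for req in samples:
        head = req.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        request_line = head[0].split(" ")
        if len(request_line) == 3:
            paths[request_line[1]] += 1
        for h in head[1:]:
            if h.lower().startswith("user-agent:"):
                agents[h.split(":", 1)[1].strip()] += 1
    ua = agents.most_common(1)[0][0] if agents else ""
    return ",".join(p for p, _ in paths.most_common(n_paths)) + "|" + ua


# Agent data to move: a deterministic, encrypted-looking blob spanning every byte value.
BLOB = bytes((i * 73 + 41) % 256 for i in range(384))

# Raw beacon: odd host, odd User-Agent, binary body. Every high byte is one the profile never saw.
RAW_BEACON = (b"POST /admin/get.php HTTP/1.1\r\nHost: 198.51.100.7\r\n"
              b"User-Agent: python-urllib/3.6\r\nContent-Length: %d\r\n\r\n" % len(BLOB) + BLOB)


def blended_beacon(chunk: bytes) -> bytes:
    """Polymorphic blending: carry a small chunk per request, hex-encoded (an alphabet the
    profile already contains), inside a request that copies the normal path and headers."""
    return http_get("/news/index.html",
                    [f"Cookie: session={chunk.hex()}", "Accept: text/html", "Connection: keep-alive"])
```

The cost of blending is visible in the numbers: the blended request moves 48 bytes where the raw one moves 384, because every extra hex character pushes the hex-digit frequencies further from the profile's mean. Spreading the data over more, slower requests is what keeps the per-payload score low, and a defender tuning a 1-gram model should expect exactly that trade.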
29:11 DEF CON English 2018

CRYPTO AND PRIVACY VILLAGE - No Way JOSE! Designing Cryptography Features for Mere Mortals

  • Published: 2018
  • Publisher: DEF CON
  • Language: English
20:06 DEF CON English 2018

WIRELESS VILLAGE - Exploring the 802.15.4 attack surface

Whilst 802.15.4 technologies such as Zigbee have been around for some time, our understanding of the threats and risks associated with them has been lacking. As new use cases evolve, so have the opportunities for attack and exploitation. The purpose of this talk is to provide a real world exploration of where I've been finding Zigbee devices with a purpose built war driving kit, some of the live collection I've done, as well as an exploration of risks and what can be done. By the end of this talk, audience members will have an appreciation for the cool technologies floating around their environments, an appreciation of the issues associated with the 802.15.4 protocol, and how to plan and prepare from a security standpoint.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
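As an added example that is not code from the ARSEN project or from either talk, the following Python parses the IEEE 802.15.4 MAC header the way a radio scanner must before it can join or bridge a network: frame version (2003/2006/2015), addressing modes, PAN ID compression and, for 2006 and later frames, the auxiliary security header that names the security suite. It serves both the ARSEN abstract earlier on this page (the "specificities" its scanner identifies) and this talk's survey of the 802.15.4 attack surface. The sample frames are constructed, the 2-byte FCS is assumed to have been stripped by the radio, and the 2015 revision's changed PAN ID presence rules are not implemented.

```python
"""Classify IEEE 802.15.4 MAC frames by frame version, addressing and security suite.

Added example; the sample frames are constructed and the 2-byte FCS is assumed stripped.
"""
import struct
from dataclasses import dataclass
from typing import Optional

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}
FRAME_VERSIONS = {0: "2003", 1: "2006", 2: "2015"}
ADDR_MODES = {0: "none", 2: "short", 3: "extended"}  # mode 1 is reserved
SECURITY_LEVELS = {0: "none", 1: "MIC-32", 2: "MIC-64", 3: "MIC-128",
                   4: "ENC", 5: "ENC-MIC-32", 6: "ENC-MIC-64", 7: "ENC-MIC-128"}
KEY_ID_LEN = {0: 0, 1: 1, 2: 5, 3: 9}  # key identifier field bytes per key id mode


@dataclass
class Frame:
    frame_type: str
    version: str
    dst_mode: str
    src_mode: str
    pan_id_compression: bool
    dst_pan: Optional[int] = None
    dst_addr: Optional[int] = None
    src_pan: Optional[int] = None
    src_addr: Optional[int] = None
    security_level: str = "none"
    key_id_mode: Optional[int] = None
    frame_counter: Optional[int] = None
    payload: bytes = b""


def _read_addr(buf: bytes, off: int, mode: int):
    if mode == 2:
        return struct.unpack_from("<H", buf, off)[0], off + 2
    if mode == 3:
        return struct.unpack_from("<Q", buf, off)[0], off + 8
    return None, off


def parse_frame(buf: bytes) -> Frame:
    """Parse the MAC header (2003/2006 field layout; all multi-byte fields little-endian)."""
    fcf = struct.unpack_from("<H", buf, 0)[0]
    ftype, secured, panc = fcf & 0x7, bool(fcf & 0x08), bool(fcf & 0x40)
    dmode, ver, smode = (fcf >> 10) & 3, (fcf >> 12) & 3, (fcf >> 14) & 3
    if dmode == 1 or smode == 1 or ver == 3:
        raise ValueError("reserved addressing mode or frame version")
    f = Frame(FRAME_TYPES[ftype], FRAME_VERSIONS[ver], ADDR_MODES[dmode], ADDR_MODES[smode], panc)
    off = 3  # frame control (2) + sequence number (1)
    if dmode:
        f.dst_pan = struct.unpack_from("<H", buf, off)[0]
        f.dst_addr, off = _read_addr(buf, off + 2, dmode)
    if smode:
        if panc:
            f.src_pan = f.dst_pan  # source PAN ID omitted: same PAN as destination
        else:
            f.src_pan = struct.unpack_from("<H", buf, off)[0]
            off += 2
        f.src_addr, off = _read_addr(buf, off, smode)
    if secured:
        if ver == 0:
            # 802.15.4-2003 frames carry no auxiliary security header; the suite came
            # from the ACL table, so a passive scanner can only flag legacy security.
            f.security_level = "2003-legacy"
        else:
            control = buf[off]
            f.security_level = SECURITY_LEVELS[control & 0x7]
            f.key_id_mode = (control >> 3) & 0x3
            f.frame_counter = struct.unpack_from("<I", buf, off + 1)[0]
            off += 5 + KEY_ID_LEN[f.key_id_mode]
    f.payload = buf[off:]  # MAC payload (plus MIC), still encrypted for levels >= 4
    return f


def profile(f: Frame) -> str:
    """One-line fingerprint of the conventions a frame reveals about its network."""
    addressing = f"{f.src_mode}->{f.dst_mode}" + (" pan-compressed" if f.pan_id_compression else "")
    return f"802.15.4-{f.version} {f.frame_type} {addressing} security={f.security_level}"


def scan(frames):
    """Group the profiles seen per PAN ID, the way a scanner summarises a capture."""
    seen = {}
    for raw in frames:
        f = parse_frame(raw)
        pan = f.src_pan if f.src_pan is not None else f.dst_pan
        seen.setdefault(pan, set()).add(profile(f))
    return seen


# Constructed frames on PAN 0x1234: a secured 2006 data frame and an unsecured 2003 beacon.
SAMPLE_DATA = bytes.fromhex("69982a34120100cdab0d1000000001deadbeefaabbccdd")
SAMPLE_BEACON = bytes.fromhex("00800134120000ffcf0000")
```

`scan([SAMPLE_DATA, SAMPLE_BEACON])` reports one PAN with two conventions in use: unsecured 2003-style beacons next to ENC-MIC-32 data frames with PAN ID compression. That mix (and stacks that put the security bit on a version-0 frame) is the kind of specificity a border router has to match before any IP-level tool will see a single packet.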
55:41 DEF CON English 2018

WIRELESS VILLAGE - Introduction to Railroad Telemetry

North American railroads use several wireless systems for remote control, monitoring, and tracking of locomotives, railcars, signals, and other equipment. This talk will provide an overview of the systems in use and an in-depth look at two of them. The end-of-train (EOT) device contributed to the demise of the caboose 35 years ago, taking over one of its primary functions: monitoring brake pipe pressure. The EOT transmits pressure, its unique ID, and other data, encoded into AFSK packets, to a corresponding head-of-train (HOT) device in the locomotive. A secondary function is venting the line in an emergency braking event, under command of the HOT. BCH error correction is employed for reliability, but there are inherent security flaws. An SDR/GNU Radio/Python workflow for decoding and verifying packets will be demonstrated. Attempts at automatically identifying passing railcars were largely unsuccessful until the introduction of the Automatic Equipment Identification (AEI) system in the early 90s. This 900 MHz RFID system consists of passive tags on each locomotive and car and wayside readers at rail yard entrances and other locations of interest. The author's day job in environmental noise consulting led to a study of the feasibility of using AEI for rail noise studies. It had to be reverse-engineered first, of course. Using a repurposed commercial reader, Raspberry Pi, and cellular modem, a remote monitoring system gathered tag data for 5 weeks. Details of the protocol and monitoring system will be presented, along with video demonstrations.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
09:58 DEF CON English 2018

VOTING VILLAGE - Mechanics and Pitfalls of Auditing with Scanners

  • Published: 2018
  • Publisher: DEF CON
  • Language: English
42:04 DEF CON English 2018

VOTING VILLAGE - Recap of Voting Village 2017 Lessons Learned

  • Published: 2018
  • Publisher: DEF CON
  • Language: English
20:39 DEF CON English 2018

WIRELESS VILLAGE - Attacking Gotenna Networks

This talk will focus on the privacy (or lack thereof) of gotenna networks. We will cover traditional attacks which were only available to state-sponsored actors prior to the popularization and wide availability of software defined radios. We will cover signal analysis, triangulation, protocol analysis, deanonymization, cryptanalysis, spoofing and selective jamming. Since the gotenna ecosystem also includes an app, we will cover the vulnerabilities in the underlying crypto libraries, weak token generation, broken API segregation as well as other vulnerabilities. You too can learn how to analyze, snoop on and exploit RF networks like a pro with a hackrf, laptop and some elbow grease, sweat and sleep deprivation.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
45:45 DEF CON English 2018

Defending the 2018 Midterm Elections from Foreign Adversaries

Election Buster is an open source tool created in 2014 to identify malicious domains masquerading as candidate webpages and voter registration systems. During 2016, fake domains were used to compromise credentials of a Democratic National Committee (DNC) IT services company, and foreign adversaries probed voter registration systems. The tool now cross-checks domain information against open source threat intelligence feeds, and uses a semi-autonomous scheme for identifying phundraising and false flag sites via ensembled data mining and deep learning techniques. We identified Russian nationals registering fake campaign sites, candidates deploying defensive—and offensive—measures against their opponents, and candidates unintentionally exposing sensitive PII to the public. This talk provides an analysis of our 2016 Presidential Election data, and all data recently collected during the 2018 midterm elections. The talk also details technological and procedural measures that government offices and campaigns can use to defend themselves.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
26:46 DEF CON English 2018

AI VILLAGE - Hunting the Ethereum Smart Contract: Color Inspired Inspection of Potential Attacks

Blockchain and cryptocurrencies are gaining unprecedented popularity and understanding. Meanwhile, Ethereum is gaining significant popularity in the blockchain community, mainly because it is designed in a way that enables developers to write decentralized applications (Dapps) and smart contracts. This new paradigm of applications opens the door to many possibilities and opportunities. However, the security of Ethereum smart contracts has not received much attention; several malfunctioning Ethereum smart contracts have recently been reported. Unlike many previous works that have applied static and dynamic analyses to find bugs in smart contracts, we do not attempt to define and extract any features; instead we focus on reducing the expert's labor costs. We first present a new in-depth analysis of potential attack methodologies and then translate the compiled Solidity bytecode into RGB color codes. After that, we transform them into a fixed-size encoded image. Finally, the encoded image is fed to a convolutional neural network (CNN) for automatic feature extraction and learning, detecting security flaws in Ethereum smart contracts.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
1:37:17 DEF CON English 2018

RECON VILLAGE - Building visualisation platforms for OSINT Data Using open source solutions

Reconnaissance is about gathering information. The information gathered is only as good as the insights and actionable decisions that we can gain from it. A lot of research is focused on finding OSINT data but little is done towards converting the data into insights and actionable decisions. Visualisation is an easy and efficient way to gain insights from any data gleaned. In this workshop, we will look at how we can gather OSINT data and visualise it using free and open source solutions. Visualising data is not enough; we'll also look at how we can use the metrics to answer business questions and lead to actionable decisions. We'll tackle the problem by breaking it into the following steps:
  • Gathering OSINT data
  • Storing the OSINT data
  • Processing and visualising the data
  • Gaining insights and making actionable decisions
Some specific use cases we'll look at during the workshop include:
  • Monitoring an organisation's SSL/TLS certificates, domains and subdomains in near real time
  • Creating dashboards using public datasets (scans.io) to gain insights into an organisation's external posture
  • Building monitoring and alerting solutions using OSINT data that will help us take business decisions
Participants will get:
  • A step-by-step Gitbook covering the entire training (html, pdf, epub, mobi)
  • Custom scripts, playbooks and tools used as part of the workshop
  • Scenarios that can be readily implemented for your use cases
  • References to the data used in the workshop
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
35:11 DEF CON English 2018

Fuzzing Malware For Fun & Profit. Applying Coverage-Guided Fuzzing to Find Bugs in Modern Malware

Practice shows that even the most secure software written by the best engineers contains bugs. Malware is no exception. In most cases its authors do not follow secure software development practices, which opens up an interesting attack scenario that can be used to stop or slow down malware spreading, defend against DDoS attacks and take control of C&Cs and botnets. Several previous research efforts have demonstrated that such bugs exist and can be exploited. To find those bugs it is reasonable to use coverage-guided fuzzing. This talk aims to answer the following two questions: can we defend against malware by exploiting bugs in it? How can we use fuzzing to find those bugs automatically? The author will show how coverage-guided fuzzing can be applied to automatically find bugs in sophisticated malicious samples such as the Mirai botnet, which was used to conduct one of the most destructive DDoS attacks in history, and various banking trojans. A new cross-platform tool implemented on top of WinAFL will be released and a set of 0day vulnerabilities will be presented. Do you want to see how a small addition to an HTTP response can stop a large-scale DDoS attack, or how a smart bit flip can cause RCE in a sophisticated banking trojan? If the answer is yes, this is definitely your talk.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
54:24 DEF CON English 2018

WIRELESS VILLAGE - Little Fluffy Pineapple Clouds

What happens when a Pineapple, a Turtle and a Squirrel get high...up in the clouds? It's been a solid year for Hak5 and we're excited to debut some epic new features! Like a centralized web console for all your networked Hak5 gear, WiFi Pineapple WPA Enterprise harvesting, credential capturing and pass-through, or LIVE reconnaissance and more! Join Sebastian Kinne and Darren Kitchen of Hak5, makers of famed pentesting tools, for a peek into what's right around the corner.
  • Published: 2018
  • Publisher: DEF CON
  • Language: English
58:37 DEF CON English 2018

WIRELESS VILLAGE - "It's not Wi-Fi": Reverse engineering and managing radio signals

  • Published: 2018
  • Publisher: DEF CON
  • Language: English
02:23 DEF CON English 2018

RECON VILLAGE - Closing Note

  • Published: 2018
  • Publisher: DEF CON
  • Language: English
25:56 DEF CON English 2016

Let's Get Physical: Network Attacks Against Physical Security Systems

With the rise of the Internet of Things, the line between the physical and the digital is growing ever more hazy. Devices that once only existed in the tangible world are now accessible by anyone with a network connection. Even physical security systems, a significant part of any large organization's overall security posture, are being given network interfaces to make management and access more convenient. But that convenience also significantly increases the risk of attack, and hacks that were once thought to only exist in movies, like opening a building's doors from a laptop or modifying a camera feed live, are now possible and even easy to pull off. In this talk, we will discuss this new attack surface and demonstrate various ways an attacker can circumvent and compromise devices such as door controllers, security cameras, and motion sensors over the network, as well as ways to protect yourself from such attacks. Bio: Ricky 'HeadlessZeke' Lawshae has spent the better part of the last decade voiding warranties and annoying vendors for both business and pleasure. He has spoken at several conferences including DEF CON, Ruxcon, Recon, and Insomnihack on a variety of topics involving network protocols and embedded devices. By day, he works as a mild-mannered security researcher for TippingPoint DVLabs. By night, he roams the streets in search of justice.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
43:21 DEF CON English 2016

Intro to Wichcraft Compiler Collection

With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former is that it does work. Having achieved universal code 'reuse' by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self-awareness. Finally, we'll see how abusing the dynamic linker internals elegantly solves a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it. The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real-life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sushi in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Witchcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24. Bio: Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft BitLocker, McAfee Endpoint and a fair number of BIOS firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, which the MIT Technology Review labeled "incurable and undetectable". This year will be his third DEF CON. Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating in the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade, including the first remote Windows 10 exploit and several hardcore reverse engineering tools and white papers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
50:55 DEF CON English 2016

Shellphish - Panel: Cyber Grand Shellphish

Last year, DARPA ran the qualifying event for the Cyber Grand Challenge to usher in the era of automated hacking. Shellphish, a rag-tag team of disorganized hackers mostly from UC Santa Barbara, decided to join the competition about ten minutes before the signups closed. Characteristically, we proceeded to put everything off until the last minute, and spent 3 sleepless weeks preparing our Cyber Reasoning System for the contest. Our efforts paid off and, as we talked about at last DEF CON, against all expectations, we qualified and became one of the 7 finalist teams. The finals of the CGC will be held the day before DEF CON. If we win, this talk will be about how we won, or, in the overwhelmingly likely scenario of something going horribly wrong, this talk will be about butterflies. In all seriousness, we've spent the last year working hard on building a really kickass Cyber Reasoning System, and there are tons of interesting aspects of it that we will talk about. Much of the process of building the CRS involved inventing new approaches to automated program analysis, exploitation, and patching. We'll talk about those, and try to convey how hackers new to the field can make their own innovations. Other aspects of the CRS involved extreme amounts of engineering effort to make sure that the system optimally used its computing power and was properly fault-tolerant. We'll talk about how automated hacking systems should be built to best handle this. Critically, our CRS needed to be able to adapt to the strategies of the systems fielded by the other competitors. We'll talk about the AI that we built to strategize throughout the game and decide what actions should be taken. At the end of this talk, you will know how to go about building your own autonomous hacking system! Or you might know a lot about butterflies. Bio: Shellphish is a mysterious hacking collective famous for being great partiers and questionable hackers. The secret identities of the Shellphish CGC team are those of researchers in the security lab of UC Santa Barbara. When they're not CTFing or surfing, they're doing hard-hitting security research. Their works have been published in numerous academic venues and featured in many conferences. In 2015, they unleashed angr, the next (current?) generation of binary analysis, and have been working hard on it ever since!
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
30:26 DEF CON English 2016

Use Their Machines Against Them: Loading Code with a Copier

We’ve all worked on ‘closed systems’ with little to no direct Internet access. And we’ve all struggled with the limitations those systems put on us in the form of available tools or software we want to use. I didn’t like struggling, so I came up with a method to load whatever I wanted on to a closed system without triggering any common security alerts. To do this I had to avoid accessing the Internet or using mag media. In the end all I needed was an office multi-function machine and Excel. It’s all any insider needs. For my presentation and demo, I’ll show you how I delivered a select group of PowerSploit tools to a clean, isolated machine. Of course, Excel has been known as a vector for macro viruses for quite some time, and some of the techniques—such as hex-encoding binary data and re-encoding it on a target machine—are known binary insertion vectors, but I have not found any prior work on an insider using these techniques to deliver payloads to closed systems. You’ll leave my presentation knowing why Excel, umm, excels as an insider attack tool, how to leverage Excel features to load and extract arbitrary binary data from a closed network, and what to do if this really frightens you. Bio: Mike has over 20 years of experience in the military. He has been part of everything from systems acquisition, to tactical intelligence collection, to staff work, to leading a unit dedicated to data loss prevention. He recently retired from active military service and is now working as a systems security engineer. This is Mike’s first security conference presentation and will also be the first public release of a tool he has written. Mike has previously published twice in 2600 magazine. Mike is super proud of his OSCP certification. He’s also a CISSP.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
51:36 DEF CON English 2016

Emulating all (well many) of the things with Ida

It is not uncommon that a software reverse engineer finds themselves desiring to execute a bit of code they are studying, either to better understand that code or to have that code perform some bit of useful work related to the reverse engineering task at hand. This generally requires access to an execution environment capable of supporting the machine code being studied, both at an architectural level (CPU type) and a packaging level (file container type). Unfortunately, this is not always a simple matter. The majority of analysts do not have a full complement of hosts available to support a wide variety of architectures, and virtualization opportunities for non-Intel platforms are limited. In this talk we will discuss a lightweight emulator framework for the IDA Pro disassembler that is based on the Unicorn emulation engine. The goal of the project is to provide an embedded multi-architectural emulation capability to complement IDA Pro’s multi-architectural disassembly capability, enhancing the versatility of one of the most common reverse engineering tools in use today. Bio: Chris Eagle is a registered hex offender. He has been taking software apart since he first learned to put it together over 35 years ago. His research interests include computer network operations, malware analysis and reverse/anti-reverse engineering techniques. He is the author of The IDA Pro Book and has published a number of well-known IDA plug-ins. He is also a co-author of Gray Hat Hacking. He has spoken at numerous conferences including Black Hat, DEF CON, Shmoocon, and ToorCon. Chris also organized and led the Sk3wl of r00t to two DEF CON Capture the Flag championships and produced that competition for four years as part of the DDTEK organization.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
37:58 DEF CON English 2016

Examining the Internet's pollution

Network telescopes are collections of unused but BGP-announced IP addresses. They collect the pollution of the Internet: scanning, misconfigurations, backscatter from DoS attacks, bugs, etc. For example, several historical studies used network telescopes to examine worm outbreaks. In this talk I will discuss phenomena that have recently induced many sources to send traffic to network telescopes. By examining this pollution we find a wealth of security-related data. Specifically, I’ll touch on scanning trends, DoS attacks that leverage open DNS resolvers to overwhelm authoritative name servers, BitTorrent index poisoning attacks (which targeted torrents with China in their name), a byte order bug in Qihoo 360 (while updating, this security software sent acknowledgements to wrong IP addresses… for 5 years), and the consequence of an error in Sality’s distributed hash table. Bio: Karyn recently defended her PhD in computer science. Prior to starting graduate school she wrote intrusion detection software for the US Army. When not looking at packets, Karb eats tacos, runs marathons, and collects state quarters.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
44:04 DEF CON English 2016

Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-Driving Vehicles

To improve road safety and driving experiences, autonomous vehicles have emerged recently; they can sense their surroundings and navigate without human input. Although they promise and deliver safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road. Unlike traditional network security, autonomous vehicles rely heavily on their ability to sense their surroundings to make driving decisions, which opens a new security risk. Thus, in this talk we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the 'eyes' of the cars. In this talk, we investigate sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultrasonic sensors, and forward-looking cameras. In particular, we present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using off-the-shelf hardware, we are able to perform jamming and spoofing attacks, which caused the Tesla's blindness and malfunction, all of which could potentially lead to crashes and greatly impair the safety of self-driving cars. To alleviate the issues, at the end of the talk we propose software and hardware countermeasures that will improve sensor resilience against these attacks. Jianhao Liu is the director of ADLAB at Qihoo 360. He specializes in the security of the Internet of Things and the Internet of Vehicles. He has reported a security vulnerability in the Tesla Model S, led security research on the remote control of a BYD car, and participated in the drafting of security standards within the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security service, security evaluation, and penetration testing. Chen Yan is a PhD student at Zhejiang University in the Ubiquitous System Security Laboratory.
His research focuses on the security and privacy of wireless communication and embedded systems, including automobiles, analog sensors, and IoT devices. Wenyuan Xu is a professor in the College of Electrical Engineering at Zhejiang University and an associate professor in the Department of Computer Science and Engineering at the University of South Carolina. She received her Ph.D. degree in Electrical and Computer Engineering from Rutgers University in 2007. Her research interests include wireless security, network security, and IoT security. She is among the first to discover vulnerabilities in tire pressure monitoring systems in modern automobiles and in automatic meter reading systems. Dr. Xu received the NSF CAREER Award in 2009. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security, and she is an associate editor of the EURASIP Journal on Information Security.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
44:34 DEF CON English 2016

Six Degrees of Domain Admin

Active Directory domain privilege escalation is a critical component of most penetration tests and red team assessments, but standard methodology dictates a manual and often tedious process – gather credentials, analyze new systems we now have admin rights on, pivot, and repeat until we reach our objective. Then — and only then — can we look back and see the path we took in its entirety. But that may not be the only, nor the shortest, path we could have taken. By combining our concept of derivative admin (the chaining or linking of administrative rights), existing tools, and graph theory, we can reveal the hidden and unintended relationships in Active Directory domains. Bob is an admin on Steve’s system, and Steve is an admin on Mary’s system; therefore, Bob is effectively (and perhaps unintentionally) an admin on Mary’s system. While existing tools such as Nmap, PowerView, CrackMapExec, and others can gather much of the information needed to find these paths, graph theory is the missing link that gives us the power to find hidden relationships in this offensive data. The application of graph theory to an Active Directory domain offers several advantages to attackers and defenders. Otherwise invisible, high-level organizational relationships are exposed. All possible escalation paths can be efficiently and swiftly identified. Simplified data aggregation accelerates blue and red team analysis. Graph theory has the power and the potential to dramatically change the way you think about and approach Active Directory domain security. Bio: Andy Robbins is the Offensive Network Services lead for Veris Group’s Adaptive Threat Division. He has performed penetration tests and red team assessments for a number of Fortune 500 commercial clients and major U.S. Government agencies.
In addition, Andy researched and presented at DerbyCon findings related to a business logic flaw in certain processes around handling ACH files, affecting thousands of banking institutions around the country. He has a passion for offensive development and red team tradecraft, and helps to develop and teach the ‘Adaptive Red Team Tactics’ course at Black Hat USA. Rohan Vazarkar is a penetration tester and red teamer for Veris Group’s Adaptive Threat Division, where he helps assess Fortune 500 companies and a variety of government agencies. Rohan has a passion for offensive development and tradecraft, contributing heavily to the EyeWitness and EmPyre projects. He has presented at BSides DC, and helps to develop and teach the ‘Adaptive Penetration Testing’ course at Black Hat USA. Will Schroeder is a security researcher and red teamer for Veris Group’s Adaptive Threat Division. He is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of the PowerShell post-exploitation agent Empire. He has presented at a number of security conferences on topics spanning AV evasion, post-exploitation, red team tradecraft, and offensive PowerShell.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
43:18 DEF CON English 2016

Direct Memory Attack the Kernel

Inexpensive universal DMA attacking is the new reality of today! In this talk I will explore and demonstrate how it is possible to take total control of operating system kernels by DMA code injection. Once control of the kernel has been gained I will execute code and dump gigabytes of memory in seconds. Full disk encryption will be defeated, authentication will be bypassed and shells will be spawned. This will all be made possible using a $100 piece of hardware together with the easy-to-use modular PCILeech toolkit, which will be published as open source after this talk. Bio: Ulf Frisk is a penetration tester working in the Swedish financial sector. Ulf focuses mainly on online banking security solutions, penetration testing and IT-security audits during the daytime and low-level coding during the nighttime. Ulf has been working professionally with security since 2011 and has a dark past as a developer.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
21:22 DEF CON English 2016

Cheap Tools for Hacking Heavy Trucks

There has been much buzz about car hacking, but what about the larger heavy-duty brother, the big rig? Heavy trucks are increasingly networked, connected and susceptible to attack. Networks inside trucks frequently use Internet connected devices even on safety-critical networks where access to brakes and engine control is possible. Unfortunately, tools for doing analysis on heavy trucks are expensive and proprietary. Six Volts and Haystack have put together a set of tools that include open hardware and software to make analyzing these beasts easier and more affordable. Bios: Six Volts is a "research mercenary" and has worked on High Performance Computing, embedded systems, vehicle networking and forensics, electronics prototyping and design, among other things. He's crashed cars for science, done digital forensics on a tangled mess of wires that used to be a semi truck, built HPC clusters out of old (and new) hardware, designed tools to extract data from vehicle EDRs, and in his spare time trains teams of students to defend enterprise networks. Haystack was a computer science student researching process control security, when one day he was recruited by a nefarious mechanical engineering professor hell-bent on dominating the field of accident reconstruction. After a series of dangerous training missions to various accident sites and junkyards, Haystack can now cut electronic control modules from wrecked trucks with surgical precision and extract crash data from them that was previously thought to be unrecoverable.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
01:43 DEF CON English 2016

RISE OF THE MACHINES

  • Published: 2016
  • Publisher: DEF CON
  • Language: English
26:06 DEF CON English 2016

DARPA Cyber Grand Challenge Award Ceremony

On Friday morning, August 5th, DARPA will announce the prize winners and recognize the parties responsible for building and competing in the Cyber Grand Challenge (CGC), the world's first all-machine hacking tournament, which was completed August 4th. Seven high-performance computers will have completed an all-machine Capture the Flag contest, reverse engineering unknown binary software, authoring new IDS signatures, probing the security of opponent software, and re-mixing defended services with machine-generated patches and defenses. Come hear about what transpired at CGC, and learn which team will be taking home the $2M grand prize, as well as the $1M second place and $750K third place prizes.
  • Published: 2016
  • Publisher: DEF CON
  • Language: English
42:39 DEF CON English 2016

"Cyber" Who Done It?! Attribution Analysis Through Arrest History

There have been over 20,000 data breaches disclosed, exposing over 4.8 billion records, with over 4,000 breaches in 2015 alone. It is clear there is no slowdown at all, and the state of security is embarrassing. The total cybercrime cost estimates have been astronomical, and law enforcement has been struggling to track down even a fraction of the criminals, as usual. Attribution in computer compromises continues to be a surprisingly complex task that ultimately isn’t definitive in most cases. Rather than focusing on learning from security issues and how companies can avoid these sorts of data breaches in the future, for most media outlets the main topic after a breach continues to be attribution. And if we are honest, the media have painted an “interesting” and varied picture of “hackers” over the years, many of which have caused collective groans or outright rage from the community. The Arrest Tracker project was started in 2011 as a way to track arrests from all types of “cyber” (drink!) and hacking-related incidents. This project aims to track computer intrusion incidents resulting in an arrest, detaining of a person or persons, seizure of goods, or other related activities that are directly linked to computer crimes. The Arrest Tracker project currently has 936 arrests collected as of 4/23/2016. How does tracking this information help, and what does the data tell us? A lot, actually! Who is behind these data breaches, and what are the demographics, such as average age, gender, and nationality? Which day of the week are you most likely to be arrested? How many arrests lead to assisting authorities to arrest others? How many work by themselves versus as part of a group? These observations, and a lot more, paint an interesting picture of the computer crime landscape. Bio: Jake Kouns is the CISO for Risk Based Security, which provides vulnerability and data breach intelligence.
He has presented at many well-known security conferences including DEF CON, Black Hat, DerbyCon, FIRST, CanSecWest, RSA, SOURCE, SyScan and many more. He is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). With all of that said, many people are shocked to find out that he has a CISO title, and many others can’t believe that he has been attending DEF CON since the good old days of Alexis Park!
  • Published: 2016
  • Publisher: DEF CON
  • Language: English