
Speakers

Becker Polverini – Turning Joy into Sadness: Common Cryptography Anti-Patterns
Brett Chance – Doorking Around
Dan Tentler – Threat Modeling 101
Deviant Ollam & Pinup – The Hotel Room Gourmet
Ignat Korchagin – Exploiting USB/IP in Linux
Iximeow – Automating Javascript Deobfuscation
Jase Kasperowicz – Post Mortem Forensics: Telling the Story of a Breach
Jason Ritzke – IAM Unhinged
Katie Knowles – SMTP Security in a Changing World
William Turner – Getting off The Grid and onto Hyperboria
z0rro – How Containers Contain
Zapp & Hyr0n – From Zero to Bender in 12 Months

Turning Joy into Sadness: Common Cryptography Anti-Patterns

Becker Polverini

In an almost shockingly nihilistic talk, Becker Polverini will explain why just telling people not to “roll your own crypto” is not enough to prevent blowing your legs off in applied cryptography. He will explain why no programming language smart enough, no crypto library battle-tested enough, exists to prevent people from using upvoted, incorrect StackOverflow crypto posts to devastating effect. He will present a smorgasbord of incredibly broken PBKDFs, timing-safe equality, cipher modes, HMACs, and other crypto primitives, from the PKC Security consulting archives, as a means of educating developers on how to use trusted cryptography libraries safely. Get ready to laugh, then cry, as you realize these vulnerabilities sit in your favorite web and mobile apps.

Becker Polverini is the CEO and co-founder of PKC Security, a custom software development and cybersecurity consulting firm. He leads PKC’s work in applied cryptography, web application architecture, and operating system security. He previously worked with Microsoft Research on Chinese censorship and espionage, Princeton University’s Center for Information and Technology Policy on Chinese surveillance algorithms, at the Columbia University Intrusion Detection Systems Laboratory on the insider threat problem, and in kinetic warzones to provide secure communications with allies. Published research includes NSF funded work in machine learning and censorship analysis.




Doorking Around

Brett Chance

This talk will be about a vulnerability I discovered in DoorKing’s registration system that exposed customer data and telephone entry systems. This talk will cover how I became interested in these systems and how these systems work. I’ll highlight the major problem that could ultimately lead to accounts being compromised. We’ll discuss the impact of customer information being leaked to anyone who knows how to modify a cookie. We’ll also talk about the impact of entry system phone numbers and master codes being leaked and what risk that would pose to end users. Finally, we’ll discuss a speculative attack that could have leveraged this vulnerability. This would include scenarios where an attacker could wipe the entire access system, set new entry codes to allow themselves access to the protected building, back up access control data and more.

This issue was disclosed in line with responsible disclosure. I’ll discuss the timeline of this issue and I’ll also cover my attempts to notify the vendor and the responses I received. I published my findings in February of this year (2017).

Brett is an IR and Security Researcher with a focus on websec and IoT.




Threat Modeling 101

Dan Tentler

In the recent news we’ve seen a variety of colorful headlines. Everything from “uninstall signal” to “the cia has broken whatsapp’s encryption”, followed by “the nsa can hack every cisco device” and even “the cia can hack your TV to spy on you”. Managing infrastructure for a company, a utility, a carrier and a press outlet all come with wildly different types of risk. Being able to clearly identify threats to a specific organization or technology is a key skill if you are defending it. Being able to explain to non-technical people what the risks are is also key. Deciding on what security posture to take, where to spend budgetary dollars and what defensive technologies need to be bolstered are decisions that all hinge on basic threat modeling.

This presentation serves as a “the-grugq-style” explanation of what threat modeling is, how it is used, and how to apply it to some recent headlines so that the audience take-away is a better understanding of threat modeling and how to apply it to various speaking topics, as well as their day to day work in the security space.

Dan Tentler (@Viss) is the founder and CEO of The Phobos Group, a boutique information security services company. Previously a co-founder and CTO of Carbon Dynamics, and a security freelancer under the Aten Labs moniker, Dan has found himself in a wide array of different environments, ranging from blue team, to red team, to purple team, to “evil hacker for a camera crew”. When not obtaining shells or explaining how to defend against getting shelled, Dan enjoys FPV racing and crashing drones in new and interesting ways.




The Hotel Room Gourmet

Deviant Ollam & Pinup

Those who know Deviant or Tarah are aware that they love fine food and top-shelf drinks. When visiting homes of others, or when guests are gracious enough to come to our home, it’s a pleasure to demonstrate just how easily one can prepare gourmet-grade feasts on a budget.

But what if you’re not in your house, or the abode of an accommodating friend with a nice kitchen? Many of us spend much of our work life on the road, struggling to eat healthy and well while staying within budget. Well, forget the hotel lobby restaurant. Don’t Uber to the nearest Morton’s. Hell, don’t even put on your pants.

In this talk we will snub our noses at room service and not take out our credit card save for one quick visit to a local grocery store. The Hotel Room Gourmet will be a full and complete breakdown of a dizzying array of high-class food that we often make right in our hotel rooms (no suite or kitchenette needed!) which is healthier, tastier, and cheaper than nearly all other offerings available. Stick it to the man (and make your expense report happy) as you start dining on deviled eggs, savory vegetables, and the thickest, juiciest rare steaks imaginable.

Those who are present will not only learn but be afforded the opportunity to taste some of these exact creations! Those who are vegan, forswear alcohol, or prefer their meat well-done are advised to leave…as we will be holding knives.

Deviant Ollam (@deviantollam) is a gregarious gormandizer of foods from the four corners of the earth and a bibulous boozer of the highest order. If you’ve ever been in a hotel whose hallways have smelled curiously of bacon or seen a wild-eyed bearded man applying a blowtorch to ribeye steaks in a parking lot, chances are that was his doing. Deviant drinks peaty scotch — Lagavulin, Ardbeg, Bowmore, and Laphroaig — and bourbon with bite — Basil Hayden’s, Blanton’s, Booker’s, Barterhouse, and even some that don’t start with the letter B. Give him twenty minutes, a hot enough cast iron, and sufficient butter… and he can even make steaks from Aldi passable.

Pinup (@tarah) has several extremely bad habits, including dark chocolate, dangerous men, and running incident response like a tinpot Napoleon. She enjoys long walks in your binaries, sunsets over popped shells, and convincing the receptionist that she’s the new project manager who just forgot her badge.




Exploiting USB/IP in Linux

Ignat Korchagin

USB/IP is a framework for sharing USB devices over the network: it encapsulates USB I/O messages into TCP/IP payloads and transmits them between network-connected hardware. This way, USB devices, plugged into one machine, appear as if they are plugged into another connected machine and can be used without any additional drivers or software.

Being part of the mainline kernel since version 3.17, this framework is immediately available to Linux users. Kernel code supporting this feature is compiled by default as a loadable module and is available for stock kernels in most popular Linux distributions. However, the implementation is rather uncommon for the Linux kernel: the USB I/O bearer TCP connection is established by helper user-space applications, but then connected sockets are passed to the kernel and the kernel code itself handles all socket communication. So, most of the application protocol part is directly implemented in the kernel. This is a big shift from the traditional Linux paradigm of “tools only” in kernel code and “policy” in user-space.

The above design puts very strict security requirements on the code implementing the protocol since the code is executed in a highly privileged context (the Linux kernel). Not doing proper input validation may create serious security vulnerabilities. Unfortunately, this is the case with the USB/IP framework: under specific conditions a malicious party may trigger an out-of-bounds memory access and write arbitrary data to kernel memory. This is especially dangerous here because the potential attacker may do it remotely over the network.

Who is affected? The conditions of the exploitability of the above vulnerability are outlined. Also, some general security recommendations for USB/IP users are presented.

Ignat is a security engineer at Cloudflare working mostly on platform and hardware security. Ignat’s interests are cryptography, hacking, and low-level programming. Before Cloudflare, Ignat worked as a senior security engineer for Samsung Electronics’ Mobile Communications Division. His solutions may be found in many older Samsung smart phones and tablets. Ignat started his career as a security researcher in the Ukrainian government’s communications services.




Automating Javascript Deobfuscation

Iximeow

Most Javascript deobfuscation seems to be reliant on mocking functions like eval() and making objects like `WScript` available, running the (potentially malicious!) javascript, either in a browser tab or nodejs, and printing out what was passed to mocked functions. This talk covers what a more “right” approach might be, which is to say that most current Javascript can be meaningfully deobfuscated with a few optimizations often used by compilers to reduce code size.

I’ll also walk through an example implementation of those same techniques to deobfuscate some malicious Javascript from the wild plains of The Internet.

Computer guy. Software engineer. Reverse engineer. Ivory tower academic. Nerd on the internet. Iximeow has been called all of these things, and more. 4/5 people agree – Iximeow really likes weird computer things.




Post Mortem Forensics: Telling the Story of a Breach

Jase Kasperowicz

Ever wonder how to dissect a cyber attack? This talk will be an overview of the forensic artifacts that matter when investigating breaches carried out by persistent actors, as well as tips and tricks I’ve learned while responding to breaches of Windows systems over the years.

Topics covered will include the following:

  • Process execution forensics
  • Enumerating activity tied to use of graphical interfaces
  • Stacking logs to reveal use of attack tools
  • Methods to hunt for exfiltration of data
  • Timelining forensic artifacts
  • Hunting for previously undetected threat actors across large networks
  • Aggregating malware repositories to help you hunt for target attack tools

By day, Jase is a security consultant responding to incidents at some of the world’s largest companies, specialized in performing distributed forensics across networks in excess of 50,000 systems and hunting for previously undetected threat actors. By night, he’s active in the Southern California infosec scene and an active DC562 member.




IAM Unhinged

Jason Ritzke

You may think this talk is just a cleverly disguised ruse to make as many IAM puns as is humanly possible. And you’d be correct. You should in no way mistake it for an attempt to distill, in as short a period as possible, an understanding of Amazon Web Services API security policy documents. Nor should you confuse it with a brief evaluation of the sorry state of predefined AWS policies. Whatever you do, you should not assume that I’ll spend any time meditating on the utter unmitigated disaster that is most people’s policy stack (Hint: there’s a fair bit of *FullAccess in there).

Jason Ritzke is a senior system engineer with Taos. He specializes in secure, effective deployments of open-source software that help businesses and individuals achieve their goals and dreams. He helps run DC562 and is a maintainer of the Reclass external node classifier.




SMTP Security in a Changing World

Katie Knowles

The Simple Mail Transfer Protocol (SMTP) has been handling some of our most trusted communications since 1982. And yet, its own RFC admits “SMTP mail is inherently insecure”. What gives?

We’ll be taking a look at key technologies along the timeline to secure SMTP, from the first security-free(!) SMTP standard to STARTTLS, SPF, DMARC, and everywhere in between. We’ll cover a simple explanation for each standard and the basics of why it matters, presented in order of historical appearance to highlight the bigger story around SMTP and its ongoing struggle to stay modern with security. Along the way we’ll investigate where our train conductors in the saga to secure SMTP have failed, how far off the rails we are with “best practice”, and what we can do for now to bring email a little closer to on-track.

Katie Knowles (@_sigil) is a dedicated enterprise Information Security Specialist by day, and avid Information Security explorer by night. She received her Bachelors in Electrical Engineering from Rochester Institute of Technology before journeying to Los Angeles, where she can usually be found with DEFCON 562.




Getting off The Grid and onto Hyperboria

William Turner

Now more than ever, the desire to decentralize is manifesting into reality. Regional networks are beginning to pop up across the US and the rest of the world (https://docs.meshwith.me/meshlocals/existing/), but in order to gain traction they need to appeal to the masses. Getting connected to a mesh network looks and feels a lot like connecting to the internet (at a provider level) but with a cryptographic twist.

Beginning with a brief overview of existing mesh tech, this talk will be a deep dive on the CJDNS Layer 3 routing protocol which uses PKI for routing and lay out a road map for building a Los Angeles mesh local on the Hyperboria network.

Working in Linux has been a passion of mine since I was young. Finding a balance between hardware projects and software has always been a struggle as I really enjoy both! During the day I focus on Cloud technology, but in the evening focus on emerging technology and fostering my local tech community.




How Containers Contain

z0rro

An introduction to the underlying technologies being used by most container frameworks. The presentation covers the basics of kernel namespaces, cgroups, kernel capabilities, and chroots. This presentation will demonstrate how to use each technology independently and combined to restrict resource usage of a process or groups of processes, allow non-root users to carry out privileged tasks in a secure fashion, isolate a process or groups of processes from others, restrict the view a process or group of processes has of a file system, and more! There will be an emphasis on security and system hardening using these technologies.

Kyeho is a blue teamer by day. He helps run DC562.




From Zero to Bender in 12 Months

Zapp & Hyr0n

In this talk Zapp will walk you through how he went from barely knowing how to solder to building 175 electronic badges for DEF CON. He will detail the steps he took including projects he used to learn just enough to design, code, and produce the badges as well as share many of the screw-ups along the way.

Additionally, Zapp and Hyr0n will walk you through the features, background, and thought behind the much anticipated AND!XOR unofficial badge for DC25. Badge creation is a lifestyle not just bling and fame.

Zapp has been hacking on computers of various forms since he was very young. A self-taught coder, he has learned valuable lessons and caused plenty of data loss, mostly his own. He has a BS in Computer Science and Masters in Systems Engineering. Most of his professional career has been spent coding in Java, don’t judge him, and systems administration until a recent promotion into management where he is limited to Outlook and Powerpoint. Inspired by electronic badges, he’s recently balanced his MS Office worklife with embedded electronics and PCB design, designing and producing the AND!XOR Bender Badge at DEF CON 24.

Hyr0n, recent badge hacker pr0spect to AND!XOR, is a mathematician and computer scientist turning hardware. He has a BS in Applied Mathematics and Computer Science, MS in Systems Engineering, and is currently a PhD Student of Systems Engineering with a focus in Cybersecurity. A Red Hat Certified Engineer with a CEH in the back pocket, he is no stranger to the terminal shell (VIM for Life). Starting early on by building his first 386 DX66 with the awesome power of the turbo button and additional math coprocessor, he proceeded into C++ & Assembly projects before moving on in life to Java & Coldfusion (I deserve to be judged & I can handle it). Now a part time security researcher coming full circle to working with embedded electronics and firmware programming with AND!XOR.

