Amit Serper – Adware is just Malware with a Legal Department
Leigh-Anne Galloway & Timur Yunusov – Hack In, Cash Out: Hacking and Securing Payment Technologies
Mark Liphardt – Does Privacy Matter Anymore? Exploring Perception vs. Reality
Matthew Stits – From Security to Risk: Shifting the focus and changing the conversation
Matt Hoy – Data Security: How to avoid an embarrassing breach
Michael Sanders – Go Hack Yourself: Moving Beyond Assumption-based Security
Robert Adams – How to Security Research Without Getting Sucked into a Courtroom
Rtzq0 – Git for Hackers
Security Panda – HTTP2 and You
Katie Knowles – Signal Safari: Investigating RF Controls with RTL-SDR
Wasabi – Can You Hear Me Now?: Wireless Communication for Pentesters
z0rro – Leeky Onions: Deanonymizing Live Tor Hidden Services

Adware is just Malware with a Legal Department

Amit Serper

Adware isn’t a new or an exciting threat. It is often ignored by security professionals because “they just display ads.” Security companies often classify adware as “PUPs” or “Potentially Unwanted Programs,” downplaying their actual risks and dangers. In this talk I demonstrate just how serious adware can be and how the only difference between adware and malware is the fact that adware companies have legal departments. This is the talk that adware makers don’t want you to attend.

Back in 2016 I discovered a new OSX strain of the Pirrit adware/malware which, at the time, only targeted Windows machines. I completely reverse engineered the malware; it runs with root privileges, hijacks all HTTP traffic on the infected machine, and employs several other nefarious tricks. Due to some stunning opsec mistakes I found the malware’s authors’ full names and the company that they work for. Fast forward to the present: OSX/Pirrit is back with a vengeance, employing new techniques and having learned lessons from everything I wrote about in my previous reports and talks. Nevertheless, after lots of binary reverse engineering and going through thousands of lines of JavaScript, bash, and AppleScript code, I managed to reveal just how sinister the new version of OSX/Pirrit is; it is virtually impossible to remove without deep OSX knowledge. Due to more opsec mistakes by the authors I managed to tie this new wave of infections back to On top of that, TargetingEdge, the company who makes this adware/malware, bombarded us with cease and desist letters, threatening my employer and myself personally to prevent us from publishing our report.

This talk will highlight all of the methods used by the malware authors to abuse systems. I will guide the attendees through the process of reverse engineering such malware and share with everyone the amazing and hilarious story behind this whole incident. There will be IDA screenshots, there will be stunning opsec mistakes by the authors, and there will be lolz galore.

Amit leads the security research at Cybereason’s Boston HQ. He specializes in low-level, vulnerability and kernel research, malware analysis and reverse engineering. He also has extensive experience researching attacks on large scale networks and investigating undocumented OS resources and APIs. Prior to joining Cybereason, Amit spent nine years leading security research projects and teams for an Israeli intelligence agency, specifically in embedded system security. He’s presented at RSA, BSides, CircleCityCon, Derbycon, LayerOne and other conferences.

Hack In, Cash Out: Hacking and Securing Payment Technologies

Leigh-Anne Galloway & Timur Yunusov

Have you ever wanted to learn more about how payments work? Do you want to know how criminals bypass security mechanisms on Point of Sale terminals, ATMs and digital wallets? Payment technologies are a transparent part of our lives. They enable us to pay for everything from a coffee to a car. In the first part of this talk we take a look at payment technologies past, present and future. Learn how payments have evolved and what transactions look like today. Next we’ll dive into the different attacks that are possible with each transaction type and discuss which areas security teams should be focused on now, and in the future. Learn how hackers gain access to banking endpoints, bypass fraud mechanisms, and how they ultimately cash out.

Payment methods have changed vastly in the last 50 years, from the development of the ATM to the more recent adoption of digital payment methods. These days it’s hard to find a shop, restaurant or café that doesn’t accept card or contactless payments. In the first part of this talk, we will demystify payment methods so that anyone can understand them. What is NFC? EMV? Tokenization? This talk will leave you with a great understanding of how payments work.

In the second part of this talk we will cover demonstrations of the risks associated with payments. If you are considering integrating payment technologies into your business, or already accept payments, pay close attention. Working from case studies and our own experience, we’ll dive into the different attacks that are possible with each transaction type. We’ll look at techniques used to gain access to endpoints such as ATMs and POS terminals. Next we’ll explore the tactics used to bypass fraud detection mechanisms, and the multipliers employed by attackers to make the payout huge.

Timur Yunusov is a Senior Expert in banking systems security and the author of multiple research works in the field of application security, including “Apple Pay replay attacks” shown at BlackHat USA 2017, “Bruteforce of PHPSESSID”, rated in the Top Ten Web Hacking Techniques by WhiteHat Security, and “XML Out-Of-Band” shown at BlackHat EU. He is a professional application security researcher. Timur has previously spoken at CanSecWest, BlackHat USA, BlackHat EU, HackInTheBox, Nullcon, NoSuchCon, Hack In Paris, ZeroNights and Positive Hack Days.

Leigh-Anne Galloway is the Cyber Security Resilience Lead at Positive Technologies where she advises organisations on how best to secure their applications and infrastructure against modern threats. She is an expert in the Application Security Unit, specializing in ATM and POS Security and is the author of security research in account recovery processes on social media websites. She has spoken at many conferences including DevSecCon, BSides, InfoSec Europe, Hacktivity, 8dot8, Blackhat EU and Troopers.

Does Privacy Matter Anymore? Exploring Perception vs. Reality

Mark Liphardt

Today many people are concerned with personal privacy issues. However, despite what people say, we often act in many ways which may seem to contradict that desire. This talk will explore some common misconceptions about privacy and contrast behaviors that suggest that either we don’t really know or we don’t actually care about protecting our privacy in real life. We will explore some of the challenges related to achieving and maintaining various degrees of personal privacy in the modern world. We will examine technical issues, as well as some of the laws and pending legislation impacting it, and compare what is happening in the US versus other countries to learn which are doing a better or worse job at protecting their citizens’ personal information. Finally, we will identify current trends and activities that may help or hinder our rights in the near future. We will attempt to discover what is really needed to make our dreams of individual privacy protection come true.

An OG member of the hacking/InfoSec community. A computer forensics expert with a lifetime of experiences to share on many aspects of the tech industry. A Defcon goon for 25 years and a longtime privacy advocate.

From Security to Risk: Shifting the focus and changing the conversation

Matthew Stits

Security people are often seen as a contradiction in terms: both the smartest people in the room and those least aligned with the business. If you’ve ever wanted to shift the conversation and better communicate with the business, this talk is for you. It focuses on changing the conversation: talking more about reliability and not only security, about risk in dollars and not just compliance, and about the opportunities in the conversation you’re having rather than only the threat(s).

Matthew Stits has been in the security industry for nearly 20 years. He’s consulted and worked for a number of Fortune 500 companies in the Communications, Finance, Casino Gaming and Payment Card industries. Today he’s a Security Architect and Researcher for Adobe focusing on emerging technologies and business cases.

Data Security: How to avoid an embarrassing breach

Matt Hoy

This presentation is a discussion about designing your defense strategy based on Data Security models and Asset Classifications.

Many organizations have suffered breaches that have exposed embarrassingly sensitive data such as Personally Identifiable Information (PII) and data preferences, and we will continue to see this until we build security into the protection of data.

Matthew Hoy (@mattrix_). Matt has worked in the Information Security world for over 15 years in various Information Security roles, from Security Analyst and Architect to Incident Response, Consulting and Management. Matt currently holds CISSP and SANS GCIH certifications. Matt has presented at Toorcon Seattle, B-Sides Los Angeles, Toorcon San Diego, Circle City Con, Grrcon, DerbyCon, and of course LayerOne.

Go Hack Yourself: Moving Beyond Assumption-based Security

Michael Sanders

You have many security products, probably too many. But you are still not secure because it’s nearly impossible to know if your security products are actually doing what you want. Through live network and endpoint attack demonstrations, see how to use attack behaviors with Bartalex, Vawtrak, Mimikatz, PowerShell, Tunneling and others to validate your actual security products are working. See startling statistics, based on real-life case studies, that illustrate how ineffective many organizations, some with massive security budgets and teams, actually are because of a lack of validation. See how you can turn these attacks into an opportunity to instrument more effective security.

Michael Sanders is a security consultant with over 15 years of experience defending IT infrastructure. From humble beginnings of pushing packets and making his way up the stack to defending applications, Mike has experience across almost every defensive technology space. Mike has helped defend some of the largest organizations in the world across multiple industries, ranging from large retailers in Arkansas to fruit companies in Silicon Valley. Today he’s bringing together the folks that break stuff and the folks that are supposed to keep it all running as a senior security engineer with Verodin.


How to Security Research Without Getting Sucked into a Courtroom

Robert Adams

The idea for this talk came from several clients asking the same basic legal questions about security research and what they can and shouldn’t do to avoid criminal liability. I thought this would be a good forum to try to answer these questions, especially for private and independent researchers who do not have the backing of a large firm behind them. We’re going to try to answer a couple of generic legal questions that affect anyone who performs security research. Where’s the line in the sand regarding what a security researcher can do and shouldn’t do to avoid criminal liability, and what happens if it’s crossed? What happens when a security researcher wants to disclose a vulnerability to the manufacturer? Can that manufacturer sue the researcher to stop them from publishing their research or giving talks, and can the manufacturer sue for compensatory damages (i.e. money)?

Robert is a licensed attorney and a member of the State Bar of California, the U.S. District Court Bar for the Central District of California, and the American Bar Association. He is listed as a Cooperating Attorney with the EFF and holds multiple certifications. He established his own law firm, RobbLAW, which specializes in information technology law, corporate compliance, privacy and data security law, computer law, and Internet/cyber law (even though he hates the term cyber, it’s how the State Bar categorizes it). Robert grew up in the ’80s and was fortunate enough to have a computer in his bedroom. He enjoyed playing with it but always wanted to be a lawyer; he loved arguing too much. Robert never thought about computers as a career until being discharged from the United States Marine Corps. He had just moved to Los Angeles and the only job available at the time was in desktop support. He knew enough about computers to figure out how to do the job, so he took it. Over the years, Robert learned as much as he could and eventually worked his way up to becoming the Technical Lead Engineer in North America for Universal Music. After running their engineering program for a couple of years, Robert decided it was time to follow his calling and go to law school. He worked full time and went to law school in the evenings. After graduating, Robert transitioned from systems engineering to information security and compliance because it allowed him to keep his technical skills and apply his legal education.

Git for Hackers

Rtzq0

While a lot of noise has been made about sensitive artifacts being left in git, and several tools exist to analyze git repositories for deleted files, a deep understanding of where and how git stores things (and therefore how such artifacts are being retained) eludes many. NO MORE! Rtzq0 will teach you how git functions, and in doing so you will come to understand the many ways in which things that people think have been deleted have not actually been deleted (and therefore how you might obtain them). Vivent les accidentally committed private keys!

Rtzq0 is a “DevOps” (whatever the hell that means) consultant, hacker and organizer with DC562, and loves him some karate.

HTTP2 and You

Security Panda

Although not commonly known, HTTP2 was first published in May 2015 as an update to HTTP 1.1. By the end of that year, the majority of major browsers had added HTTP2 support, and it is now being utilized all across the Internet. Sites such as Google, Twitter, Facebook, and perhaps even your company’s site have HTTP2 enabled. If so, you probably do not realize you are using it. In fact, many Web Application Firewalls (WAFs) are not keeping pace with HTTP2 security needs, and common AppSec testing tools such as Burp, ZAP, and other DAST products don’t support HTTP2.

This talk will discuss the details of the presenter’s discovery process in identifying how many site hosts are utilizing HTTP2, and a sample of common vulnerabilities which were found on these sites. Attendees will come away with a better understanding of the security implications of HTTP2 and how you can detect these potential pitfalls on your network using freely available tools.

Brett is a Breaker of Web Applications, Leader of a DefCon Group, Maker of Tasty Food, and Owner of a Majestic Beard. He has over 17 years of experience in IT and Security, specializing in Web Application Pentesting, PCI practices, vulnerability scanning, and management.

Signal Safari: Investigating RF Controls with RTL-SDR

Katie Knowles

Cranes, trains, building controls, oil rigs, and …ceiling fans? Recent developments have made secure wireless protocols more common, but the fact is there’s still a swarm of simpler RF controls in the wireless world around us. Luckily, the onset of Software Defined Radios (SDRs) means analyzing these insecure signals is easier than ever! We’ll explore the basics of capturing and reversing simple RF control signals with the affordable RTL-SDR. With a little exploration through this menagerie of signals, we can unravel the mysteries of their operation and better understand what risk they pose to the environments we protect.

Katie Knowles (@_sigil) is a Security Consultant and Pentester with MWR InfoSecurity. Before her switch to offense, she implemented and managed enterprise security solutions. She enjoys good time spent on good projects, learning new tricks and incantations to befuddle innocent computers, and sharing her newfound knowledge with anyone (un)fortunate enough to be in earshot.

Can You Hear Me Now?: Wireless Communication for Pentesters

Wasabi

Wireless communication is getting cheaper, and hobby projects are integrating long range, low powered communication to link devices in all sorts of unique ways. But what about in the world of information security? This talk will cover the acronym soup of current communication systems, including LoRa, RFM, Satellite, ASK, and many others, to identify which protocols make sense when you are trying to communicate either stealthily or in remote areas. In addition, this talk will cover how to improve the reliability of wireless communication and the costs associated with building your super pentest box. The aim of this talk is to be interactive and allow people to share experiences.

Researcher of embedded devices and the Internet of Things.

Leeky Onions: Deanonymizing Live Tor Hidden Services

z0rro

This talk will demonstrate how administrative slip-ups can result in the deanonymization of live Tor hidden services. It covers multiple techniques to reveal the IP addresses of hidden services, and more! This is not an in-depth talk on how Tor works or how to use Tor, nor is it a talk about exploiting the Tor protocols themselves.

z0rro helps run DC562, does red teaming, and security research.