HACKER SUMMER CAMP 2018 GUIDE — Part Four: DEFCON 26

DCG 201
44 min read, Aug 5, 2018


Welcome to part four of our guide to Hacker Summer Camp! Today we are going to cover DEFCON 26. If you missed part one or want to skip ahead to other sections, use our Table of Contents below:

HACKER SUMMER CAMP 2018 GUIDE — Part One: Surviving Vegas

HACKER SUMMER CAMP 2018 GUIDE — Part Two: BSides Las Vegas 2018

HACKER SUMMER CAMP 2018 GUIDE — Part Three: Black Hat USA 2018

HACKER SUMMER CAMP 2018 GUIDE — Part Five: SIGS, EVENTS AND PARTIES

WHAT IS DEFCON?

Dates: August 9th — August 12th

Location: Caesars Palace (255 E. Flamingo Rd.) & Flamingo (3555 South Las Vegas Boulevard) & LINQ (3535 South Las Vegas Blvd, Las Vegas, NV 89109)

Code of Conduct: https://defcon.org/html/links/dc-code-of-conduct.html

Android App: https://play.google.com/store/apps/details?id=com.shortstack.hackertracker&hl=en

iOS App: https://itunes.apple.com/us/app/hackertracker/id1021141595

DEFCON was started in 1993 by Dark Tangent (Jeff Moss) as a going away party for a friend who never showed. It has since grown into one of the biggest hacker security conventions in the world, with over 20,000 attendees yearly. This year the convention will take place from Thursday through Sunday across three different hotels.

DEFCON has grown to become so big that we at DEFCON 201 classify it as a “Mega Convention”, aka a convention with smaller mid-sized conventions nested inside it. You will be covering a wide area with a diverse mob of people and ten million activities going on all at once. It’s important to plan out your day, take your time and remember that it’s physically impossible to see and do everything in one con year, never mind in one day. The convention this year is so massive that we plan on listing the important things to know, not exactly everything that is there. We highly suggest looking at their website and clicking around to get a sense of what you would like to see.

Also remember, you get out of it what you put into it!

CONVENTION MAP LINKS

CAESARS PALACE CONVENTION CENTER

FLAMINGO FLOOR PLAN — DAY

FLAMINGO FLOOR PLAN — NIGHT

LINQ HOTEL & CASINO WORKSHOPS

DEFCON VILLAGES

The core and lifeblood of the convention are the “Villages”. These are spaces inside DEFCON that act as their own miniature convention, including talks, contests, badges and swag. Many of them focus on a particular special interest. Here is a master list of almost every village at the convention, plus a special highlight of one talk or activity each will have there. A few that are listed here will be spotlighted in much greater detail in PART FIVE of the Hacker Summer Camp Guide:

IOT Village

Friday: 10:00 to 19:00, Saturday: 10:00 to 19:00, Sunday: 10:00 to 13:00
Location: Turin, Verona, & Trevi — Caesars

HIGHLIGHT — (IoT Village Keynote) Tales of a SOHOpeful Journey: Where our Research Started and Where it’s Going, Rick Ramgattie (@RRamgattie) and Jacob Holcomb (@rootHak42), 11:30 am — 12:00 pm

Biohacking Village

Friday: 10:00 to 20:00, Saturday: 10:00 to 20:00, Sunday: 10:00–14:00
Location: Siena, Pisa, & Palermo — Caesars

SEE IN PART FIVE OF GUIDE IN SIGS SECTION

Packet Hacking Village

Friday: 10:00–19:00, Saturday: 9:00–19:00, Sunday: 10:00–14:00
Location: Neapolitan — Caesars

HIGHLIGHT — Ridealong Adventures: Critical Issues with Police Body Cameras
Josh Mitchell, Saturday 4:00 PM

Crypto & Privacy Village

Friday: 10:00 to 18:30, Saturday: 10:00 to 18:30, Sunday: 10:00 to 14:00
Location: Milano I II — Caesars

HIGHLIGHT — Building A Cryptographic Back Door in OpenSSL, Lei Shi & Allen Cai, Sat, August 11, 1:30pm — 2:00pm

Wireless Village

Friday: 10:00 to 18:00, Saturday: 10:00 to 18:00, Sunday: 10:00 to 14:00
Location: Milano V VI — Caesars

HIGHLIGHT — Exploring the 802.15.4 attack surface, Faz, August 10th 5:30 PM

r00tz Asylum

Friday: 10:00 to 17:00, Saturday: 10:00 to 17:00, Sunday: 10:00 to 14:00
Location: Milano III IV — Caesars

SEE IN PART FIVE OF GUIDE IN SIGS SECTION

Social Engineer Village

Thursday: 10:00 to 17:00, Friday: 10:00 to 18:00, Saturday: 10:00 to 18:00, Sunday: 10:00 to 14:00
Location: Octavius 3–8 — Caesars

SEE IN PART FIVE OF GUIDE IN SIGS SECTION

Tamper Evident Village

Friday: 10:00 to 18:00, Saturday: 10:00 to 18:00, Sunday: 10:00 to 14:00
Location: Forum BR 24- Caesars

HIGHLIGHT — Tamper-Evident King of the Hill Contest; a full-featured tamper challenge! Instead of the weekend-long contest we’re hosting a King of the Hill format where you tamper with single items at your leisure and attempt to beat the current best. There can be only ONE! No sign ups required, play on-site when the TEV begins.

Data Duplication Village

Thursday: 16:00 to 19:00, Friday: 10:00 to 17:00, Saturday: 10:00 to 17:00, Sunday: 10:00 to 11:00
Location: Capri — Caesars

HIGHLIGHT — The Memory Remains — Cold drive memory forensics 101, Lior Kolnik, August 11th 2:00 PM

Recon Village

Friday: 12:00 to 18:40, Saturday: 10:00 to 18:40, Sunday: 10:00 to 13:00
Location: Florentine I II — Caesars

HIGHLIGHT — Using Deep Learning to uncover darkweb malicious actors and their close circle, Rod Soto and josephzadeh, August 10th 5:25 PM

Voting Machine Hacking Village

Friday: 10:00 to 18:00, Saturday: 10:00 to 18:00, Sunday: 10:00 to 14:00
Location: Forum BR 14–16 — Caesars

HIGHLIGHT — This year the Voting Village is also partnering with r00tz Asylum to teach DEF CON’s youngest attendees about the importance of election security. The r00tz Asylum Election Security sessions will give young DEFCON attendees, aged 8–16, the opportunity to hack into replicas of the Secretary of State websites for several battleground states.

AI Village

Thursday: N/A, Friday: 10:00 to 18:00, Saturday: 10:00 to 18:00, Sunday: 10:00 to 14:00
Location: Florentine III — Caesars

HIGHLIGHT — IntelliAV: Building an Effective On-Device Android Malware Detector, Mansour Ahmadi, August 10th 1:00 PM

DroneWarz Village

Friday: 10:00 to 18:00, Saturday: 10:00 to 18:00, Sunday: 10:00 to 14:00
Location: Abruzzi — Caesars

HIGHLIGHT — MISSIONZ — BLUESKYZ — This is our defensive sandbox. These challenges allow you to engage in capture, interception, forensic discovery and threat modeling for drones captured during a mission. Teams that can capture an in-mission drone and accurately determine the flight path, display surveillance images/FPV, and determine the drone’s

BCOS/Monero Village

Friday: 10:00–19:00, Saturday: 10:00–19:00, Sunday: 10:00–14:00
Location: Pompeian I — Caesars

HIGHLIGHT — Hacking a Crypto Payment Gateway, Devin “Bearded Warrior” Pearson and Felix “Crypto_Cat” Honigwachs, August 10th 5:00 PM

VX (Chip-off) Village

Friday: 10:00 to 17:00, Saturday: 10:00 to 17:00
Location: Tribune — Caesars Palace

HIGHLIGHT — Visitors will have an opportunity to remove the embedded eMMC chip from the devices and re-solder it onto a small circuit board.

Ethics Village

Friday: 11:00 to 19:00, Saturday: 11:00 to 18:00
Location: Modena — Caesars Palace

HIGHLIGHT — Diversity and Equality in Infosec, August 11th 5:00 PM

Skytalks

Location: Virginia City — Flamingo

SEE PART FIVE OF GUIDE IN SIGS SECTION

Cannabis Village (Puff Puff Hack)

Friday: 10:00 to 17:00, Saturday: 10:00 to 17:00
Location: Valley of Fire- Flamingo

HIGHLIGHT — About the Open Cannabis Project, Beth Schechter, August 10th 3:00 PM

CAAD Village

Friday: 10:00 to 17:30, Saturday: 10:00 to 17:30
Location: Lake Mead- Flamingo

HIGHLIGHT — How to leverage the open-source information to make an effective adversarial attack/defense against deep learning model, Wei Li & Xiaojin Jiao, August 10th 2:30 PM

Blue Team Village

Friday: 10:00–18:00, Saturday: 10:00–16:00, Sunday: 10:00–14:00
Location: Savoy — Flamingo

SEE PART FIVE OF GUIDE IN SIGS SECTION

ICS Village

Location: Red Rock- Flamingo

HIGHLIGHT — A CTF That Teaches: Challenging the Next Generation of ICS Ethical Hackers, Brandon Workentin, August 10th 3:10 PM

Car Hacking Village

Friday: 10:00 to 19:00, Saturday: 10:00 to 18:00, Sunday: 10:00 to 12:00
Location: Red Rock, Flamingo

HIGHLIGHT — Grand theft auto: Digital key hacking, KEVIN2600, August 11th 12:06 PM

DEFCON CONTESTS & ACTIVITIES

DEFCON is always brimming with activities and DEFCON 26 will be no exception. From movies to locks, demo software and goofy fun, there is always something to do for people of all backgrounds and all ages. Who knows, you might even win some prizes! Here are some of our highlights this year!

==DEMO LABS==

#WiFiCactus

Saturday 08/11/18 from 1000–1150 at Table One
Offense, defense, hardware

Mike Spicer

The newly upgraded #WiFiCactus for DEF CON 26 is a passive wireless monitoring backpack that listens to 60 channels of 2.4 and 5 GHz WiFi at the same time. New this year is the ability to capture 802.11ac traffic and upgrades to remove bandwidth bottlenecks. This tool uses Kismet to capture the data from each radio and aggregates it into a single searchable web interface. This tool is also capable of identifying wireless threats, troubleshooting complex wireless environments and helping with correlation analysis between Bluetooth and WiFi.

http://palshack.org/the-hashtag-wifi-cactus-wificactus-def-con-25/

Mike Spicer
d4rkm4tter is a mad scientist who likes to hack hardware and software. He is particularly obsessed with wireless. He has a degree in computer science which he has put to use building and breaking a wide variety of systems.

DejaVU — An Open Source Deception Framework

Sunday 08/12/18 from 1200–1350 at Table Three
Offense/Defense

Bhadreshkumar Patel

Harish Ramadoss

Deception techniques — if deployed well — can be very effective for organizations to improve network defense and can be a useful arsenal for blue teams to detect attacks at a very early stage of the cyber kill chain. But the challenge we have seen is deploying, managing and administering decoys across large networks. Although there are a lot of commercial tools in this space, we haven’t come across open source tools which can achieve this.

With this in mind, we have developed DejaVu, an open source deception framework which can be used to deploy, configure and administer decoys centrally across the infrastructure. A web-based management console can be used by the defender to deploy multiple interactive decoys (HTTP servers, SQL, SMB, FTP, SSH, client side NBNS) strategically across their network on different VLANs. The logging and alerting dashboard displays detailed information about the alerts generated and can be further configured to generate high-accuracy alerts and to define how these alerts should be handled.

Decoys can also be placed on the client VLANs to detect client side attacks such as Responder/LLMNR attacks using client side decoys. Additionally, services which the adversary commonly abuses for an initial foothold, such as Tomcat or SQL Server, can be deployed as decoys, luring the attacker and enabling detection.

https://github.com/bhdresh/Dejavu

Bhadreshkumar Patel
Bhadreshkumar Patel is a Reverse Engineer by nature and Security Specialist/Pentester by profession with 10 years of experience on the offensive and defensive sides of security. Likes to code, break stuff, play with controllers. Got lucky in finding zero days in Facebook, NGFW, wireless routers, HMS etc. Dejavu is Bhadresh’s first conference submission, but not his first contribution to the security community.

Harish Ramadoss
Harish Ramadoss has over seven years of experience in the offensive security space, focusing on application and infrastructure security assessments. He has led large scale penetration testing engagements for various clients across Finance, Government and Defense.

GyoiThon

Sunday 08/12/18 from 1000–1150 at Table Two
Offense

Isao Takaesu

Masuya Masafumi

Toshitsugu Yoneyama

GyoiThon is a fully automated penetration testing tool against web servers. GyoiThon nondestructively identifies the software installed on a web server (OS, Middleware, Framework, CMS, etc…) using multiple methods such as machine learning, Google Hacking and pattern matching. After that, GyoiThon executes valid exploits for the identified software. Finally, GyoiThon generates a report of the scan results. GyoiThon executes the above processing fully automatically.

GyoiThon consists of three engines:

  • Software analysis engine:
    It identifies software based on the HTTP response obtained by normal access to the web server, using both machine-learning-based and signature-based methods. In addition, it uses Google Hacking.
  • Vulnerability determination engine:
    It collects vulnerability information corresponding to the software identified by the software analysis engine. It then executes an exploit corresponding to the vulnerability of the software and checks whether the software is affected by the vulnerability.
  • Report generation engine:
    It generates a report that summarizes the risks of the vulnerabilities and the countermeasures.

Traditional penetration testing tools are very inefficient because they execute all signatures. On the other hand, GyoiThon is very efficient because it executes only valid exploits for the identified software. As a result, the user’s burden will be greatly reduced, and GyoiThon will greatly contribute to the security improvement of many web servers.

https://github.com/gyoisamurai/GyoiThon

Isao Takaesu
Isao Takaesu is working at Mitsui Bussan Secure Directions, Inc. as a security engineer and researcher. In the past, he found numerous vulnerabilities in clients’ servers and proposed countermeasures to the clients. He thinks that there are more, and wants to find vulnerabilities efficiently. Therefore, he is focusing on artificial intelligence technology and developing a fully automated penetration testing tool using machine learning.

Masuya Masafumi
Masafumi Masuya is a security engineer at Mitsui Bussan Secure Directions, Inc. He loves network security assessment, and has found many vulnerabilities in various enterprise servers. He is always thinking about a method to efficiently perform network security assessment, even while sleeping. He especially loves cURL and the Japanese word ‘Gyoi’. “Gyoi” means that there is nothing you cannot do!

Toshitsugu Yoneyama
Toshitsugu Yoneyama is a Security Researcher and Manager at Mitsui Bussan Secure Directions, Inc. He has reported several vulnerabilities in Juniper, Nessus, Amazon, Apache and various routers. He participated alone in Hack2win, a hacking competition at CodeBlue 2017, where he pwned several devices by remote attack and got the 3rd prize.

HealthyPi — Connected Health

Saturday 08/11/18 from 1400–1550 at Table Four
Hardware and biohacking

Ashwin K Whitchurch

We (at ProtoCentral) developed the HealthyPi HAT for the Raspberry Pi as a way of opening up healthcare and open source medical hardware to anyone. The HealthyPi is made of the same “medical-grade” components found in regular vital sign monitors, for a fraction of the cost of such systems. This is our way of democratizing medical hardware to develop new areas of research.

Our objective when we began developing the HealthyPi was to make a vital sign monitoring system which is simple, affordable, open-source (important!) and accessible. HealthyPi is completely open-source and is our way of “hacking” patient monitoring systems by getting the data that you need, in the way that you need it, and extending on that without getting involved in sticky proprietary NDAs and such.

*Demo will allow people to come, check out and play with (and possibly hack) the HealthyPi device while getting their vital signs monitored.*

https://github.com/Protocentral/protocentral-healthypi-v3

Ashwin K Whitchurch
Ashwin K Whitchurch is the CEO of ProtoCentral (Circuitects Electronics Solutions Pvt Ltd) based out of Bangalore in India. The company makes, sells and supports open source hardware products, most of them for healthcare and medical applications. Ashwin has published research papers, book chapters and reviews in well-known international journals and conferences. ProtoCentral (and Ashwin) has been present at many hardware gatherings including Maker Faire (New York & Rome), Hackaday Superconference and OSHWA Summit, and has given talks on his projects with open source hardware.

Orthrus

Saturday 08/11/18 from 1000–1150 at Table Four
InfoSec

Nick Sayer

Orthrus is a small appliance that allows the user to create a cryptographically secured USB volume from two microSD cards. The data on the two cards is encrypted with AES-256 XEX mode, and all of the key material used to derive the volume key is spread between the two cards. There are no passwords to manage. If you have both cards, you have everything. If you have only one, you have half the data encrypted with a key you cannot reconstruct. This allows for “two-man control” over a dataset. Orthrus itself has no keys of its own and a volume created or written with one Orthrus can be used with any other (or on any other thing that implements the Orthrus open specification). Orthrus is open source hardware and firmware.

https://hackaday.io/project/20772-orthrus

Nick Sayer
Nick Sayer has been a software developer for most of his life and has spent the last ten years specializing in his day job on security and cryptography. He recently rediscovered the hardware hobby he abandoned in his teens and has a store on Tindie full of his creations, all of which are open.

Passionfruit

Sunday 08/12/18 from 1000–1150 at Table Five
iOS reverse engineer, Mobile security research

Zhi Zhou

Yifeng Zhang

Passionfruit is a cross-platform app analysis tool for iOS. It aims to provide a powerful and user friendly GUI for app pentesting and reverse engineering. In this demo we’ll cover the most common tasks in iOS RE, like dumping decrypted apps from the App Store, exploring the filesystem and other runtime introspections.

https://github.com/chaitin/passionfruit

Zhi Zhou
Zhi Zhou is a security engineer at AntFinancial LightYear Lab, who mainly focuses on applied software security, including both mobile and desktop platforms. He’s been working on blackbox assessment, vulnerability exploitation and new attack surface discovery. He was a speaker at BlackHat USA 2017.

Yifeng Zhang
Yifeng Zhang is a penetration tester at Chaitin Tech, working in mobile security and financial malware. He has been dedicated to developing security tools to make pen-testing more efficient and effective.

==ACTIVITY AREAS==

Lockpicking village

Friday: 10:00 to 18:00, Saturday: 10:00 to 18:00, Sunday: 10:00 to 13:00
Location: Forum BR 24- Caesars

Hardware Hacking Village

Friday: 10:00 to 19:00, Saturday: 10:00 to 19:00, Sunday: 10:00 to 13:00
Location: Forum BR 17–19 — Caesars

Mobile Museum

Friday, Saturday, & Sunday
Location: Florentine IV- Caesars

Laser Cutting Village

Location: Calibria — Caesars

==COMMUNITY ACTIVITIES==

8th Defcon Bike Ride

Event
Friday: 0600

At 6am on Friday, the @cycle_override crew will be hosting the 8th Defcon Bike Ride. We’ll meet at a local bike shop, get some rental bicycles, and at about 7am will make the ride out to Red Rocks. It’s about a 15 mile ride, all downhill on the return journey. So, if you are crazy enough to join us, get some water, and head over to cycleoverride.org for more info. See you at 6am Friday! @jp_bourget @gdead @heidishmoo. Go to cycleoverride.org for more info.

More Info: https://twitter.com/cycle_override, http://cycleoverride.org

Drunk Hacker History

Contest | Location: Contest Stage
Saturday: Saturday night

One night only at DEF CON 26, Drunk Hacker History is back by popular demand for a 4th historic year! The past three years proved to the entire galaxy that in the game of intoxicated nostalgic recall, there are no losers and those who won, lost. The DEF CON community has a history of sorts. It is a history filled with mephitic adventures, quarter-truths, poor life choices, incontinence, and various forms of C2H6O. This year, we will connect our stacks to extract some of the most celebrated, exaggerated and entertaining moments in Hacker History through the interpretation of a group of well-trained participants. In the end, we will, again, crown the Drunkest Hacker in History and you, the audience, will rejoice! Hosted by c7five & jaku, if you like eating from an 80s candy cannon, “Cats” the musical, and feats of strength, you won’t want to miss the return of Drunk Hacker History! Presented in DEF CON 4D and made possible by a grant from monkeyhelpers.org.

More Info: @DrunkHackerHist

DEF CON Scavenger Hunt

Contest | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00, Sunday: 10:00–12:00

Do you have specialty skills that you haven’t found an outlet for? Like making replicas of colonial-era Presidents’ heads out of macaroni and cheese or stitching wool sweaters for Venus fly traps? Well, as it turns out there’s a competition made specially for you! Come on down to the Defcon Scavenger Hunt, now in its 21st year! We are the contest that you might not have known by name but you’ve probably seen, heard, or smelled all over Defcon. With competitions that involve you in almost every aspect of Defcon, we’re arguably the best way you can spend your weekend. First through third place will receive fabulous prizes, while all other participants will presumably walk away with a little more dignity left.

More Info: http://defconscavhunt.com, @DefConScavHunt

Hacker Karaoke

Event | Location: Emperors Chillout — Caesars
Friday: 20:00–2:00, Saturday: 20:00–2:00

Do you like to sing? Do you want to perform? Ever wanted to sing in front of others? Come on down to the 10th Annual Hacker Karaoke, DEFCON’s on-site karaoke experience. You can be a star, or if you don’t want to be a star, you can also take pride in making an utter fool of yourself.

More Info: https://hackerkaraoke.org/, @hackerkaraoke

Ham Radio Exams

Event | Location: Anzio, Caesars
Friday: 10:00–16:00, Saturday: 12:00–18:00

Take HAM Radio Exams at DEF CON 26!

Laser Shooting Gallery

Event | Location: Venice, Caesars

Experience the beauty of the Las Vegas area by shooting at inanimate objects with REAL lasers! Shoot aliens, robots, barrels and even cacti and try to get the high score. A presentation on how the gallery was conceived and constructed will occur Friday and Saturday at 3 PM in the shooting gallery room. Brought to you by the fine folks from Notacon.

Mohawk-Con

Event | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00, Sunday: 10:00–12:00

Mohawk-Con returns for another year of shaving & coloring heads and transforming you into the cool kid at the con. Charitable event to support the EFF & Hackers For Charity, get a cool new hawk in support of the causes that matter to you.

More Info: https://www.facebook.com/MohawkCon/

Recon Village Hackathon

Contest | Location: Recon Village — Florentine II
RECON Village Hours

Do you fancy writing some code this DEFCON and making something productive? Come make an Open Source Tool / Product around Recon/OSINT and compete against other participants. Top teams demonstrate the product Angel Investor style to our judges and winners get exciting prizes. You can either make something from scratch or write a plugin/module for any ‘Open Source’ tool.

We make sure that the concentration music plays on, energy drinks flow while you compete for solving some interesting problems using Recon/OSINT. We are sure the Hacker environment at DEFCON helps in such challenges and that’s the reason we are hosting a HACKATHON this year at DEFCON 26 Vegas. Believe us, we can’t be more excited.

With this HACKATHON, we strive to achieve multiple objectives at the same time. You and your team distil a visionary concept down to an actionable solution. You get a sense of achievement. You meet like minded people. Community goes bigger with your contribution. Everybody Wins. Only Rule: Anything you write has to be open source and freely available to public.

Are you game? Go Register now.

More Info: http://reconvillage.org/hackathon/

==CONTESTS & GAMES==

Hacker Jeopardy

Date: Friday, August 10th and Saturday, August 11th

Location: Track 3

Time: 8:00 PM Each Night

To enter, Email hackerjeopardy@gmail.com with the following:

— Team Name

— Handles of 3 (and only 3) idiot players

— Contact phone #

— Evidence proving why you should be on HJ

Whose Slide is it Anyway?

Contest | Location: Contest Floor

“Whose Slide Is It Anyway?” is an unholy union of improv comedy, hacking and slide deck sado-masochism.

Our team of slide monkeys will create a stupid amount of short slide decks on whatever nonsense tickles our abnormal fancies. Slides are not exclusive to technology, they can and will be about anything. Contestants will take the stage and choose a random number corresponding to a specific slide deck. They will then improvise a minimum 5 minute / maximum 10 minute lightning talk, becoming instant subject matter experts on whatever topic/stream of consciousness appears on the screen.

What are you playing for? Awesome prize packs from our generous sponsors Red Canary, TrustedSec, Binary Defense, Toool, Dragos, CoreGroup and more! Players are chosen on a first come, first served basis, so get there early.

Whether you delight in the chaos of watching your fellow hackers squirm or would like to sacrifice yourself to the Contest Gods, it’s a night of schadenfreude for the whole family.

More Info: @ImprovHacker, https://www.ImprovHacker.com

BadgeLife Contest

Contest | Location: Contest Floor
All Con

Badges have been around Defcon for years, and badge hacking happens every year! This year, let’s make it an official contest! Let’s award prizes! Let’s judge badges on originality, functionality, best counterfeit, and our personal favorite OMGWTFBBQ!

More Info: http://badgelife.org, @dcbadgelife

Coindroids

Contest | Location: Contest Floor
Friday — Sunday: Contest Floor Hours

The year is 20X5 and humanity has fallen: now there are only Coindroids. The machines we designed to manage our finances have supplanted and destroyed the human race by turning our own economy against us. Now they battle each other in the ruins of our fallen cities, driven by a single directive: money is power.

Battle your way to the top of the leaderboard by attacking rival droids, or assemble your hacker-fam and compete in the quest to infiltrate Imperial One.

New to cryptocurrencies? No DEFCOIN to play with? Not a problem! Just come visit our booth in the contest area and we can help get you started.

More Info: https://www.coindroids.com, @coindroids, https://www.facebook.com/Coindroid/

DEF CON Beard and Moustache Contest

Contest | Location: Contest Stage
Friday: 1800–2000

Held every year since DEF CON 19 in 2011 (R.I.P. Riviera), the DEF CON Beard and Moustache Contest highlights the intersection of facial hair and hacker culture.

More Info: http://www.dcbeard.com/, @DCBeardContest

DEF CON Blitz Chess Tournament

Contest | Location: Contest Stage
Saturday: 1800–2000

The first-ever DEF CON Chess Tournament, in Blitzkrieg format, in which there will be just 5 minutes on each player’s clock. During the tournament, each player will play every other player one time. A victory is 1 point, a draw 1/2, and a loss 0. At the end of the tournament, the player with the highest score wins the grand prize (tbd) and a trophy. In the event of a tie, there will be a sudden death playoff between the highest scorers to determine the champion.

Send your name and rating to @defconchess

Defcon Ham Radio Fox Hunting Contest

Contest | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00, Sunday: 10:00–12:00

In the world of amateur radio, groups of hams will often put together a transmitter hunt (also called “fox hunting”) in order to hone their radio direction finding skills by locating one or more hidden radio transmitters. The Defcon Fox Hunt will require participants to locate a number of hidden radio transmitters broadcasting at very low power which are hidden throughout the conference. Each transmitter will provide a clue to a larger puzzle, requiring participants to piece together the information broadcast from each transmitter. Once they’ve decoded the final puzzle, they will be sent to find one final ultra low power transmitter broadcasting a passphrase which they will enter on a contest website to receive their trophy for completing the contest. A map with rough search areas will be given to participants to guide them on their hunt. Additional hints and tips will be provided throughout Defcon to help people who find themselves stuck.

More Info: http://defcon26foxhunt.com

Dungeons@DEFCON

Contest | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00

A puzzling campaign for 1–4 players.

20 08 05 18 05 19 20 18 05
01 19 21 18 05 09 14 20 08
05 04 21 14 07 05 15 14 19
02 05 12 15 23 04 05 06 03
15 14 01 19 19 05 13 02 12
05 25 15 21 18 16 01 18 20
25 01 14 04 06 09 14 04 21
19

EFF Tech Trivia

Contest | Location: Contest Stage
Friday: 16:00–18:00

EFF’s team of technology experts have crafted challenging trivia about the fascinating, obscure, and trivial aspects of digital security, online rights, and Internet culture. Competing teams will plumb the unfathomable depths of their knowledge, but only the champion hive mind will claim the First Place Tech Trivia Cup and EFF swag pack. The second and third place teams will also win great EFF gear.

More Info: @EFF, https://eff.org

Hack Fortress

Contest | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00

Teams of 10 (4 Hackers + 6 TF2 players) will compete to score more points than their opponents during each match. The goal is simple: score more points than your competitors. How you do that is where the challenge comes in. The TF2 players will be frantically trying to kill, capture and win rounds against the opposing TF2 players. At the same time, the hackers will be attempting to solve a variety of hacking challenges. As tasks are completed, credits in our ‘hackconomy’ are gained. These can be used to purchase effects to help your team or hinder your opponents in both hacking and TF2.

More Info: http://hackfortress.net, @tf2shmoo, hackfortresstv (Twitch), /r/HackFortress

Spell Check: The Hacker Spelling Bee

Contest | Location: Contest Stage
Saturday: 15:00–17:00

The year is 1983. Supplies and entertainment are both running low and the machines are closing in. Suddenly, a technical editor from the future appears with a security style guide from 2018 and challenges you to spell terms as they appear in the guide. Maybe this quaint ritual will warm the hearts of the robots and bring in a new era of understanding to this troubled world. You’re confident you can make it past “asset” and “botnet,“ but you get a sinking feeling that in later rounds, capitalization is going to count too. The odds are against you, but it’s the end of the world… you might as well go out in a blaze of glory.

More Info: https://www.bishopfox.com/news/2018/07/def-con-26-spellcheck-the-hacker-spelling-bee/

Mission SE Impossible

Contest | Location: SE Village
Friday: All day

What is Mission SE Impossible (MSI)? Maybe the best way to describe it is that if the Gringo Warrior Challenge had a baby with Ethan Hunt while getting some scotch-soaked DNA from the Human Hacker, it would give birth to Mission SE Impossible. Also, this baby could shoot lasers out of its eyes.

With lock picking, handcuffs, a laser obstacle course, some ciphers, and safe cracking, MSI quickly became extremely popular in the SE Village. Folks of all ages have signed up and competed in this event, watched by an enthusiastic crowd who is always willing to help out.

More Info: http://www.social-engineer.org/social-engineer-village/, @humanhacker

SOHOpelessly Broken

Contest | Location: IoT Village
Friday: 10:00–19:00, Saturday: 10:00–19:00, Sunday: 10:00–13:00

SOHOpelessly Broken CTF:
A DEF CON 24 and 25 Black Badge CTF at IoT Village, in which players compete against one another by exploiting off-the-shelf IoT devices on a segmented network. These 15+ devices all have known vulnerabilities, but successfully exploiting them requires lateral thinking, knowledge of networking, and competency in exploit development. CTFs are a great experience to learn more about security and test your skills, so join up in a team (or even by yourself) and compete for fun and prizes! Scan the network to find every device and exploit as many as you can over the weekend. The top three teams will be rewarded!

Zero-Day Contest:
The Zero-Day contest is focused on the discovery and demonstration of new exploits (0-day vulnerabilities). This track relies on the judging of newly discovered attacks against connected embedded electronic devices. Devices that are eligible for the contest can be found at https://www.sohopelesslybroken.com/contests.php#0day and you can start submitting entries now! The winners who score the highest on their judged entries will be rewarded with cash prizes. Contestants will need to provide proof that they disclosed the vulnerability to the vendor.

More Info: http://www.sohopelesslybroken.com, @SOHObroken

TeleChallenge

Contest | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00, Sunday: 10:00–12:00

Let your fingers do the hacking on your touch-tone phone! Dive into the telephonic world with a challenge that will pit your wits against the complexities of phone systems, and the people and companies that inhabit them. The TeleChallenge is an immersive environment where all you need to get started is your phone. To win you’ll hack your way into, around, and through a myriad of phone-connected services. How do you start? How do you play? How do you win? Good questions! Set sail with the TeleChallenge!

More Info: @telechallenge

The Schemaverse Championship

Contest | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00, Sunday: 10:00–12:00

The Schemaverse [skee-muh vurs] is a space battleground that lives inside a PostgreSQL database. Mine the hell out of resources and build up your fleet of ships, all while trying to protect your home planet. Once you’re ready, head out and conquer the map from other DEF CON rivals.

This unique game gives you direct access to the database that governs the rules. Write SQL queries directly by connecting with any supported PostgreSQL client or use your favourite language to write AI that plays on your behalf. This is DEF CON of course so start working on your SQL Injections — anything goes!

More Info: http://schemaverse.com, @schemaverse

Tin Foil Hat Contest

Contest | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00, Sunday: Contest Stage 12:00–13:00

What with aliens and the NSA, a hacker can’t always tell who’s listening (or who’s transmitting…). Show us your skills by building a tin foil hat to shield your subversive thoughts. There are 2 categories: stock, and unlimited. The hat in each category that blocks the most signal will receive the “Substance” award for that category. We all know that hacker culture is all about looking good, though, so a single winner will be selected from all submissions for “Style”. Finally, a single overall winner will be selected from all combined categories for “Style and Substance”.

More Info: http://www.psychoholics.org/tfh, @DC_Tin_Foil_Hat

VulnSec Vulnerable Image Building Contest

Contest | Location: Contest Floor
Friday: 10:00–20:00, Saturday: 10:00–20:00, Sunday: 10:00–12:00

Tired of traditional DefCon events? DefCon attendees have been asked to submit the most devious virtual images for this contest. We have something for every hacker from the most experienced to the wannabe n00bs. VulnSec provides an on-site Cyber Range for contestants to have their images pwned by DefCon attendees. So, bring your hacking tools or use our provided Kali images to participate in this unique “by hackers for hackers” event. Still not interesting enough? Stop by, check our schedule for scheduled time trials and special events. Come out, test your abilities and claim a spot on our scoreboard!

DEFCON 201 TALK HIGHLIGHTS FOR DEFCON 26

This is the section where we have combed through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight list. These are just the talks that for us had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)

Pwning “the toughest target”: the exploit chain of winning the largest bug bounty in the history of ASR program

Thursday at 11:00 in 101 Track, Flamingo
45 minutes |

Guang Gong — Alpha Team at Qihoo 360

Wenlin Yang — Alpha Team at Qihoo 360

Jianjun Dai — Security researcher of Qihoo360 Alpha Team

In recent years, Google has made many great efforts in exploit mitigation and attack surface reduction to strengthen the security of the Android system. It is becoming more and more difficult to remotely compromise Android phones, especially Google’s Pixel phone.

The Pixel phone is protected by many layers of security. It was the only device that was not pwned in the 2017 Mobile Pwn2Own competition. But our team discovered a remote exploit chain — the first of its kind since the Android Security Rewards (ASR) program expansion — which could compromise the Pixel phone remotely. The exploit chain was reported to the Android security team directly. They took it seriously and patched it quickly. Because of the severity and our detailed report, we were awarded the highest reward ($112,500) in the history of the ASR program.

In this talk we will detail how we used the exploit chain to inject arbitrary code into the system_server process and get system user permissions. The exploit chain includes two bugs, CVE-2017-5116 and CVE-2017-14904. CVE-2017-5116 is a V8 engine bug related to WebAssembly and SharedArrayBuffer. It is used to get remote code execution in the sandboxed Chrome renderer process. CVE-2017-14904 is a bug in Android’s libgralloc module that is used to escape from the sandbox. The technique we used for sandbox escaping is very interesting and has rarely been talked about before. All details of the vulnerabilities and mitigation bypassing techniques will be given in this talk.

WAGGING THE TAIL — COVERT PASSIVE SURVEILLANCE AND HOW TO MAKE THEIR LIFE DIFFICULT

Thursday at 14:00 in 101 Track, Flamingo
45 minutes |

Si — Independent Security Consultant

Agent X — Hacker

In this modern digital age of technically competent adversaries we forget that there may still be a need to conduct old school physical surveillance against a target. Many organisations utilise surveillance teams; these may be in-house in the case of government agencies, or third-party teams contracted for a specific task, and their targets range from suspected terrorists to people accused of bogus insurance claims.

Whilst most people think that they may never be placed under surveillance, some professions increase this probability. For example, if you are a member of the press with sources that you only meet face to face, you could be a target, especially if the source is a whistleblower or has information that their employer would rather they didn’t give to you. Would it seem far-fetched to think that a hacker, security researcher or a member of the EFF could be placed under surveillance? Maybe even some current and former DEF CON speakers and attendees?

These teams are not the lone Private Investigator sitting in their car at the bottom of your street but highly trained individuals whose job is to remain undetected. Their mission is to observe and identify interactions and document everything they see. They aim to be “The Grey Man”: that person who, when you are asked to describe them, you are unable to. Their techniques have changed very little over decades because they work.

This talk will focus on mobile and foot surveillance techniques used by surveillance teams. It will also include tips on identifying if you are under surveillance and how to make their life difficult.

Building the Hacker Tracker

Thursday at 15:00 in 101 Track, Flamingo
20 minutes |

Whitney Champion — Senior Systems Engineer

Seth Law — Application Security Consultant, Redpoint Security

In 2012, back when DEF CON still fit in the Riviera (RIP), I recognized a gap to fill. I wanted to create a mobile version of the paper DEF CON booklet that everyone could use at the con.

I was unable to attend the conference that year. I was 8 months pregnant with my first child, and because I couldn’t be there in person, I spent a lot of time wishing I was.

So I built it. I spent countless hours pouring my heart into what became the Hacker Tracker, shiny graphics and all, and was committing code up until the minute I went into labor.

Fast forward a few years: Seth was frustrated with the lack of a mobile app for iOS while attending DEF CON. Subsequently, he found the Android version of Hacker Tracker and reached out to me about creating an iOS version. I was thrilled that someone wanted to join me and help grow the project. Not long after that, I recruited Chris to work on the app as well.

Now, 6 years since its inception, a small team supports the app development across iOS and Android and the apps are being used by half a dozen different conferences, representing several thousand users.

From nothing to something, we’ve experienced quite a bit in 6 years. Join us as we share our moments of joy, fear, and panic, “things not to do”, and more.

Welcome To DEF CON & Badge Maker Talk

Friday at 10:00 in Track 1
45 minutes | Demo

The Dark Tangent

One-liners to Rule Them All

Friday at 11:00 in Track 2
45 minutes | Demo

egypt — Security Analyst, Black Hills Information Security

William Vu — Security Researcher, Rapid7

It began with the forging of the command line. And some things that should not have been forgotten, were lost. History became legend, legend became myth.

Sometimes you just need to pull out the third column of a CSV file. Sometimes you just need to sort IP addresses. Sometimes you have to pull out IP addresses from the third column and sort them, but only if the first column is a particular string and for some reason the case is random.

In this DEF CON 101 talk, we’ll cover a ton of bash one-liners that we use to speed up our hacking. Along the way, we’ll talk about the concepts behind each of them and how we apply various strategies to accomplish whatever weird data processing task comes up while testing exploits and attacking a network.
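The abstract above names one recurring chore: pull the IP addresses out of the third column of a CSV, but only for rows whose first column matches a string with inconsistent case, then sort them. As an added example (not material from the talk or its speakers), the shell function below does exactly that over a constructed CSV embedded in the script; the column names and sample rows are assumptions for illustration. Sorting is numeric on each dotted octet so that 10.0.0.3 lands before 10.0.0.20, which a plain lexical sort would get wrong.

```bash
#!/bin/sh
# Constructed sample data (not from any real system): a "name,role,ip" CSV
# whose first column has random capitalisation, as the abstract describes.
SAMPLE_CSV='name,role,ip
WEBSRV,Web,10.0.0.20
websrv,web,10.0.0.3
dbsrv,db,10.0.1.5
WebSrv,web,192.168.1.7
websrv,web,10.0.0.20
jumpbox,ssh,172.16.0.1'

# ips_for_name NAME
# Reads CSV on stdin, skips the header line, keeps rows whose first column
# equals NAME ignoring case, and prints the third column (the IP) sorted
# numerically by octet with duplicates removed.
ips_for_name() {
    awk -F, -v want="$1" \
        'NR > 1 && tolower($1) == tolower(want) { print $3 }' \
        | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u
}

# Stand-alone run: every websrv address, regardless of how the name was typed.
printf '%s\n' "$SAMPLE_CSV" | ips_for_name websrv
```

The `-u` flag on `sort` de-duplicates on the sort keys, so the repeated 10.0.0.20 row appears once. Swap the constructed here-string for `cat hosts.csv` to run it against a real export.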

Hacking the Brain: Customize Evil Protocol to Pwn an SDN Controller

Friday at 13:30 in Track 2
20 minutes | Demo, Exploit

Feng Xiao — Hacker

Jianwei Huang — Hacker

Peng Liu — Raymond G. Tronzo, M.D. Professor of Cybersecurity

Software-Defined Networking (SDN) is now widely deployed in production environments with an ever-growing community. Though SDN’s software-based architecture enables network programmability, it also introduces dangerous code vulnerabilities into SDN controllers. However, the decoupled SDN control plane and data plane only communicate with each other with pre-defined protocol interactions, which largely increases the difficulty of exploiting such security weaknesses from the data plane.

In this talk, we extend the attack surface and introduce Custom Attack, a novel attack against SDN controllers that leverages legitimate SDN protocol messages (i.e., the custom protocol field) to facilitate Java code vulnerability exploitation. Our research shows that it was possible for a weak adversary to execute arbitrary commands or manipulate data in the SDN controller without accessing the SDN controller or any applications, by controlling only a host or a switch.

To the best of our knowledge, Custom Attack is the first attack that can remotely compromise the SDN software stack to simultaneously cause multiple kinds of attack effects in SDN controllers. So far we have tested the 5 most popular SDN controllers and their applications and found all of them to be vulnerable to Custom Attack to some degree. 14 serious vulnerabilities were discovered, all of which can be exploited remotely to launch advanced attacks against controllers (e.g., executing arbitrary commands, exfiltrating confidential files, crashing the SDN service, etc.).

This presentation will include:

  • an overview of SDN security research and practices.
  • a new attack methodology for SDN that is capable of compromising the entire network.
  • our research process that leads to these discoveries, including technical specifics of exploits.
  • showcases of interesting Custom Attack chains in real-world SDN projects.

The L0pht Testimony, 20 Years Later (and Other Things You Were Afraid to Ask)

Friday at 17:00 in Track 2
45 minutes | Audience Participation

L0pht Heavy Industries — Hacker Collective

Elinor Mills — Senior Vice President of Content and Media Strategy at Bateman Group

DilDog — Hacker, Co-Founder, Veracode

Joe Grand (Kingpin) — Hacker

Space Rogue — Global Strategy Lead for X-Force Red, IBM

Mudge — Head of Security, Stripe

Silicosis — Hacker

John Tan — Hacker

Weld Pond — Hacker, Co-Founder, Veracode

2018 is the 20th anniversary of the hacker think-tank L0pht Heavy Industries’ testimony before the US Senate Homeland Security & Governmental Affairs Committee on the topic of weak computer security in government. The testimony made national news when the group announced they could take down the Internet in 30 minutes. It was also the first time hackers using handles appeared before a US legislative body.

Members of the L0pht have grown from their hacker roots to become distinguished leaders and contributors in the security community and beyond. They run multi-million dollar security-focused organizations, have lobbied the government for better security laws, work for some of the largest companies in the world, and continue to spread the message of the positive aspects of hacking.

With several of the L0pht’s original members, this discussion will cover the original testimony and the changes that have happened over the last 20 years. Is the government any more secure? Have they provided enough influence to help protect its citizens’ data? What steps should we take to ensure user security and privacy in the future? We are hoping for audience participation and also welcome questions about any other time in the L0pht’s relatively short, but poignant, existence.

Oh Noes! — A Role Playing Incident Response Game

Friday at 20:00 in Roman Chillout
Fireside Hax | Demo, Audience Participation, Tool

Bruce Potter — Founder, The Shmoo Group

Robert Potter — Hacker

The term “incident response exercise” can strike fear in the hearts of even the most steely-eyed professional. The idea of sitting around a table, talking through a catastrophic security event can be simultaneously exhausting and incredibly boring. However, what if instead of participating in an “incident response exercise,” you instead got to plan an “incident response role playing game?”

Enter our IR roleplaying game, “Oh Noes! An Adventure Through the Cybers and Shit.” As part of our day job, we do quarterly IR exercises. In order to make these exercises more engaging, more fun, and more useful, we turned them into a role playing game. We found it so useful and fun that we’re releasing it at DEF CON along with numerous scenarios for your dungeon master to take you through.

At this talk, we will talk about gamifying IR exercises and the rules of Oh Noes! We will equip you with dice and your own character sheet and we will walk you through the character creating process. That’s right, in Oh Noes! you create your own character with specific skills and abilities that you level up as you play. A group of us will play through a short scenario so you can see how the game works. We will provide several sample scenarios, some ripped from the headlines (and some cribbed from @badthingsdaily) as well as provide guidance on what makes successful scenarios as you transition to be your own dungeon master.

It WISN’t me, attacking industrial wireless mesh networks

Saturday at 10:00 in Track 1
45 minutes | Demo

Erwin Paternotte — Lead security consultant at Nixu

Mattijs van Ommeren — Principal security consultant at Nixu

Wireless sensor networks are commonly thought of as IoT devices communicating using familiar short-range wireless protocols like Zigbee, MiWi, Thread and OpenWSN. A lesser known fact is that about a decade ago, two industrial wireless protocols (WirelessHART and ISA100.11a) were designed for industrial applications, both based on the common IEEE 802.15.4 RF standard. These Wireless Industrial Sensor Networks (WISN) are used in process field device networks to monitor temperature, pressure, levels, flow or vibrations. The petrochemical industry uses WISN in oil and gas fields and plants around the world.

Both IEC-ratified standards have been commonly praised by the ICS industry for their security features, including strong encryption on multiple layers within the protocol stack, resistance to RF interference, and replay protection. While the standards in general look safe on paper, there are potentially interesting attack vectors that require verification. However, security research so far has not yielded any significant results beyond basic attack vectors. Often these attacks have only been theorized, and not (publicly) demonstrated. In addition, vendor implementations have not been thoroughly tested for security by independent third parties, due to protocol complexity and the lack of proper (hardware/software) tools. We strongly believe in Wright’s principle, “Security does not improve until practical tools for exploration of the attack surface are made available.”

Jailbreaking the 3DS through 7 years of hardening

Saturday at 11:00 in Track 3
45 minutes | Demo, Exploit

smea — Hacker

The 3DS was one of Nintendo’s first serious attempts at security, featuring a cool microkernel based OS and actual exploit mitigations. That didn’t stop it from getting hacked pretty hard, making it possible for people to write their own homebrew software for the console. But Nintendo isn’t one to back off from a fight and, as a result, has put significant effort into not only fixing vulnerabilities but also introducing new security features targeted specifically at killing exploit techniques used by hackers. This talk will describe hacking the console through all these defensive features by walking through a 0-day exploit chain that takes us all the way from zero access to a full system jailbreak.

Detecting Blue Team Research Through Targeted Ads

Saturday at 13:30 in Track 2
20 minutes |

0x200b — Hacker

When my implant gets discovered, how will I know? Did the implant stop responding for some benign reason or is the IR team responding? With any luck they’ll upload the sample somewhere public so I can find it, but what if I can find out when they start looking for specific breadcrumbs in public data sources? At some point, without any internal data, all blue teams turn to OSINT, which puts their searches within view of the advertising industry. In this talk I will detail how I was able to use online advertising to detect when a blue team is hot on my trail.

Sex Work After SESTA/FOSTA

Saturday at 14:30 in Track 2
20 minutes |

ALSO AT: SKYTALKS

Maggie Mayhem — MaggieMayhem.Com

Surveillance has been a fact of life for sex workers wherever they have faced prohibition. Since only two elements, communication and association, can differentiate between commercial and personal sex, criminal enforcement of prostitution laws has necessarily meant targeting the speech and affiliation of perceived sex workers. Enforcement of this nature is facilitated by profiling, institutional bias, and broad overreaching policies that fundamentally violate individual human rights. This has included condoms as evidence, non-consensual medical screenings, and targeted harassment of black transgender women, as well as license plate recording projects and stings that focus on disrupting immigration or migrant workers.

For all of its risks, screening potential clients is safer over email than it is in person during a street-based negotiation, often in an isolated part of town. SESTA (Stop Enabling Sex Traffickers Act) comes at a time when compelling research demonstrates that Craigslist resulted in a 17% drop in the female homicide rate. SESTA will also put victims at risk by delaying their identification and recovery by eliminating a digital paper trail. Additionally, Section 230 of the Communications Decency Act is a vital protection for a free internet. Subverting SESTA will create greater economic disparity between sex workers and ultimately empower pimps and agencies over independent providers.

Fire & Ice: Making and Breaking macOS Firewalls

Saturday at 14:30 in Track 3
20 minutes | Demo, Tool, Exploit

Patrick Wardle — Chief Research Officer, Digita Security

In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.

However, on macOS, firewalls are rather poorly understood. Apple’s documentation surrounding its network filter interfaces is rather lacking, and all commercial macOS firewalls are closed source.

This talk aims to take a peek behind the proverbial curtain revealing how to both create and ‘destroy’ macOS firewalls.

In this talk, we’ll first dive into what it takes to create an effective firewall for macOS. Yes we’ll discuss core concepts such as kernel-level socket filtering — but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).

Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we’ll don our ‘gray’ (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today’s most vigilant Mac firewalls.

But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow’s sophisticated Mac malware!

Reverse Engineering Windows Defender’s Emulator

Saturday at 15:00 in Track 2
45 minutes | Demo, Tool

Alexei Bulazel — Hacker

Windows Defender Antivirus’s mpengine.dll implements the core of Defender’s functionality in an enormous ~11 MB, 30,000+ function DLL.

In this presentation, we’ll look at Defender’s emulator for analysis of potentially malicious Windows binaries on the endpoint. To the best of my knowledge, there has never been a conference talk or publication on reverse engineering any antivirus binary emulator before.

We’ll cover a range of topics including emulator internals — machine code to intermediate language translation and execution; memory management; Windows API emulation; NT kernel emulation; file system and registry emulation; integration with Defender’s antivirus features; the virtual environment; etc. — building custom tooling for instrumenting the emulator; tricks that binaries can use to evade or subvert analysis; and attack surface within the emulator.

Attendees will leave with an understanding of how modern antivirus software conducts emulation-based dynamic analysis on the endpoint, and how attackers might go about subverting or attacking these systems. I’ll publish code for a binary for exploring the emulator from within, patches that I developed for instrumenting Defender built on top of Tavis Ormandy’s loadlibrary project, and IDA scripts to help with analyzing mpengine.dll and Defender’s “VDLLs”.

80 to 0 in under 5 seconds: Falsifying a medical patient’s vitals

Saturday at 16:00 in Track 1
45 minutes | Demo

Douglas McKee — Senior Security Researcher for the McAfee Advanced Threat Research team

It seems each day that passes brings new technology and an increasing dependence upon it. The medical field is no exception; medical professionals rely upon technology to provide them with accurate information and base life-changing decisions on this data.

In recent years there has been more attention paid to the security of medical devices; however, there has been little research done on the unique protocols used by these devices. Large health care systems use central monitoring stations that medical personnel rely on to make decisions on patient treatment and other critical care. This information is gathered from many devices on the network using uncommon networking protocols. What if this information wasn’t accurate when a doctor prescribed medication? What if a patient was thought to be peacefully resting, when in fact they were in cardiac arrest?

McAfee’s Advanced Threat Research team has discovered a weakness in the RWHAT protocol, one of the networking protocols used by medical devices to monitor a patient’s condition. This protocol is utilized in some of the most critical systems used in hospitals. This weakness allows the data to be modified by an attacker in real-time to provide false information to medical personnel. Lack of authentication also allows rogue devices to be placed onto the network and mimic patient monitors.

This presentation will include a technical dissection of the security issues inherent in this relatively unknown protocol. It will describe real-world attack scenarios and demonstrate the ability to modify the communications in-transit to directly influence the receiving devices. We will also explore the general lack of security mitigations in the medical devices field, the risks they pose, and techniques to address them. The talk will conclude with a demonstration using actual medical device hardware and a live modification of a patient’s critical data.

The Road to Resilience: How Real Hacking Redeems this Damnable Profession

Saturday at 17:00 in Track 1
45 minutes |

Richard Thieme, a.k.a. neural cowboy — Author and professional speaker, ThiemeWorks

Two years ago Richard Thieme spoke on “Playing Through the Pain: The Impact of Dark Knowledge on Security and Intelligence Professionals” for Def Con 24. He relied on dozens of experiences provided by colleagues over a quarter-century, colleagues from NSA, CIA, corporate, and military. Responses to the presentation have often been emotional and have corroborated his thesis. The real impact of this work on people over the long term has to be mitigated by counter-measures and strategies so scars can be endured or, even better, incorporated and put to use.

In this presentation, Thieme elaborates those strategies and counter-measures. In what is likely his final speech at Def Con, he speaks directly to the “human in the machine” AS a human being. It’s not about leaving the profession: it’s about what we can do to thrive and transcend the challenges. It’s about “saving this space,” this play space of hacking, work and life, and knowing the cost of being fully human while encountering dehumanizing impacts.

It is easier to focus on exploits, cool tools, zero days, and the games we play in the space that “makes us smile.” It is not so easy to know how to play through the pain successfully. The damage to us does not show up in brain scans. It shows up in our families, our relationships, and our lives.

Thieme is not preaching, he is sharing insights based on what he too has had to transcend in his own life. They call a lot of us “supernormals,” which means we discovered resilient responses to deprivation, abuse, profound loss … or the daily challenges of work that makes clear that evil is real. We are driven, we never quit, we fight through adversity, we create and recreate personas that work, we do what has to be done. It pays to know how we do that and know THAT we know so we can recreate resilience in the face of whatever comes our way.

A contractor for NSA suggested that everyone inside the agency should see the video of “Playing Through the Pain.” A long-time Def Con attendee asks all new hires to watch “Staring into the Abyss,” a talk Thieme did a few years before. This subject matter is seldom discussed aloud “out here” and by all accounts is not taken seriously “inside,” which is perhaps why there have been half a dozen suicides lately at NSA and a CIA veteran said, “I have 23 suicides on my mind, the most recent senior people who could not live with what they knew.”

The assumption baked into this talk: real hacking, its ethos and its execution, provides the tools we need to do this damn thing right.

This talk is in honor of Perry Barlow and the EFF.

EFF Fireside Hax (AKA Ask the EFF)

Saturday at 20:00 in Roman Chillout
Fireside Hax | Audience Participation

Kurt Opsahl — Deputy Executive Director & General Counsel, Electronic Frontier Foundation

Nate Cardozo — EFF Senior Staff Attorney

Jamie Lee Williams — EFF Staff Attorney

Andrés Arrieta — Technology Products Manager

Katiza Rodriguez — International Rights Director

Nathan ‘nash’ Sheard — Grassroots Advocacy Organizer

Relax and enjoy a Fireside Hax chat while you get the latest information about how the law is racing to catch up with technological change from staffers at the Electronic Frontier Foundation, the nation’s premiere digital civil liberties group fighting for freedom and privacy in the computer age. This Fireside Hax discussion will include updates on current EFF issues such as the government’s effort to undermine encryption (and add backdoors), the fight for network neutrality, discussion of our technology projects to spread encryption across the Web and emails, updates on cases and legislation affecting security research, and much more. Half the session will be given over to question-and-answer, so it’s your chance to ask EFF questions about the law and technology issues that are important to you.

Beyond the Lulz: Black-Hat Trolling, White-Hat Trolling, Attacking and Defending Our Attention Landscape

Saturday at 20:00 in Octavius 9
Fireside Hax |

Matt Goerzen — Researcher, Data & Society

Dr. Jeanna Matthews — Fellow at Data & Society, Associate Professor of Computer Science at Clarkson University

Joan Donovan — Media Manipulation/Platform Accountability Research Lead, Data and Society in Manhattan

White hat or critical grey hat trolling? Trolling as art? Trolling as hybrid warfare? Trolling as propaganda? In this Fireside Hax, we will challenge your assumptions about trolling. Trolls are attention hackers, using social and technical means to bait journalists, set agendas, game media gatekeepers, and direct audiences. Sometimes they also have fun. We will discuss a range of trolling techniques like sockpuppeting, dogpiling, doxing, attention honeypots, and cognitive denial of service attacks that we have not seen concisely catalogued elsewhere. We will also discuss high-profile examples of trolling such as “training” the Microsoft Tay chatbot, fake Antifa accounts, Russian sockpuppet accounts, and Phineas Fisher’s use of Hacking Team’s Twitter account — and ask attendees to consider each as black hat attacks or grey hat attempts to point out critical societal vulnerabilities that should be “patched.” We will also talk about “troll the troll” accounts like ImposterBuster and YesYoureRacist and the role “white hat trolls” might play in auditing platforms or proposing platform-based controls. Time permitting, we will discuss art projects that trollishly critiqued the European Commission, Google AdSense, and the NSA. This will not be a lecture and it will not shy away from controversy. Join two members of the Media Manipulation Team at Data & Society to collectively consider the role trolling can play in pointing out the flaws in our attention/media landscape.

Breaking Extreme Networks WingOS: How to own millions of devices running on Aircrafts, Government, Smart cities and more.

Sunday at 11:00 in Track 1
45 minutes | Demo, Exploit

Josep Pi Rodriguez — Senior security consultant, IOActive

Extreme Networks’ embedded WingOS (originally created by Motorola) is an operating system used in several wireless devices such as access points and controllers. This OS is being used in Motorola devices, Zebra devices and Extreme Networks’ devices. This research started by focusing on an access point widely used in many aircraft by several worldwide airlines, but ended up in something bigger in terms of devices affected, as this embedded operating system is not only used in APs for aircraft but also in Healthcare, Government, Transportation, Smart cities, small to big enterprises… and more.

Based on public information, we will see how vulnerable devices are actively used (outdoors) in big cities around the world, but also in universities, hotels, casinos, big companies, mines and hospitals, and how this OS provides the Wi-Fi access for places such as the New York City Subway.

In this presentation we will show with technical details how several critical vulnerabilities were found in this embedded OS. First we will introduce some internals and details about the OS, and then we will show the techniques used to reverse engineer the mipsN32 ABI code for the Cavium Octeon processor. It will be discussed how some code was emulated to detect how a dynamic password is generated with a cryptographic algorithm for a root shell backdoor. Besides, it will be shown how some protocols used by some services were reverse engineered to find unauthenticated heap and stack overflow vulnerabilities that could be exploitable through a Wireless or Ethernet connection.

This OS also uses a proprietary layer 2/3 protocol called MiNT. This protocol is used for communication between WingOS devices through VLAN or IP. This protocol was also reverse engineered, and remote heap/stack overflow vulnerabilities found in services using this protocol will be shown. As a live demonstration, 2 devices will be used to exploit a remote stack overflow chaining several vulnerabilities, as the attacker could do inside an aircraft (or other scenarios) through the Wi-Fi. As there are no public shellcodes for the mipsN32 ABI, the particularities of creating a shellcode for mipsN32 ABI will also be discussed.

barcOwned — Popping shells with your cereal box

Sunday at 13:00 in Track 3
20 minutes | Demo

Michael West — Technical Advisor at CyberArk

magicspacekiwi (Colin Campbell) — Web Developer

Barcodes and barcode scanners are ubiquitous in many industries and work with untrusted data on labels, boxes, and even phone screens. Most scanners also allow programming via barcodes to manipulate and inject keystrokes. See the problem? By scanning a few programming barcodes, you can infect a scanner and access the keyboard of the host device, letting you type commands just like a Rubber Ducky. This culminates in barcOwned — a small web app that allows you to program scanners and execute complex, device-agnostic payloads in seconds. Possible applications include keystroke injection (including special keys), infiltration and exfiltration of data on air-gapped systems, and good ol’ denial of service attacks.

Hacking BLE Bicycle Locks for Fun and a Small Profit

Sunday at 14:00 in Track 2
45 minutes | Demo, Tool

Vincent Tan — Senior Security Consultant, MWR InfoSecurity

Hack a lock and get free rides! (No free beer yet though…). This talk will explore the ever growing ride sharing economy and look at how the BLE “Smart” locks on shared bicycles work. The entire solution will be deconstructed and examined, from the mobile application to its supporting web services and finally communications with the lock. We will look at how to go about analysing communications between a mobile device and the lock, what works, what doesn’t.

Previous talks on attacking BLE targeted the protocol itself using various hardware and software such as Ubertooth and Wireshark, which could be potentially difficult for someone new wanting to explore BLE and the ever connected IoT world. I’ll simplify and stupidify the entire process such that anyone with a mobile phone and basic experience with Frida can go about breaking locks and hacking BLE the world over.

PANEL: DEF CON GROUPS

Sunday at 15:00 in Track 1
45 minutes | Audience Participation

Brent White (B1TK1LL3R) DEF CON Groups Global Coordinator

Jeff Moss (The Dark Tangent) Founder, DEF CON

Jayson E. Street DEF CON Groups Global Ambassador

S0ups

Tim Roberts (byt3boy)

Casey Bourbonnais

April Wright

Do you love DEF CON? Do you hate having to wait for it all year? Well, thanks to DEF CON groups, you’re able to carry the spirit of DEF CON with you year round, and with local people, transcending borders, languages, and anything else that may separate us!

In this special event, your DEF CON groups team who works behind the scenes to make DCG possible will introduce themselves and provide status updates. After we’re done talking, the remainder of time will be an informal open floor right there in the room to mingle and talk all things DCG.

There will be a:

Designated area in the room for those wanting to start/join a group
Designated area in the room for those wanting to share project ideas.

CONTINUE TO: HACKER SUMMER CAMP 2018 Guide — Part Five: SIGS, EVENTS AND PARTIES

DCG 201

North East New Jersey DEFCON Group Chapter. Dirty Jersey Represent! We meet at Sub Culture once a month to hack on technology projects! www.defcon201.org