09:00
09:00
25min
Registration
me

Come early to get registered and hang out with us while we get ready for the event!

Blue Day
Blue Day
09:30
09:30
25min
Opening Remarks
me

Listen to some of our announcements for the day at the opening remarks!

Blue Day
Blue Day
10:00
10:00
25min
Mosaic Theory of Information Security
Margaret Fero

In this talk, we discuss the relationship between information combined under mosaic theory in finance and unintentional disclosures faced by security teams. After the talk, you should be able to present concerns about potentially-risky information to business stakeholders using a framework they may already know.

Blue Day
Blue Day
10:30
10:30
25min
Blue Teaming for Human Rights
Megan DeBlois

Let’s take inventory ...
Money: 0
Staff dedicated to security: 0
IT staff: 0
Your adversary: Nation-state actors +
Good luck!

Human rights organizations across the globe face an uphill battle trying to detect nation-state actors trying to compromise their systems. What can we do to support them and how does this impact the rest of us?

Blue Day
Blue Day
11:00
11:00
10min
API's are not just the 21st century developers mullet, they're also how you are getting PWND
Tony Lauro

A look at all the ways APIs are used in the attack process, from ATO (account takeover) and credential abuse automation, to BOT operations for inventory sniping and checkout procedures. This can all be automated and abused thanks to the speed, ease of use, and extensibility of APIs.

Blue Day
Blue Day
11:30
11:30
25min
Don’t run with scissors: how to standardize the way your developers use dangerous aspects of your framework
Morgan Roman

Developers often do not know what the common issues are with the framework they are using. At the same time, most common frameworks ship with easy ways to shoot your application’s security in the foot. In this world we live in, developer education will fail if even one mistake is made, which will expose a dangerous vulnerability. In this talk, we’ll show how you can dramatically reduce the chance developers will shoot themselves in the foot by giving them safer versions of their common tools so your company can ship more secure code.
We will write wrapper classes and safe versions of common tools to eliminate XSS vectors, open redirects, XXE, SSRF, LFI, and other dangerous bugs in your codebase. After that we’ll show simple steps to educate developers and gain traction in your organization. Then we’ll show how easy it is to integrate SAST tools in your CI/CD pipeline to ensure your developers use your safe tools rather than the footguns built into common frameworks.
This session is ideal for security engineers interested in eliminating entire classes of security bugs inside their code base.

Blue Day
Blue Day
12:00
12:00
25min
Down the sinkhole with Kubernetes
Alex Ivkin

Dive into a typical Kubernetes cluster by messing with the popular sidecar containers and supporting infrastructure.

Blue Day
Blue Day
12:30
12:30
25min
TLSMy.net: Enabling HTTPS for home network devices
Karl Koscher

This talk introduces TLSMy.net, a new DNS-based service that allows home network devices to automatically request certificates that can be used with non-routable or dynamic IP addresses.

Blue Day
Blue Day
13:00
13:00
55min
Lunch Break
me

Go grab a quick bite nearby in Mission Bay or Pacific Beach or at one of the food trucks we'll have available in the parking lot

Blue Day
Blue Day
14:00
14:00
25min
Real Life Devsecops
pookie

The healthcare industry is traditionally viewed as slow to adopt new technologies, with precious few examples to the contrary! This talk is about unfettering the modern (security) engineer, even in an environment as restrictive as healthcare, and without breaking (all the) things.

Blue Day
Blue Day
14:30
14:30
25min
Static code analysis should work for developers, not for you
Aravind Sreenivasa

Most commercial static analysis tools today are generic and ineffective. They are not developer oriented as they are built for security professionals. In this presentation, we’ll discuss how we made the process developer friendly by building a code analysis platform that provides relevant findings during code review, with the help of open source static analysis tools.

Blue Day
Blue Day
15:00
15:00
25min
From private to public, working in local government.
Kos (Kyle Osborn)

Why do local governments constantly get compromised? What I've learned after leaving my glamorous pentesting job to join a local municipality.

Blue Day
Blue Day
15:30
15:30
25min
Purple Haze: The SpearPhishing Experience
Jesse (@bashexplode)

Someone great once said "pentesting doesn't have to be all dropping exploits and launching shells." I disagree. Not many people truly understand the grueling task of developing a new campaign, designing sick docs, building killer malware, or why the Red Team operates the way they do during a spearphishing campaign to ‘get those shells’. This talk will cover what the Red Team is really doing when they are trying to gain a foothold through social engineering as well as how Blue Teams can leverage this technical insight to combat the dreaded spearphish.

Blue Day
Blue Day
16:00
16:00
55min
Red Day Registration & Reception Begins
me

Registration opens for Red Day and Conference Reception Party starts. Reception talks start off with 2 Tools Talks, then Demo / Lightning Talks, and then Hacker Jeopardy.

Tools
Blue Day
16:30
16:30
25min
Hacking Even More USB with USB-Tools
Kate Temkin & Mikaela Szekely

USB seems hard -- and it shouldn't. A serious lack of inexpensive tooling has made this relatively simple (and near-omnipresent) protocol seem overwhelming -- to the point where even 'highly-secured' targets ignore USB as a vector for hacking and reverse engineering. In this talk, we discuss our efforts to dispel USB's aura of mystery -- and empower hackers and engineers to observe and interact directly with USB using a set of open-source tools that includes analyzers, fuzzers, and a variety of other USB-poking hardware and software.

Blue Day
Blue Day
17:00
17:00
25min
Card cloning doesn't have to be hard.
David M. N. Bryan - Aka VideoMan

I’ve created an open source web interface to the Proxmark3-rdv4 hardware that makes it easy for anyone to work with the tools. I do a quick overview of technologies, and a live demo of the tool.

Red Day
Blue Day
17:30
17:30
10min
Token Up: Keeping Hands out of the Cookie Jar
Erin Browning

Even in these modern times, we still trade credentials for authentication or session tokens. In typical applications, session tokens received on the client side are stored in either the browser's local storage or as cookies. As an attacker, I want to steal a user's auth token, hijack their session and then take over their account. The browser and a naive user are good attack vectors. We’ll run through how to architect your website to take advantage of various browser-based protections that reduce the impact of common attacks, such as cross-site scripting and privilege escalation.

Blue Day
Blue Day
17:40
17:40
10min
AI HACKER! Automatic vulnerability assessment & pen-testing of embedded & other systems
Ulrich Lang, PhD

We present the results of our government-funded R&D to develop an intelligent automated “vulnerability assessor and penetration tester” (VAPT), usable as a virtual appliance for use on enterprise networks or cyber ranges, and as a portable device for use on embedded systems. It consists of two parts, an AI-supported vulnerability assessor and an AI-supported penetration tester. In one use case it intelligently automates software vulnerability assessment for embedded systems; in another use case, it intelligently automates the tasks of an ethical hacker (penetration tester) via the network, finding systems on the network, discovering vulnerabilities, and exposing them.

Lightning Talks
Blue Day
17:50
17:50
10min
Challenges of X.509 certs
Mike

The application of IoT security to medical devices fails from a clinical perspective. This session will explore the growing debate on whether the use of X.509 certificates is the right solution to securing medical devices.

Lightning Talks
Blue Day
18:00
18:00
10min
Navigating the Infosec Job Search
Kirsten Sireci Renner

This is a discussion about closing the gap between the search for the right job in Infosec, and resolving the [perceived] shortage in available talent. We’ll discuss the challenges on both sides, for employers and candidates, touch on some points and truths that are constant, and identify some tactics for success.

Lightning Talks
Blue Day
18:10
18:10
10min
Mocking HTTP Services with Burp
Shea Polansky

Burp Suite is the standard tool for manipulating HTTP traffic, but it focuses on manually manipulating requests and responses. This talk presents a Burp extension that bridges the gap and allows you to automatically manipulate requests using external software, all within Burp.

Lightning Talks
Blue Day
18:20
18:20
10min
Ethercombing - Blockchain brute force cryptanalysis
Adrian Bednarek

By performing brute force cryptanalysis on public keys to discover private keys, we stumbled on someone doing the same thing, holding over 8 million USD worth of stolen cryptocurrency.

Lightning Talks
Blue Day
18:30
18:30
10min
You're probably a young professional and you should probably be investing. Here's how.
Mike Arnoult

A 25 minute run-down of everything you need to know to understand why you should set up a retirement account in your 20s or 30s, how the different ones work (a 401k vs. Roth IRA vs. Traditional IRA) to pick what's best for you, how to get you started, and how to leverage index funds to get you investing without having to make predictions about stocks.

Lightning Talks
Blue Day
18:40
18:40
10min
Blue Team Set Us Up The SBOM
Beau Woods

What if spotting vulnerabilities in your VPN was as easy as checking for allergens in your applesauce? A Software Bill of Materials (SBOM) brings proven supply chain principles to modern software systems.

Lightning Talks
Blue Day
18:50
18:50
10min
Kiosk Red Pills
Somerset Recon

This talk will focus on the security and attacks against kiosk systems.

Lightning Talks
Blue Day
19:00
19:00
10min
Exploratory Penetration
pookie

Humans are prone to fail, and fails can happen anywhere. This is a whimsical adventure in severe fails that Pookie has personally encountered within the past year. We'll describe real "accidental" scenarios where escalation from partial trust to full systems compromise is possible. (no shodan needed)

Lightning Talks
Blue Day
19:15
19:15
225min
HACKER JEOPARDY: The Road to Vegas, Baby!
Geo... Mark? Hardly!!

Hacker Jeopardy is back! Get a team together, test your brains, and win a place in Vegas at DefCon in 2020.

Tools
Blue Day
09:00
09:00
25min
Registration
me

Come early to get registered and hang out with us while we get ready for the event!

Red Day
Red Day
09:30
09:30
25min
Opening Remarks
me

Listen to some of our announcements for the day at the opening remarks!

Red Day
Red Day
10:00
10:00
25min
EDR Is Coming; Hide Yo Sh!t
Topher Timzen

Utilizing UEFI Firmware Variables to hide malicious payloads from EDR solutions on both Linux and Windows platforms.

Red Day
Red Day
10:30
10:30
25min
Cutting Edge Techniques to Pwn the Gibson
Soldier of FORTRAN

The year is 2019. Mainframes rule the world. They've ruled the world since the 1960s, but I bet you can't even name a single vuln or exploit. This talk aims to change that by presenting current and cutting edge research into mainframe (specifically the big boy itself, z/OS) attacks. New techniques and tools will be released.

Red Day
Red Day
11:00
11:00
25min
Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It.
Antonio Piazza

On Halloween, October 31, 2018, 2 Black Hills Security Researchers, Beau Bullock and Michael Felch, disclosed step-by-step to Google how anyone with a Gmail account could add an event, as "accepted", to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later, is this not fixed? This talk will demonstrate how this "calishing" attack can be utilized in a Red Team operation where the target organization uses G-Suite. I will demonstrate this by leveraging an open source Python tool that I have developed, G-Calisher, based on Beau Bullock's and Michael Felch's PowerShell module "Invoke-InjectGEventAPI" from their MailSniper tool. I will lead the audience through the entire kill chain from recon (how to determine if an organization is using G-Suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.

Red Day
Red Day
11:00
180min
Mock Interview Resume Review Workshop
Kirsten Sireci Renner

I'll be available to help you spiff up your resume and do practice interviews. Come find me on the patio (Patio Track) to discuss.

Patio Bar
The Patio
11:30
11:30
25min
May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)
Bryce Kunz (@TweekFawkes)

Red Teaming inside Google Cloud Platform (GCP): Breach into Targets, Expand Access within Kubernetes (K8s) environments, & Persist!

Red Day
Red Day
12:00
12:00
25min
Using drivers for kernel operations during a Red Team operation
Caleb McGary

During real world attacks and red team engagements, using vulnerable drivers to read, write, and allocate is a powerful tool. This talk will cover how to a) load a vulnerable driver in Windows via code samples and b) use said vulnerable driver to perform some basic actions (read lsass, turn off a service) that a threat actor might do.

Red Day
Red Day
12:30
12:30
25min
NAT Pinning 2.0: bypassing routers & firewalls via web+NAT abuse
Samy Kamkar

NAT Pinning is a combination of techniques to allow an attacker to remotely access any TCP/UDP services bound on a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.

Red Day
Red Day
13:00
13:00
55min
Lunch Break
me

Go grab a quick bite nearby in Mission Bay or Pacific Beach or at one of the food trucks we'll have available in the parking lot

Red Day
Red Day
14:00
14:00
25min
Pen testing by asking questions: the Art of Elicitation
Bruce Potter

Pen testing doesn't have to be all dropping exploits and launching shells. Learning to ask the right questions at the right time can lead to a better understanding of vulnerabilities on your targets than actually running tests.

Red Day
Red Day
14:30
14:30
25min
ZombieLoad: Leaking Data on Intel CPUs
Daniel Moghimi

Meltdown (BlackHat USA 2018) was the first instance of a hardware vulnerability which broke the security guarantees of modern CPUs. Meltdown allowed attackers to leak arbitrary memory by exploiting that Intel CPUs use lazy fault handling and continue transient execution with data retrieved by faulting loads. With stronger kernel isolation, a software workaround to prevent Meltdown attacks, and new CPUs with this vulnerability fixed, Meltdown seemed to be a solved issue.

In this talk, we show that Meltdown is still an issue, on current off-the-shelf CPUs. We present ZombieLoad, a Meltdown-type attack which leaks data across multiple privilege boundaries: processes, kernel, SGX, hyperthreads, and even across virtual machines. We show that Meltdown mitigations do not affect ZombieLoad.
The ZombieLoad attack can be mounted without any user interactions from an unprivileged application, both on Linux and Windows.

To demonstrate the danger of the ZombieLoad attack, we present multiple attacks, such as monitoring the browsing behavior, stealing cryptographic keys, and leaking the root-password hash on Linux. In a live demo, we show that such attacks are not only practical but also easy to mount. We will then discuss mitigations against the ZombieLoad attack.

We outline challenges for future research on Meltdown-type attacks and mitigations. Finally, we will discuss the short-term and long-term implications for hardware vendors, software vendors, and users.

Red Day
Red Day
15:00
15:00
25min
Writing PoCs for processor software side-channels
Volodymyr Pikhur

Talk will mainly focus on how to write proof-of-concepts for recent processor software side-channels and discovery of MDS attacks rather than explaining processor vulnerabilities themselves.

Red Day
Red Day
15:30
15:30
25min
PERCH: Adding a peripheral layer to Ghidra
Rick Housley

PERCH is a tool that adds a new peripheral layer to Ghidra. The parsing of Trace32's .per files enables the augmentation of Ghidra projects with labeled MMIO mappings from thousands of different processors.

Red Day
Red Day
16:00
16:00
25min
chip.fail
Thomas Roth and Josh Datko

All smart devices, from cars to IoT, are based around processors. Often these processors are not considered as part of the threat model when designing a product: There is an implicit trust that they just work and that the security features in the datasheet do what they say. This is especially fatal when the processors are used for security products, such as bitcoin wallets, cars, or authentication tokens.

In this presentation we will take a look at using fault injection attacks to break some of the most popular IoT processors - using less than 100USD of equipment.

We will also release software & hardware tools to do so.

Red Day
Red Day
16:30
16:30
25min
100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans
Jatin Kataria, Ang Cui

First commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a proprietary hardware security module that is used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the foundational root of trust that underpins all other Cisco security and trustworthy computing mechanisms in such devices. We disclose two 0-day vulnerabilities and show a remotely exploitable attack chain that reliably bypasses Cisco Trust Anchor. We present an in-depth analysis of the TAm, from both theoretical and applied perspectives. We present a series of architectural and practical flaws of TAm, describe theoretical methods of attack against such flaws. Next, we enumerate limitations in current state-of-the-art offensive capabilities that made the design of TAm seem secure.
Using Cisco 1001-X series of Trust Anchor enabled routers as a demonstrative platform, we present a detailed analysis of a current implementation of TAm, including results obtained through hardware reverse engineering, Trust Anchor FPGA bitstream analysis, and the reverse engineering of numerous Cisco trustworthy computing mechanisms that depend on TAm. Finally, we present two 0-day vulnerabilities within Cisco IOS and TAm and demonstrate a remotely exploitable attack chain that results in persistent compromise of an up-to-date Cisco router.
We discuss the implementation of our TAm bypass, which involves novel methods of reliably manipulating FPGA functionality through bitstream analysis and modification while circumventing the need to perform RTL reconstruction. The use of our methods of manipulation creates numerous possibilities in the exploitation of embedded systems that use FPGAs. While this presentation focuses on the use of our FPGA manipulation techniques in the context of Cisco Trust Anchor, we briefly discuss other uses of our bitstream modification techniques.

Red Day
Red Day
17:00
17:00
120min
Beach Bonfire Luau & Fireside Closing Remarks
me

Come join us for a bonfire luau on the beach next to the event venue to watch the sunset.

Red Day
Red Day
21:00
21:00
180min
Party @ The Hard Rock
me

Head on down to the Gaslamp to party with DJ Keith Myers and James Ford at the Hard Rock hotel! They'll be rocking the dance floor until 2am.

Red Day
Red Day
10:00
10:00
450min
Food and Chill
me

We'll have food available between 10:00 and 13:00 and other activities all day!

Patio Bar
The Patio
10:00
180min
Skydiving
Jesse (@bashexplode), Volodymyr Pikhur

Go skydiving with your fellow hackers! This activity has a fee to cover the skydiving costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-in with us inside the Tower Club next to the point:
http://www.pacificcoastskydiving.com/tandem-sky-diving-in-california-weight-limit.htm

Skydiving
Skydiving
11:00
11:00
180min
Bike Ride
Bruce Potter

Make sure to show up on time with your bike! There are numerous bike rental shops nearby as well as dockless bikes in the area that you can book with a phone app (Lime, Mobike, Ofo, Spin, Bird, etc) in case you don't mind how fancy your bike is. We're setting up this bike ride to be relatively slow paced so everyone can bike together and will take roughly 2-3 hours for the full round-trip. See you there!

Bike Ride
Bike Ride
11:00
180min
Escape Rooms
Samy Kamkar

Get trapped with Samy at Belmont Park's Escapology. Includes The C0d3 and Budapest Express rooms back to back. This activity has a fee for use of the rooms. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-in at the bar in the Tower Club

Escape Rooms
Escape Rooms
11:00
180min
Hot Tub Island
Jatin Kataria, Ang Cui

Take a boat out to Hot Tub Island! Just meet at the dock next to the event venue to catch a ride out.

Hot Tub Island
Hot Tub Island
11:00
180min
Sail Boat Racing
Thomas Roth and Josh Datko

Learn to sail and then race your friends! This activity has a fee for the lesson and boat rental. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-In at the lawn in front of the MBSC

Sail Boat Racing
Sail Boat Racing
11:00
180min
San Diego Zoo
Caleb McGary, Megan DeBlois

Check out the world famous San Diego Zoo! This activity has a fee to cover your entry ticket and transportation costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check in on the lawn in front of the point.

San Diego Zoo
San Diego Zoo
11:00
180min
Scavenger Hunt
Antonio Piazza

Join us for a crazy hacker scavenger hunt around Mission Bay and Pacific Beach! Just meet at the fun day patio next to the event venue.

Scavenger Hunt
Scavenger Hunt
11:00
180min
Sea World
Kashish Mittal

Head on over to Sea World to see the amazing sea creatures and theme park attractions. This activity has a fee to cover your entry ticket and transportation costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Sea World
Sea World
11:30
11:30
150min
Jet Skiing
Daniel Moghimi

Rent a Jet Ski to zip around the bay on! Just meet at the dock next to the event venue. Includes an hour of usage and training with the sports center staff.

Check-In at the lawn in front of the MBSC

Jet Skiing
Jet Skiing
14:00
14:00
180min
Hot Tub Island
Rick Housley

Take a boat out to Hot Tub Island! Just meet at the dock next to the event venue to catch a ride out.

Hot Tub Island
Hot Tub Island
14:00
180min
Jet Skiing
Alex Ivkin

Rent a Jet Ski to zip around the bay on! Just meet at the dock next to the event venue. Includes an hour of usage and training with the sports center staff.

Check-In at the lawn in front of the MBSC

Jet Skiing
Jet Skiing
14:30
14:30
180min
Micro Brewery Boat
Karl Koscher

We discovered that the conference venue has a Paddle Pub so we decided to switch this to a Microbrew Boat! We'll be stocking the boat with some of the best beer from Micro Breweries around San Diego and setting sail just in the afternoon. If you're interested in joining the boat, go see registration during the con and they may be able to fit you in. The boat trip includes beer and captained boat for 2 hours. Make sure to show up at 2:30, the boat will be leaving dock at 3:00pm sharp! https://paddlepub.com/san-diego/

Check-In at the Hot Tub Cruizin stand in the bathroom courtyard

Micro Brewery Boat
Micro Brewery Tour
15:00
15:00
180min
Bike Ride
David M. N. Bryan - Aka VideoMan

Make sure to show up on time with your bike! There are numerous bike rental shops nearby as well as dockless bikes in the area that you can book with a phone app (Lime, Mobike, Ofo, Spin, Bird, etc) in case you don't mind how fancy your bike is. We're setting up this bike ride to be relatively slow paced so everyone can bike together and will take roughly 2-3 hours for the full round-trip. See you there!

Bike Ride
Bike Ride
15:00
180min
Escape Rooms
Kos (Kyle Osborn)

Get trapped with Kos at Belmont Park's Escapology. Includes The C0d3 and Budapest Express rooms back to back. This activity has a fee for use of the rooms. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-in at the bar in the Tower Club

Escape Rooms
Escape Rooms
15:00
180min
Sail Boat Racing
Topher Timzen

Learn to sail and then race your friends! This activity has a fee for the lesson and boat rental. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-In at the lawn in front of the MBSC

Sail Boat Racing
Sail Boat Racing
15:00
180min
Scavenger Hunt
Aravind Sreenivasa

Join us for a crazy hacker scavenger hunt around Mission Bay and Pacific Beach! Just meet at the fun day patio next to the event venue.

Scavenger Hunt
Scavenger Hunt