Come early to get registered and hang out with us while we get ready for the event!
Listen to some of our announcements for the day at the opening remarks!
In this talk, we discuss the relationship between information combined under mosaic theory in finance and unintentional disclosures faced by security teams. After the talk, you should be able to present concerns about potentially-risky information to business stakeholders using a framework they may already know.
Let’s take inventory ...
Money: 0
Staff dedicated to security: 0
IT staff: 0
Your adversary: Nation-state actors +
Good luck!
Human rights organizations across the globe face an uphill battle trying to detect nation-state actors trying to compromise their systems. What can we do to support them and how does this impact the rest of us?
A look at all the ways APIs are used in the attack process, from ATO (account takeover) and credential abuse automation, to bot operations for inventory sniping and checkout procedures. This can all be automated and abused thanks to the speed, ease of use, and extensibility of APIs.
Developers often do not know what the common issues are with the framework they are using. At the same time, most common frameworks ship with easy ways to shoot your application’s security in the foot. In this world we live in, developer education will fail if even one mistake is made, which will expose a dangerous vulnerability. In this talk, we’ll show how you can dramatically reduce the chance developers will shoot themselves in the foot by giving them safer versions of their common tools so your company can ship more secure code.
We will write wrapper classes and safe versions of common tools to eliminate XSS vectors, open redirects, XXE, SSRF, LFI, and other dangerous bugs in your codebase. After that we’ll show simple steps to educate developers and gain traction in your organization. Then we’ll show how easy it is to integrate SAST tools in your CI/CD pipeline to ensure your developers use your safe tools rather than the footguns built into common frameworks.
This session is ideal for security engineers interested in eliminating entire classes of security bugs inside their code base.
Dive into a typical Kubernetes cluster by messing with the popular sidecar containers and supporting infrastructure.
This talk introduces TLSMy.net, a new DNS-based service that allows home network devices to automatically request certificates that can be used with non-routable or dynamic IP addresses.
Go grab a quick bite nearby in Mission Bay or Pacific Beach or at one of the food trucks we'll have available in the parking lot.
The healthcare industry is traditionally viewed as slow to adopt new technologies, with precious few examples to the contrary! This talk is about unfettering the modern (security) engineer, even in an environment as restrictive as healthcare, and without breaking (all the) things.
Most commercial static analysis tools today are generic and ineffective. They are not developer-oriented, as they are built for security professionals. In this presentation, we’ll discuss how we made the process developer-friendly by building a code analysis platform that provides relevant findings during code review, with the help of open source static analysis tools.
Why do local governments constantly get compromised? What I've learned after leaving my glamorous pentesting job to join a local municipality.
Someone great once said "pentesting doesn't have to be all dropping exploits and launching shells." I disagree. Not many people truly understand the grueling task of developing a new campaign, designing sick docs, building killer malware, or why the Red Team operates the way they do during a spearphishing campaign to ‘get those shells’. This talk will cover what the Red Team is really doing when they are trying to gain a foothold through social engineering as well as how Blue Teams can leverage this technical insight to combat the dreaded spearphish.
Registration opens for Red Day and Conference Reception Party starts. Reception talks start off with 2 Tools Talks, then Demo / Lightning Talks, and then Hacker Jeopardy.
USB seems hard -- and it shouldn't. A serious lack of inexpensive tooling has made this relatively simple (and near-omnipresent) protocol seem overwhelming -- to the point where even 'highly-secured' targets ignore USB as a vector for hacking and reverse engineering. In this talk, we discuss our efforts to dispel USB's aura of mystery -- and empower hackers and engineers to observe and interact directly with USB using a set of open-source tools that includes analyzers, fuzzers, and a variety of other USB-poking hardware and software.
I’ve created an open source web interface to the Proxmark3-rdv4 hardware that makes it easy for anyone to work with the tools. I'll do a quick overview of the technologies and a live demo of the tool.
Even in these modern times, we still trade credentials for authentication or session tokens. In typical applications, session tokens received on the client side are stored in either the browser's local storage or as cookies. As an attacker, I want to steal a user's auth token, hijack their session and then take over their account. The browser and a naive user are good attack vectors. We’ll run through how to architect your website to take advantage of various browser-based protections that reduce the impact of common attacks, such as cross-site scripting and privilege escalation.
We present the results of our government-funded R&D to develop an intelligent automated vulnerability assessor and penetration tester (VAPT), usable as a virtual appliance on enterprise networks or cyber ranges, and as a portable device for use on embedded systems. It consists of two parts, an AI-supported vulnerability assessor and an AI-supported penetration tester. In one use case it intelligently automates software vulnerability assessment for embedded systems; in another use case, it intelligently automates the tasks of an ethical hacker (penetration tester) via the network, finding systems on the network, discovering vulnerabilities, and exposing them.
The application of IoT security to medical devices fails from a clinical perspective. This session will explore the growing debate on whether the use of X.509 certificates is the right solution to securing medical devices.
This is a discussion about closing the gap between the search for the right job in Infosec, and resolving the [perceived] shortage in available talent. We’ll discuss the challenges on both sides, for employers and candidates, touch on some points and truths that are constant, and identify some tactics for success.
Burp Suite is the standard tool for manipulating HTTP traffic, but it focuses on manually manipulating requests and responses. This talk presents a Burp extension that bridges the gap and allows you to automatically manipulate requests using external software, all within Burp.
By performing brute force cryptanalysis on public keys to discover private keys, we stumbled on someone doing the same thing, holding over 8 million USD worth of stolen cryptocurrency.
A 25 minute run-down of everything you need to know to understand why you should set up a retirement account in your 20s or 30s, how the different ones work (a 401k vs. Roth IRA vs. Traditional IRA) to pick what's best for you, how to get you started, and how to leverage index funds to get you investing without having to make predictions about stocks.
What if spotting vulnerabilities in your VPN was as easy as checking for allergens in your applesauce? A Software Bill of Materials (SBOM) brings proven supply chain principles to modern software systems.
This talk will focus on the security and attacks against kiosk systems.
Humans are prone to fail, and fails can happen anywhere. This is a whimsical adventure in severe fails that Pookie has personally encountered within the past year. We'll describe real "accidental" scenarios where escalation from partial trust to full systems compromise is possible. (no shodan needed)
Hacker Jeopardy is back! Get a team together, test your brains, and win a place in Vegas at DefCon in 2020.
Come early to get registered and hang out with us while we get ready for the event!
Listen to some of our announcements for the day at the opening remarks!
Utilizing UEFI Firmware Variables to hide malicious payloads from EDR solutions on both Linux and Windows platforms.
The year is 2019. Mainframes rule the world. They've ruled the world since the 1960s, but I bet you can't even name a single vuln or exploit. This talk aims to change that by presenting current and cutting edge research into mainframe (specifically the big boy itself, z/OS) attacks. New techniques and tools will be released.
On Halloween, October 31, 2018, two Black Hills Security researchers, Beau Bullock and Michael Felch, disclosed step-by-step to Google how anyone with a Gmail account could add an event, as "accepted", to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year later, is this not fixed? This talk will demonstrate how this "calishing" attack can be utilized in a Red Team operation where the target organization uses G-Suite. I will demonstrate this by leveraging an open source Python tool that I have developed, G-Calisher, based on Beau Bullock's and Michael Felch's PowerShell module "Invoke-InjectGEventAPI" from their MailSniper tool. I will lead the audience through the entire kill chain from recon (how to determine if an organization is using G-Suite for its email) through Command and Control. I will also discuss how the organization can stop this attack.
I'll be available to help you spiff up your resume and do practice interviews. Come find me on the patio (Patio Track) to discuss.
Red Teaming inside Google Cloud Platform (GCP): Breach into Targets, Expand Access within Kubernetes (K8s) environments, & Persist!
During real world attacks and red team engagements, using vulnerable drivers to read, write, and allocate memory is a powerful tool. This talk will cover how to a) load a vulnerable driver in Windows via code samples and b) use said vulnerable driver to perform some basic actions (read lsass, turn off a service) that a threat actor might do.
NAT Pinning is a combination of techniques to allow an attacker to remotely access any TCP/UDP services bound on a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.
Go grab a quick bite nearby in Mission Bay or Pacific Beach or at one of the food trucks we'll have available in the parking lot.
Pen testing doesn't have to be all dropping exploits and launching shells. Learning to ask the right questions at the right time can lead to a better understanding of vulnerabilities on your targets than actually running tests.
Meltdown (BlackHat USA 2018) was the first instance of a hardware vulnerability which broke the security guarantees of modern CPUs. Meltdown allowed attackers to leak arbitrary memory by exploiting the fact that Intel CPUs use lazy fault handling and continue transient execution with data retrieved by faulting loads. With stronger kernel isolation, a software workaround to prevent Meltdown attacks, and new CPUs with this vulnerability fixed, Meltdown seemed to be a solved issue.
In this talk, we show that Meltdown is still an issue, on current off-the-shelf CPUs. We present ZombieLoad, a Meltdown-type attack which leaks data across multiple privilege boundaries: processes, kernel, SGX, hyperthreads, and even across virtual machines. We show that Meltdown mitigations do not affect ZombieLoad.
The ZombieLoad attack can be mounted without any user interaction from an unprivileged application, both on Linux and Windows.
To demonstrate the danger of the ZombieLoad attack, we present multiple attacks, such as monitoring the browsing behavior, stealing cryptographic keys, and leaking the root-password hash on Linux. In a live demo, we show that such attacks are not only practical but also easy to mount. We will then discuss mitigations against the ZombieLoad attack.
We outline challenges for future research on Meltdown-type attacks and mitigations. Finally, we will discuss the short-term and long-term implications for hardware vendors, software vendors, and users.
This talk will mainly focus on how to write proofs-of-concept for recent processor software side-channels and on the discovery of MDS attacks, rather than explaining the processor vulnerabilities themselves.
PERCH is a tool that adds a new peripheral layer to Ghidra. The parsing of Trace32's .per files enables the augmentation of Ghidra projects with labeled MMIO mappings from thousands of different processors.
All smart devices, from cars to IoT, are based around processors. Often these processors are not considered as part of the threat model when designing a product: There is an implicit trust that they just work and that the security features in the datasheet do what they say. This is especially fatal when the processors are used for security products, such as bitcoin wallets, cars, or authentication tokens.
In this presentation we will take a look at using fault injection attacks to break some of the most popular IoT processors, using less than 100 USD of equipment.
We will also release software & hardware tools to do so.
First commercially introduced in 2013, the Cisco Trust Anchor module (TAm) is a proprietary hardware security module that is used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the foundational root of trust that underpins all other Cisco security and trustworthy computing mechanisms in such devices. We disclose two 0-day vulnerabilities and show a remotely exploitable attack chain that reliably bypasses Cisco Trust Anchor. We present an in-depth analysis of the TAm, from both theoretical and applied perspectives. We present a series of architectural and practical flaws of TAm and describe theoretical methods of attack against such flaws. Next, we enumerate limitations in current state-of-the-art offensive capabilities that made the design of TAm seem secure.
Using the Cisco 1001-X series of Trust Anchor enabled routers as a demonstrative platform, we present a detailed analysis of a current implementation of TAm, including results obtained through hardware reverse engineering, Trust Anchor FPGA bitstream analysis, and the reverse engineering of numerous Cisco trustworthy computing mechanisms that depend on TAm. Finally, we present two 0-day vulnerabilities within Cisco IOS and TAm and demonstrate a remotely exploitable attack chain that results in persistent compromise of an up-to-date Cisco router.
We discuss the implementation of our TAm bypass, which involves novel methods of reliably manipulating FPGA functionality through bitstream analysis and modification while circumventing the need to perform RTL reconstruction. The use of our methods of manipulation creates numerous possibilities in the exploitation of embedded systems that use FPGAs. While this presentation focuses on the use of our FPGA manipulation techniques in the context of Cisco Trust Anchor, we briefly discuss other uses of our bitstream modification techniques.
Come join us for a bonfire luau on the beach next to the event venue to watch the sunset.
Head on down to the Gaslamp to party with DJ Keith Myers and James Ford at the Hard Rock hotel! They'll be rocking the dance floor until 2am.
We'll have food available between 10:00 and 13:00 and other activities all day!
Go skydiving with your fellow hackers! This activity has a fee to cover the skydiving costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH
Check-in with us inside the Tower Club next to the point:
http://www.pacificcoastskydiving.com/tandem-sky-diving-in-california-weight-limit.htm
Make sure to show up on time with your bike! There are numerous bike rental shops nearby as well as dockless bikes in the area that you can book with a phone app (Lime, Mobike, Ofo, Spin, Bird, etc) in case you don't mind how fancy your bike is. We're setting up this bike ride to be relatively slow paced so everyone can bike together and will take roughly 2-3 hours for the full round-trip. See you there!
Get trapped with Samy at Belmont Park's Escapology. Includes The C0d3 and Budapest Express rooms back to back. This activity has a fee for use of the rooms. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH
Check-in at the bar in the Tower Club
Take a boat out to Hot Tub Island! Just meet at the dock next to the event venue to catch a ride out.
Learn to sail and then race your friends! This activity has a fee for the lesson and boat rental. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH
Check-In at the lawn in front of the MBSC
Check out the world famous San Diego Zoo! This activity has a fee to cover your entry ticket and transportation costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH
Check in on the lawn in front of the point.
Join us for a crazy hacker scavenger hunt around Mission Bay and Pacific Beach! Just meet at the fun day patio next to the event venue.
Head on over to Sea World to see the amazing sea creatures and theme park attractions. This activity has a fee to cover your entry ticket and transportation costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH
Rent a Jet Ski to zip around the bay on! Just meet at the dock next to the event venue. Includes an hour of usage and training with the sports center staff.
Check-In at the lawn in front of the MBSC
Take a boat out to Hot Tub Island! Just meet at the dock next to the event venue to catch a ride out.
Rent a Jet Ski to zip around the bay on! Just meet at the dock next to the event venue. Includes an hour of usage and training with the sports center staff.
Check-In at the lawn in front of the MBSC
We discovered that the conference venue has a Paddle Pub, so we decided to switch this to a Microbrew Boat! We'll be stocking the boat with some of the best beer from microbreweries around San Diego and setting sail in the afternoon. If you're interested in joining the boat, go see registration during the con and they may be able to fit you in. The boat trip includes beer and a captained boat for 2 hours. Make sure to show up at 2:30; the boat will be leaving the dock at 3:00pm sharp! https://paddlepub.com/san-diego/
Check-In at the Hot Tub Cruizin stand in the bathroom courtyard
Make sure to show up on time with your bike! There are numerous bike rental shops nearby as well as dockless bikes in the area that you can book with a phone app (Lime, Mobike, Ofo, Spin, Bird, etc) in case you don't mind how fancy your bike is. We're setting up this bike ride to be relatively slow paced so everyone can bike together and will take roughly 2-3 hours for the full round-trip. See you there!
Get trapped with Kos at Belmont Park's Escapology. Includes The C0d3 and Budapest Express rooms back to back. This activity has a fee for use of the rooms. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH
Check-in at the bar in the Tower Club
Learn to sail and then race your friends! This activity has a fee for the lesson and boat rental. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH
Check-In at the lawn in front of the MBSC
Join us for a crazy hacker scavenger hunt around Mission Bay and Pacific Beach! Just meet at the fun day patio next to the event venue.