»Hacking Even More USB with USB-Tools« Kate Temkin & Mikaela Szekely; Talk (25 minutes)

USB seems hard -- and it shouldn't. A serious lack of inexpensive tooling has made this relatively simple (and near-omnipresent) protocol seem overwhelming -- to the point where even 'highly-secured' targets ignore USB as a vector for hacking and reverse engineering. In this talk, we discuss our ...


»Writing PoCs for processor software side-channels« Volodymyr Pikhur; Talk (25 minutes)

This talk will mainly focus on how to write proof-of-concepts for recent processor software side-channels and on the discovery of MDS attacks, rather than explaining the processor vulnerabilities themselves.


»chip.fail« Thomas Roth and Josh Datko; Talk (25 minutes)

All smart devices, from cars to IoT, are based around processors. Often these processors are not considered as part of the threat model when designing a product: There is an implicit trust that they just work and that the security features in the datasheet do what they say. This is especially fat...


»EDR Is Coming; Hide Yo Sh!t« Michael Leibowitz, Principal Troublemaker and Topher Timzen, Principal Vulnerability Enthusiast; Talk (25 minutes)

Utilizing UEFI Firmware Variables to hide malicious payloads from EDR solutions on both Linux and Windows platforms.


»Cutting Edge Techniques to Pwn the Gibson« Soldier of FORTRAN; Talk (25 minutes)

The year is 2019. Mainframes rule the world. They've ruled the world since the 1960s, but I bet you can't even name a single vuln or exploit. This talk aims to change that by presenting current and cutting edge research into mainframe (specifically the big boy itself, z/OS) attacks. New technique...


»ZombieLoad: Leaking Data on Intel CPUs« Daniel Moghimi; Talk (25 minutes)

Meltdown (BlackHat USA 2018) was the first instance of a hardware vulnerability which broke the security guarantees of modern CPUs. Meltdown allowed attackers to leak arbitrary memory by exploiting that Intel CPUs use lazy fault handling and continue transient execution with data retrieved by fau...


»100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans« Jatin Kataria, Ang Cui; Talk (25 minutes)

First commercially introduced in 2013, Cisco Trust Anchor module (TAm) is a proprietary hardware security module that is used in a wide range of Cisco products, including enterprise routers, switches and firewalls. TAm is the foundational root of trust that underpins all other Cisco security and t...


»NAT Pinning 2.0: bypassing routers & firewalls via web+NAT abuse« Samy Kamkar; Talk (25 minutes)

NAT Pinning is a combination of techniques to allow an attacker to remotely access any TCP/UDP services bound on a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.


»Card cloning doesn't have to be hard.« David Bryan - Aka VideoMan; Talk (25 minutes)

I’ve created an open source web interface to the Proxmark3-rdv4 hardware that makes it easy for anyone to work with the tools. I do a quick overview of technologies, and a live demo of the tool.


»May the Cloud be with You: Red Teaming GCP (Google Cloud Platform)« Bryce Kunz (@TweekFawkes); Talk (25 minutes)

Red Teaming inside Google Cloud Platform (GCP): Breach into Targets, Expand Access within Kubernetes (K8s) environments, & Persist!


»Pen testing by asking questions: the Art of Elicitation« Bruce Potter; Talk (25 minutes)

Pen testing doesn't have to be all dropping exploits and launching shells. Learning to ask the right questions at the right time can lead to a better understanding of vulnerabilities on your targets than actually running tests.


»Using drivers for kernel operations during a Red Team operation« Caleb McGary; Talk (25 minutes)

During real world attacks and red team engagements, using vulnerable drivers to read, write, and allocate is a powerful tool. This talk will cover how to a) load a vulnerable driver in Windows via code samples and b) use said vulnerable driver to perform some basic actions (read lsass, turn off a...


»PERCH: Adding a peripheral layer to Ghidra« Rick Housley; Talk (25 minutes)

PERCH is a tool that adds a new peripheral layer to Ghidra. The parsing of Trace32's .per files enables the augmentation of Ghidra projects with labeled MMIO mappings from thousands of different processors.


»TLSMy.net: Enabling HTTPS for home network devices« Karl Koscher; Talk (25 minutes)

This talk introduces TLSMy.net, a new DNS-based service that allows home network devices to automatically request certificates that can be used with non-routable or dynamic IP addresses.


»Blue Teaming for Human Rights« Megan DeBlois; Talk (25 minutes)

Let’s take inventory ... Money: 0; Staff dedicated to security: 0; IT staff: 0; Your adversary: Nation-state actors + Good luck!

Human rights organizations across the globe face an uphill battle trying to detect nation-state actors trying to compromise their systems. What can we do to support them...


»Down the sinkhole with Kubernetes« Alex Ivkin; Talk (25 minutes)

Dive into a typical Kubernetes cluster by messing with the popular sidecar containers and supporting infrastructure.


»Static code analysis should work for developers, not for you« Aravind Sreenivasa; Talk (25 minutes)

Most commercial static analysis tools today are generic and ineffective. They are not developer oriented as they are built for security professionals. In this presentation, we’ll discuss how we made the process developer friendly by building a code analysis platform that provides relevant finding...


»Don’t run with scissors: how to standardize the way your developers use dangerous aspects of your framework« Morgan Roman; Talk (25 minutes)

Developers often do not know what the common issues are with the framework they are using. At the same time, most common frameworks ship with easy ways to shoot your application’s security in the foot. In this world we live in, developer education will fail if even one mistake is made, which will...


»From private to public, working in local government.« Kos (Kyle Osborn); Talk (25 minutes)

Why do local governments constantly get compromised? What I've learned after leaving my glamorous pentesting job to join a local municipality.


»Lunch Break« Unnamed user; Placeholder (55 minutes)

Go grab a quick bite nearby in Mission Bay or Pacific Beach or at one of the food trucks we'll have available in the parking lot


»Purple Haze: The SpearPhishing Experience« Jesse (@bashexplode); Talk (25 minutes)

Someone great once said "pentesting doesn't have to be all dropping exploits and launching shells." I disagree. Not many people truly understand the grueling task of developing a new campaign, designing sick docs, building killer malware, or why the Red Team operates the way they do during a spea...


»Gone Calishing: A Red Team Approach to Weaponizing Google Calendar and How to Stop It.« Antonio Piazza; Talk (25 minutes)

On Halloween, October 31, 2018, 2 Black Hills Security Researchers, Beau Bullock and Michael Felch, disclosed step-by-step to Google how anyone with a Gmail account could add an event, as "accepted", to any Google Calendar via the Google Calendar API. Google called it a feature. Why, a year late...


»Mosaic Theory of Information Security« Margaret Fero; Talk (25 minutes)

In this talk, we discuss the relationship between information combined under mosaic theory in finance and unintentional disclosures faced by security teams. After the talk, you should be able to present concerns about potentially-risky information to business stakeholders using a framework they m...


»AI HACKER! Automatic vulnerability assessment & pen-testing of embedded & other systems« Ulrich Lang, PhD; Demo / Lightning Talk (10 minutes)

We present the results of our government-funded R&D to develop an intelligent automated “vulnerability assessor and penetration tester” (VAPT), usable as a virtual appliance on enterprise networks or cyber ranges, and as a portable device for use on embedded systems. It consists of two...


»Challenges of X.509 certs« Mike; Demo / Lightning Talk (10 minutes)

The application of IoT security to medical devices fails from a clinical perspective. This session will explore the growing debate on whether the use of X.509 certificates is the right solution to securing medical devices.


»Navigating the Infosec Job Search« Kirsten Sireci Renner; Demo / Lightning Talk (10 minutes)

This is a discussion about closing the gap between the search for the right job in Infosec, and resolving the [perceived] shortage in available talent. We’ll discuss the challenges on both sides, for employers and candidates, touch on some points and truths that are constant, and identify some t...


»Mocking HTTP Services with Burp« Shea Polansky; Demo / Lightning Talk (10 minutes)

Burp Suite is the standard tool for manipulating HTTP traffic, but it focuses on manually manipulating requests and responses. This talk presents a Burp extension that bridges the gap and allows you to automatically manipulate requests using external software, all within Burp.


»Ethercombing - Blockchain brute force cryptanalysis« Adrian Bednarek; Demo / Lightning Talk (10 minutes)

By performing brute force cryptanalysis on public keys to discover private keys, we stumbled on someone doing the same thing, holding over 8 million USD worth of stolen cryptocurrency.


»You're probably a young professional and you should probably be investing. Here's how.« Mike Arnoult; Demo / Lightning Talk (10 minutes)

A 25 minute run-down of everything you need to know to understand why you should set up a retirement account in your 20s or 30s, how the different ones work (a 401k vs. Roth IRA vs. Traditional IRA) to pick what's best for you, how to get you started, and how to leverage index funds to get you in...


»Red Day Registration & Reception Begins« Unnamed user; Placeholder (55 minutes)

Registration opens for Red Day and Conference Reception Party starts. Reception talks start off with 2 Tools Talks, then Demo / Lightning Talks, and then Hacker Jeopardy.


»HACKER JEOPARDY: The Road to Vegas, Baby!« Geo... Mark? Hardly!!; Placeholder (55 minutes)

Hacker Jeopardy is back! Get a team together, test your brains, and win a place in Vegas at DefCon in 2020.


»Sea World« Kashish Mittal; Activity (3 hours)

Head on over to Sea World to see the amazing sea creatures and theme park attractions. This activity has a fee to cover your entry ticket and transportation costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH


»San Diego Zoo« Caleb McGary, Megan DeBlois; Activity (3 hours)

Check out the world famous San Diego Zoo! This activity has a fee to cover your entry ticket and transportation costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check in on the lawn in front of the point.


»Skydiving« Jesse (@bashexplode), Volodymyr Pikhur; Activity (3 hours)

Go skydiving with your fellow hackers! This activity has a fee to cover the skydiving costs. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-in with us inside the Tower Club next to the point: http://www....


»Micro Brewery Boat« Karl Koscher; Activity (3 hours)

We discovered that the conference venue has a Paddle Pub so we decided to switch this to a Microbrew Boat! We'll be stocking the boat with some of the best beer from Micro Breweries around San Diego and setting sail just in the afternoon. If you're interested in joining the boat, go see registrat...


»Escape Rooms« Kos (Kyle Osborn); Activity (3 hours)

Get trapped with Kos at Belmont Park's Escapology. Includes The C0d3 and Budapest Express rooms back to back. This activity has a fee for use of the rooms. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-...


»Escape Rooms« Samy Kamkar; Activity (3 hours)

Get trapped with Samy at Belmont Park's Escapology. Includes The C0d3 and Budapest Express rooms back to back. This activity has a fee for use of the rooms. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check...


»Sail Boat Racing« Michael Leibowitz, Principal Troublemaker and Topher Timzen, Principal Vulnerability Enthusiast; Activity (3 hours)

Learn to sail and then race your friends! This activity has a fee for the lesson and boat rental. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-In at the lawn in front of the MBSC


»Sail Boat Racing« Thomas Roth and Josh Datko; Activity (3 hours)

Learn to sail and then race your friends! This activity has a fee for the lesson and boat rental. Make sure to register before spots run out: https://www.universe.com/events/toorcon-twenty-one-san-diego-2019-tickets-san-diego-M6SPYH

Check-In at the lawn in front of the MBSC


»Scavenger Hunt« Aravind Sreenivasa; Activity (3 hours)

Join us for a crazy hacker scavenger hunt around Mission Bay and Pacific Beach! Just meet at the fun day patio next to the event venue.


»Scavenger Hunt« Antonio Piazza; Activity (3 hours)

Join us for a crazy hacker scavenger hunt around Mission Bay and Pacific Beach! Just meet at the fun day patio next to the event venue.


»Hot Tub Island« Rick Housley; Activity (3 hours)

Take a boat out to Hot Tub Island! Just meet at the dock next to the event venue to catch a ride out.


»Hot Tub Island« Jatin Kataria, Ang Cui; Activity (3 hours)

Take a boat out to Hot Tub Island! Just meet at the dock next to the event venue to catch a ride out.


»Jet Skiing« Alex Ivkin; Activity (3 hours)

Rent a Jet Ski to zip around the bay on! Just meet at the dock next to the event venue. Includes an hour of usage and training with the sports center staff.

Check-In at the lawn in front of the MBSC


»Jet Skiing« Daniel Moghimi; Activity (3 hours)

Rent a Jet Ski to zip around the bay on! Just meet at the dock next to the event venue. Includes an hour of usage and training with the sports center staff.

Check-In at the lawn in front of the MBSC


»Food and Chill« Unnamed user; Placeholder (55 minutes)

We'll have food available between 10:00 and 13:00 and other activities all day!


»Bike Ride« Bruce Potter; Activity (3 hours)

Make sure to show up on time with your bike! There are numerous bike rental shops nearby as well as dockless bikes in the area that you can book with a phone app (Lime, Mobike, Ofo, Spin, Bird, etc.) in case you don't mind how fancy your bike is. We're setting up this bike ride to be relatively sl...


»Bike Ride« David Bryan - Aka VideoMan; Activity (3 hours)

Make sure to show up on time with your bike! There are numerous bike rental shops nearby as well as dockless bikes in the area that you can book with a phone app (Lime, Mobike, Ofo, Spin, Bird, etc.) in case you don't mind how fancy your bike is. We're setting up this bike ride to be relatively sl...


»Real Life Devsecops« John (@0xpookie); Talk (25 minutes)

The healthcare industry is traditionally viewed as slow to adopt new technologies, with precious few examples to the contrary! This talk is about unfettering the modern (security) engineer, even in an environment as restrictive as healthcare, and without breaking (all the) things.


»Blue Team Set Us Up The SBOM« Beau Woods; Demo / Lightning Talk (10 minutes)

What if spotting vulnerabilities in your VPN was as easy as checking for allergens in your applesauce? A Software Bill of Materials (SBOM) brings proven supply chain principles to modern software systems.


»API's are not just the 21st century developers mullet, they're also how you are getting PWND« Tony Lauro; Talk (25 minutes)

A look at all the ways APIs are used in the attack process, from ATO (account takeover) and credential abuse automation, to BOT operations for inventory sniping and checkout procedures. This can all be automated and abused thanks to the speed, ease of use, and extensibility of APIs.


»Kiosk Red Pills« Marcus Richerson; Demo / Lightning Talk (10 minutes)

This talk will focus on the security and attacks against kiosk systems.


»Beach Bonfire Luau & Fireside Closing Remarks« Unnamed user; Activity (3 hours)

Come join us for a bonfire luau on the beach next to the event venue to watch the sunset.


»Mock Interview Resume Review Workshop« Kirsten Sireci Renner; Activity (3 hours)

I'll be available to help you spiff up your resume and do practice interviews. Come find me on the patio (Patio Track) to discuss.


»Party @ The Hard Rock« Unnamed user; Activity (3 hours)

Head on down to the Gaslamp to party with DJ Keith Myers and James Ford at the Hard Rock hotel! They'll be rocking the dance floor until 2am.


»Registration« Unnamed user; Talk (25 minutes)

Come early to get registered and hang out with us while we get ready for the event!


»Opening Remarks« Unnamed user; Talk (25 minutes)

Listen to some of our announcements for the day at the opening remarks!


»Exploratory Penetration« John (@0xpookie); Demo / Lightning Talk (10 minutes)

Humans are prone to fail, and fails can happen anywhere. This is a whimsical adventure in severe fails that Pookie has personally encountered within the past year. We'll describe real "accidental" scenarios where escalation from partial trust to full systems compromise is possible. (no shodan nee...


»Token Up: Keeping Hands out of the Cookie Jar« Erin Browning; Demo / Lightning Talk (10 minutes)

Even in these modern times, we still trade credentials for authentication or session tokens. In typical applications, session tokens received on the client side are stored in either the browser's local storage or as cookies. As an attacker, I want to steal a user's auth token, hijack their sessio...