Keynotes (50 Minute)
- Emmanuel Goldstein - "The Evolution of Hackers Over the Years"
- Bio: Emmanuel Goldstein directs the organization 2600 Enterprises, Inc., publishes a magazine called 2600: The Hacker Quarterly (which has associated monthly meet-ups around the world), and hosts the hacker convention Hackers on Planet Earth (HOPE). In 1993, he testified before the United States House of Representatives Subcommittee on Telecommunications. He was questioned in relation to the content of 2600 as part of discussions concerning the Digital Telephony Bill; also known as the Communications Assistance for Law Enforcement Act. He is the host of both the weekly radio programs Off the Hook on WBAI-FM and Off the Wall on WUSB-FM. While Off the Hook often includes a panel of guests and is frequently centered on technological topics, Off the Wall is usually narrated by himself and has covered a wide range of topics. Off the Hook has been on the air since 1988. He directed the 2001 film Freedom Downtime, a documentary about the incarcerations of Kevin Mitnick and Bernie S that also examines alleged distortions in mainstream media coverage of Mitnick's case.
- Abstract: The hacker world has changed a great deal since the early days, as has all of technology. But there are some things that remain constant, and that's why this community continues to flourish. Our spirit of inquisitiveness, mischief, and rebellion has never gone away - even as the world has changed so dramatically around us. But at the same time, the hacker community has matured in ways that probably would have shocked people "back in the day." While there still remains so much to be accomplished and improved upon, there is most definitely a direction we all seem to be heading in, a direction that values free speech, equal rights, and true justice for all. Emmanuel will share stories from both the early days and the present that demonstrate how hackers have always been society's conscience, as well as one of its greatest hopes for shaking things up and changing the rules.
- Katie Nickels - "Your Brain is Lying To You: Lessons from Intelligence to Change How You Think"
- Bio: Katie is the Director of Intelligence for Red Canary as well as a SANS Certified Instructor for FOR578: Cyber Threat Intelligence and a non-resident Senior Fellow for the Atlantic Council’s Cyber Statecraft Initiative. She has worked on cyber threat intelligence (CTI), network defense, and incident response for over a decade for the U.S. DoD, MITRE, Raytheon, and ManTech. Katie hails from a liberal arts background with degrees from Smith College and Georgetown University, embracing the power of applying liberal arts prowess to cybersecurity. Katie has shared her expertise with presentations, webcasts, podcasts, and blog posts, including a presentation at Black Hat as well as her personal blog, “Katie’s Five Cents.” Katie has also served as a co-chair of the SANS CTI Summit and FIRST CTI Symposium. She was a 2020 recipient of the SANS Difference Maker Award and the 2018 recipient of the President's Award from the Women's Society of Cyberjutsu. She also serves as the Program Manager for the Cyberjutsu Girls Academy, which seeks to inspire young women to learn more about STEM. You can find Katie on Twitter @LiketheCoins.
- Abstract: Our brains trick us. It’s nothing to be ashamed of, it’s just part of being human. We all have cognitive biases and they can cause us a lot of problems, especially if we aren’t aware of what our brain is doing. Luckily, intelligence analysts have known about cognitive biases for a while and have figured out how to deal with them so they don’t screw up important decisions. Join Katie to hear more about how our brains lead us astray, whether we’re working in infosec or walking across the street. You’ll learn to detect problematic thinking as well as simple techniques to make sure cognitive biases don’t negatively affect your analysis at work—or your everyday life.
FULL Length (50 Minute)
- Valentina Palmiotti (@chompie1337) - "Reverse Engineering for Persistence - How APTs find new hidden ways to hide on your systems, forever."
- Abstract: Persistence is a technique used by threat actors to keep access to systems across reboots, credential changes, and other miscellaneous disruptions. Establishing persistence on a target system is a key goal for any APT group looking to conduct long term operations. It’s also a key goal for smaller stakes malware creators who target average users. When you suspect you are infected with malware, the first step is to find where it first gains execution when your system starts up. How can we make sure something unknown or malicious isn’t running every time our computer or device turns on? Can modern Antivirus or Endpoint Detection Software save us? In short, when it comes to APTs, probably not. This talk will discuss the approach APT groups take to find new hidden ways to silently persist on a system. It will discuss how popular endpoint persistence scanners fall short and how APTs evade them. I will walk through an example, tasking myself with finding a novel persistence technique on a machine running Windows. This will include demonstrating reverse engineering on a system binary to discover the technique. This talk is targeted at those interested in reverse engineering and operating systems. It's intended to give a big picture discussion on how to identify specific OS components for binary analysis and have success in finding something interesting.
- Bio: The Lead Security Researcher at Grapl Security, former Vulnerability Researcher at Point3 Security. "Hacker" hobbyist, for research purposes only.
- Jaku & Friends - "A Very Special Puppet Show"
- Abstract: This is a very special puppet show presented live at THOTCON 0xB. Viewer discretion is advised. If you are afraid of puppets or are a small child, please visit the bar during this talk.
- Bio: Jaku & Friends are [wrong answers only].
- Patrick Sayler - "Jackpot! Attacking Arcade Machines"
- Abstract: Imagine walking into your favorite bar arcade chain. Lights flashing, tickets flying, source code leaking... wait what? High scores aren't the only thing you can win from games. It's easy to forget that these siloed pieces of equipment are developed and managed just like any other system. To put it plainly, modern arcade machines are just desktop computers in an oversized wooden cabinet. This means that they can be inspected and attacked using the same methodologies one would use in a host-based penetration test. In fact, many of these games are unhardened and connected to networks that are readily available to anyone in the building. Using open-source tools, and a little bit of searching, you can uncover a wealth of sensitive data in the unlikeliest of places - ranging from angry command histories, to customer PII, and more. No quarters necessary!
- Bio: Patrick Sayler is a Principal Security Consultant at NetSPI, where he leads their social engineering services.
- Anxious Rabbit - "./senua -v | The SWIFTly Sneaky Reddit Command and Control"
- Abstract: Command and control is an essential part of system compromise. The traditional methods are cool but let's change it up! Why not use Reddit for your command and control like other APTs? And why not pair that with a custom Mac Swift application to challenge the thought of "Macs are more secure"? This talk will show a deep dive into the Swift coding language and how the Senua application uses Swift and API calls to its advantage. This includes code examples and methods used to minimize artifacts to further hide the true intentions of the application.
- Bio: Zach is a fan of modern coding languages and is a hobbyist researcher who likes granulated sugar on pancakes.
- Daniel "unicornFurnace" Crowley - "A Roadmap For Safer Cryptographic Code"
- Abstract: The world keeps making the same decades-old cryptographic mistakes over and over again, from small one-person dev teams to software giants. While developers have mostly learned not to invent their own encryption algorithms, most of the mistakes being made have nothing to do with the choice of algorithm. By now, shouldn't we have figured out how to eliminate these problems? Why is it so hard to get it right? There's a series of problems that make it hard for developers (even security-conscious ones) to avoid even basic, well-known mistakes when writing cryptographic code. It's currently so hard that cryptographers' main advice to developers is to avoid touching cryptography at all. However, sometimes developers really do need to handle cryptography and when they do, they need more substantial guidance than "Just Say No To Cryptography". In this talk I will discuss a number of factors that make it hard for developers to write strong cryptographic code today and give a number of suggestions for what academics, educators, security practitioners, and library maintainers can do to make things better for the future.
- Bio: Daniel directs research at X-Force Red, has been working in infosec since 2004, makes his own beer, and is a baron in Sealand.
- Lodrina Cherne - "Stalkerware capabilities in the real world"
- Abstract: Can using technology risk your personal safety? Tracking information can be shared with attackers and facilitate cyberstalking in multiple ways including key logging and screen sharing. Exploration of recent court cases and investigations will be shared and attendees will learn what resources can help individuals experiencing digital abuse at the hands of a technical adversary.
- Bio: Lodrina Cherne is on the security team at Cybereason + a DFIR instructor at SANS. Ask her how to fight for people wrongly impacted by tech.
- Joshua Jay Herman - "Making fake tweets with Transformers"
- Abstract: Here we will go over how to make fake tweets using the transformers library created by Hugging Face. It has a set of existing GPT-2 models that have been refined on Twitter accounts. We will also compare the results to other systems like GPT-J, BlenderBot and DialoGPT. We will also discuss making sock puppet accounts by using unrefined versions that can be used on Twitter and other microblogging websites.
- Bio: By day I am a Python Developer working on currency trading infrastructure with Bank of America. By night I work on an open source visual novel that is open ended and procedurally generated using various deep learning systems. I have experience in distributed and private ledger technologies, recommender systems for cryptocurrencies and social network analysis.
- Ben Sadeghipour - "Owning the Cloud Through SSRF and PDF Generators"
- Abstract: With so many apps running in the cloud, hacking these instances becomes easier with a simple vulnerability due to unsanitized user input. In this talk, we'll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.
- Bio: Ben is the Head of Hacker Education at HackerOne by day, and a hacker by night.
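The abstract above describes the SSRF class of bug where a server-side fetcher (a PDF generator rendering user-supplied HTML is the classic case) is pointed at the cloud metadata service or an internal host. The following is an added example written for this page, not code from the talk or from HackerOne: a fetch-target validator that a renderer should run over every URL it is about to follow. The resolver is injected so the example runs offline against a constructed DNS table (FAKE_DNS, fake_resolve, the hostnames and the HTML payload are all made up for illustration); in production, pass a real resolver such as socket.getaddrinfo and connect to the exact IP that was checked, otherwise a DNS-rebinding answer bypasses the check.

```python
"""Added example: reject SSRF-prone fetch targets before a server-side renderer follows them."""
import ipaddress
import re
from typing import Callable, Iterable, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Address ranges a PDF generator / URL fetcher should never reach:
# loopback, RFC 1918, link-local (cloud metadata lives at 169.254.169.254),
# CGNAT, unspecified, and the IPv6 equivalents including IPv4-mapped space.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def _blocked(ip: IPAddress) -> bool:
    """True if ip falls in any blocked range; unwraps ::ffff:a.b.c.d to its IPv4 form."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_target(url: str, resolve: Resolver) -> tuple:
    """Return (allowed, reason). Only http/https URLs whose host resolves
    exclusively to public addresses are allowed. Every resolved address is
    checked, so a name that returns one public and one internal answer fails."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname  # brackets stripped for IPv6 literals, lower-cased
    if not host:
        return False, "no host in URL"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"
        if not addrs:
            return False, f"{host} resolved to no addresses"
    for ip in addrs:
        if _blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


# Simplified extraction of the URLs a renderer would fetch from user HTML.
# A real implementation should walk a parsed DOM (src, href, url() in CSS, etc.).
_URL_ATTR = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def audit_user_html(html: str, resolve: Resolver) -> list:
    """Return [(url, allowed, reason), ...] for every fetchable URL in html.
    Render only if every entry is allowed."""
    return [(u, *check_fetch_target(u, resolve)) for u in _URL_ATTR.findall(html)]


# Constructed DNS table standing in for a real resolver (hostnames are made up).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # one answer is internal
}


def fake_resolve(host: str) -> list:
    """Offline stand-in for socket.getaddrinfo; raises like a failed lookup."""
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


# Constructed payload of the kind an attacker submits to a PDF generator.
SAMPLE_PAYLOAD = (
    '<h1>Invoice</h1>'
    '<iframe src="http://169.254.169.254/latest/meta-data/iam/security-credentials/"></iframe>'
    '<img src="http://[::ffff:169.254.169.254]/latest/meta-data/">'
    '<a href="file:///etc/passwd">x</a>'
    '<img src="https://example.com/logo.png">'
)

if __name__ == "__main__":
    for url, allowed, reason in audit_user_html(SAMPLE_PAYLOAD, fake_resolve):
        print("ALLOW" if allowed else "BLOCK", url, "-", reason)
```

The check deliberately rejects a hostname if any of its answers is internal, because a renderer that picks the first A record at random gives the attacker a coin flip. The literal-IP branch only understands dotted-quad and IPv6 forms; decimal or octal spellings such as 2852039166 fall through to the resolver, so whatever address the resolver returns is the one that must be both checked and connected to.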
TURBO Talks (25 Minute)
- David Hetu - "Pricing and Mapping The Underground Economy: An Analysis of Contracts On The Biggest Online Hacking Forum"
- Abstract: Hackforums is known as the script kiddie forum of hacking where most up and coming hackers drift to. Past investigations have shown however that many established hackers are still very much active on the platform and use it to transact illicit goods and services. This presentation builds on the contract section of the forum that has archives going back over 1 year. This contract section provides detailed information on the transactions that hackers have negotiated over Hackforums. Using tens of thousands of contracts scraped from Hackforums, we provide an analysis of the true cost of hacking tools and services, not those advertised publicly on the forum. We moreover conduct social network analysis of the actors involved in the transaction of illicit goods and services to identify key players and map the structure of the social organization of the illicit trades facilitated by Hackforums. This presentation will provide security professionals with new and solid evidence of the inner workings of the underground illicit economy as well as provide a new methodology to identify key players in hacker networks based on the best practices of the social network analysis field.
- Bio: David Hetu has a Ph.D. in criminology. He has spent the last 10 years researching online crime and offenders and their social organization.
- Joshua Miller - "TA456's Multipronged Approach to Intelligence Gathering"
- Abstract: The Iranian aligned APT TA456 (Tortoiseshell) used a two-pronged approach to intelligence gathering for their cyber operations targeting aerospace defense contractors throughout 2021. One method observed in threat campaigns demonstrated extensive time and effort to develop social media personas to build relationships with their targets. These personas used well-known psychology principles to gain the users' trust so they could eventually deploy customized malware, dubbed LEMPO, to conduct further reconnaissance on the target’s host machine and exfiltrate sensitive information. In other campaigns, TA456 conducted reconnaissance by masquerading as news organizations while using customized links and tracking pixels. These phishing emails attempted to blend in with spam while using actor-controlled infrastructure to gather intelligence. While looking at TA456’s operations and differences in intelligence gathering methodologies, we’ll discuss adversary emulation possibilities, identify detection opportunities, and further explain our attribution for one of the most determined Iranian aligned APTs we track.
- Bio: Joshua is a Senior Threat Researcher for Proofpoint where he tracks targeted threats, with a focus on Iranian aligned threats. Former internal CTI for a health care company & FBI Intelligence
- Jack Cable - "The Year of the Vulnerability Disclosure Policy"
- Abstract: It's an exciting time for vulnerability disclosure. Over 800 companies now offer vulnerability disclosure policies (VDPs), and that number is increasing every day. With such policies, not only are hackers better protected in disclosing vulnerabilities, but the public can stay better informed about security practices across organizations. 2020 is proving to be a breakout year for vulnerability disclosure policies, which will soon be present across every U.S. federal agency, the elections industry, and more. Yet with these advances comes an increased need to ensure such policies are effective and protect both organizations and hackers. As evidenced by past legal disputes, the process of building and abiding by a VDP is nontrivial. In this talk, learn about the history of the VDP, ongoing legal troubles, and best practices moving forward to ensure the efficacy of VDPs. Case studies of action by the United States and Netherlands governments demonstrate that VDPs can be implemented as a standard in order to increase public security. By structuring VDPs in the right way, such policies can be implemented to offer transparency critical to increasing public trust around security.
- Bio: Jack Cable is a top bug bounty hunter, a student at Stanford, and a Security Architect at Krebs Stamos Group.
- Siddharth Coontoor - "Where's my dough?! A look at web skimming attacks on e-commerce websites"
- Abstract: We've all heard of credit card skimmers installed at ATMs and gas stations that steal credit cards from oblivious customers but what happens when attackers target online commerce websites? In this talk, we shall explore an always persistent threat to e-commerce websites known as web skimming. More and more e-commerce websites (British Airways, Newegg, Macy's, etc) have been compromised by web skimming attacks which resulted in attackers successfully stealing millions of credit cards by leveraging a variety of innovative attack vectors from phishing campaigns to injecting scripts through compromised domains. We shall take a look at several such attacks and web skimmer tools like Magecart's Inter and Pipka, and discuss security best practices for hardening e-com sites and protecting your shoppers and your reputation.
- Bio: An application security enthusiast that thrives in the "clouds". A clumsy coder by nature who loves securing software.
- Xena Olsen - "Adversary Detection Pipelines: Finally Making Your Threat Intel Useful"
- Abstract: I plan on discussing the pain points of threat intel and sharing that this presentation is not for the Microsofts and Targets of the world but instead for the orgs that want to get more value out of their small CTI team. I'll discuss why true attribution is a bad idea for most organizations, with real world examples. Then, I will provide real world examples of how TTPs can help an organization better by knowing the What and How (TTPs) versus the Who and Why (true attribution). I'll show examples of how an org can build out an adversary detection pipeline starting with the attack data in their mail and expanding out to the WAF attack data and tickets with the SOC/DFIR, along with a discussion of mapping MITRE ATT&CK TTPs and how to find the specific procedures. Next, there will be real world examples of adversary detection pipelines and how purple team exercises can be run from threat intel specific to the org's attack data. Finally, a discussion of reporting for management/department that is possible as a result of the adversary detection pipelines. Main takeaways: squeeze more value out of the data you are already collecting; showing how any organization can leverage threat intel through adversary detection pipelines, regardless of internal skill sets or experience; heatmaps for threat actor campaign volume, multiple-year tracking, delivery rate, click rate, and more, used to prioritize Hunt, Red Team, and Blue Team actions with respect to threat actor activity; intelligence-driven hypothesis creation for threat hunting; how to operationalize adversary detection pipelines to enhance red team and purple team activities, particularly to improve adversary emulation/simulation and RELEVANT red team ops; higher fidelity alerts for the SOC with fewer false positives.
- Bio: SANS Women's Academy graduate, 6 GIAC certifications, MBA IT Management, and D.Sc. Cybersecurity student at Marymount University.
- EvilMog - "From Print Spooler to Silver Ticket"
- Abstract: Traditionally machine account NTLM challenge responses were considered useless, learn how pentesters leverage machine accounts to take over your environment. Print Spoolers, Exchange Servers, NTLMv1 Reversing and other techniques are reviewed to level up your pentest game. As a defender learn how to defend against these devastating attacks.
- Bio: EvilMog is a Bishop Of the Church of Wifi, Member of Team Hashcat, Multiple Black Badge Holder and General Shenanigator for X-Force Red
- Steve O'Reilly - "From Zero to Near-Hero: How I conquered 1980's Nintendo technology to capture a THOTCON Gold Badge"
- Abstract: In 2017, THOTCON 0x8 held a Tool Assisted Speedrun (TAS) contest. Entrants submitted a video of a Nintendo Entertainment System (NES) game edited with the FCEUX application, an open-source NES and Family Computer Disk System emulator. FCEUX's TAS Editor enables the execution of a game's button presses with extreme precision. This allows a player to optimize the game sprite's speed, action and timing with a goal of completing the game as quickly as possible. In essence, a TAS video is animation with a console game as the medium. The TAS contest presented an opportunity to learn the FCEUX application and then demonstrate creativity in producing a video that would be judged on style and performance as opposed to speed. Prior to entering, I had never heard of TAS videos and my gaming experience was limited to casual play at best. I also had no experience in editing Read Only Memory (ROM) of NES games. But my passion for learning how things work and getting stuff for free compelled me to take up the challenge. This turbo talk will summarize how I approached the contest's scope and then created the winning entry (https://www.youtube.com/watch?v=GXmfqpXwkeY). I will also present the various applications and resources used in customizing the THOTCON themed ROM.
- Bio: Offensive Security, LLC., freelance bug bounty researcher, former FBI Special Agent, SWAT operator, and Marine infantry officer.
- Jesson Soto - "Abusing WebViews to steal all the files"
- Abstract: Let's explore the world of Android WebViews through two popular applications - an Android email client and an advertising platform. Through these case studies, we will learn how insecure WebViews provided remote attackers and advertisers access to users' external storage.
- Bio: Jesson just likes to hack things. If it collects data, has lights, or does something cool there's a good chance Jesson has considered hacking on it to figure out how it works and making it do something else. Currently, Jesson applies all the skills he's learned from various junk hacking projects at Carve Systems, LLC as senior information security consultant.
- Videoman - "Hardware Hacking"
- Abstract: I have done a number of projects with hardware hacking in the last year, and want to share some of the fun things that I was able to accomplish, including buffer overflows over serial, mDNS overflows in embedded systems, and other fun topics in embedded hardware. I’ll also do a quick intro on some of the basic tools that help a lot with debugging, and on great embedded devices.
- Bio: David M. N. Bryan is a penetration tester with X-Force Red, IBM’s elite security testing team. Responsibilities include establishing standardized tools and processes for our consultants and working with clients on penetration testing projects. David has well over a decade of experience, from being a defender of security at a top-ten bank to securing the DEF CON network. David has been a participant in the information security community for over two decades. David has been the attacker in many scenarios as a penetration tester covering: ATMs, embedded devices, network, wireless, web applications, and physical security. David has presented at many security conferences including Black Hat, DEF CON, ToorCon, LayerOne, ToorCamp, BSides events, AppSecUSA, etc.
- DNS Princess - "Photo vault apps for your private pictures don't work."
- Abstract: Vault apps claim to protect your private photos from spying eyes and hackers. These apps will remove photos from your phone's gallery and store them in a secure place with optional features such as using passcodes or obfuscated fake apps. This talk breaks down where and how those pictures are stored as well as security concerns these apps present.
- Bio: alissa = ["PhD student", "Anti-Fraud SOC Manager", "Dog Mom", "Researcher", "Boilermaker", "Forensics Instructor", "Teaching Assistant"]
- Nick Roy - "OSINT and the Hermit Kingdom. Leveraging online sources to learn more about the world's most secret nation"
- Abstract: OSINT tools provide security analysts with a powerful set of tools and data that can be leveraged to discover accounts, infrastructure, and long forgotten services that are still running. Using these sources we can research specific companies or users, find easy targets for bug bounties, and begin reconnaissance efforts against our own systems. Learn more about different techniques to gather information while examining North Korea’s public facing infrastructure and their state sponsored operating system.
- Bio: Nick Roy currently works for a global security vendor creating training content and researching new attacker patterns and techniques.
Track X - Mini Workshops (120 Minute)
- Jay Margalus && Rudy Ristich - "Hacking the Thotcon 0xB Badge"
- Abstract: In this workshop, attendees will learn the ins and outs of the THOTCON 0xA board. We'll cover the board's layout, components, and (some of the) code on the badge. We'll also teach you how to hack the badge to make a small toy. There will be no badge puzzle spoilers revealed in this workshop, though you may learn some interesting skills to help you overcome challenges. Bring your own laptops, cables, badges, etc.
- Bio0: Jay is the Faculty Director of DePaul University's makerspace network. He is an industrial-game designer.
- Bio1: Rudy is the Vice President at Workshop 88
- Eric Poynton - "Aye Aye IoT: Wrangling and Defending Against the Risks of Unmanaged Devices"
- Abstract: By 2020 it's estimated the number of unmanaged devices will surpass the number of managed devices within a typical organization. These unmanaged devices don't have typical policies or endpoint controls, which makes it extremely difficult to understand how they communicate with the network. This lack of visibility makes it virtually impossible to understand what an organization's true threat landscape is. This workshop is the culmination of more than a year of research into identifying unmanaged devices using behavioral cues fundamental to how IoT devices function. This method can be used to understand risks associated with unmanaged IoT devices, including: Has this device provided an entry point into your organization that either completely or partially bypasses your defenses? Do they connect/talk to official resources? Are they trying to? Are these systems participating in any attacks that could affect the reputation of your organization? Ahead of Black Hat 2019, Microsoft released a report on Russia's APT28 using IoT devices as gateways into the network, which highlights that not all environments are segmented the way you'd expect. This workshop will include a demo of an instance from Awake's third-party testing efforts that model this scenario (and more) perfectly.
- Bio: Eric Poynton is Lead Threat Hunter at Awake Security. He successfully discovers and investigates compromised devices in enterprise networks.
- Dr. Amit Elazari - "Security Policy and Regulation Trends for Security Researchers"
- Abstract: Security is one of the most evolving and impactful landscapes in the regulatory sphere. Proposed initiatives in the areas of Internet of Things Security and Coordinated Vulnerability Disclosure (CVD) and more are among the most active and developing areas of security regulation around the world. This talk will introduce the audience to the variety and influx of legal and regulatory concepts and proposals shaping the future of security, focusing on recent trends. Highlights will include coordinated vulnerability disclosure, frameworks for secure development, supply chain transparency, researchers' collaboration, IoT Security, anti-hacking laws, and more. We will also talk about bug bounties and vulnerability disclosure, industry best practices in this area and recent trends, and how they may impact the security research ecosystem as a key stakeholder in this environment.
- Bio: Dr. Amit Elazari is Director, Global Security Policy at Intel Corporation and a Lecturer at UC Berkeley's School of Information Master in Information and Cybersecurity. She holds a Doctoral Law Degree (JSD) from UC Berkeley School of Law, a world leading institution for law and technology, and graduated summa cum laude with three prior degrees. Her research in information security law and policy has appeared in leading technology law journals, been presented at conferences such as Black Hat, RSA, USENIX Enigma, USENIX Security, BSidesLV, BSidesSF and DEF CON, and been featured at leading news sites such as The Wall Street Journal, The Washington Post and the New York Times. In 2018, she received a Center for Long Term Cybersecurity grant for her work on private ordering regulating information security, exploring legal safe harbors for security researchers. She practiced law in Israel.
- John Bambenek - "The War Over Your DNS Queries and What to Do About It"
- Abstract: Recently, with the advent of DNS-over-HTTPS, tech companies like Google and Cloudflare have been locked in a battle with ISPs like Comcast and others about who should be able to see DNS queries and monitor user behavior. The reality is, the fight isn’t about privacy but about which set of big companies get to be the sole recipient of your private information. The solution isn't to let one side or the other have your data, it's to run your own resolver. This talk will discuss DNS and what For-Profit Intelligence Agencies (like Google and Comcast) can do with your information. Additionally, how to run your own DNS resolver will be discussed, with a focus on how to do that at home and in small organizations without budgets. Lastly, how to secure DNS queries from malicious activity with a Pi-hole and Response Policy Zones will be demonstrated, so that consumers not only take control of their DNS usage, but can also use DNS to block phishing, ad tracking, and other malicious activity directed at themselves, their families, and their organizations.
- Bio: John Bambenek is VP of Security Research and Intelligence at ThreatSTOP, President of Bambenek Consulting LTD.