Brad Swanson

Brad Swanson

Explore Wisconsin Hacker History

In his talk, Brad will be discussing where we have come from as a hacker culture, and how the past dictates the present. He will touch on some of the famous and infamous hackers in Wisconsin’s history, going back to the 1800s. He will then discuss some of the technology that has come out of Wisconsin that has allowed us to practice and perfect our craft. Wisconsin is home to more than just beer and cheese, and he plans to take the listener on a journey through our history, touching on people and events that are not well known, in addition to the history that we may have forgotten about. This talk will touch on people, places, and things important to not only the Cyphercon 2.0 attendees, but to our future generations. It is up to us to pass that torch!


Jonathan Lampe

Jonathan Lampe

Democrats and Republicans Agree: Our Cybersecurity Stinks

Every two years almost seventy major candidates vie for Senate seats across the United States. Many of the candidates have or will soon have a major impact on policy and spending, and their campaign web sites are visited by millions of voters and other interested parties. 2016 has been the year of the political cyberattack, with hacked emails, phishing, insecure servers and even whispers of foreign penetration in the news.

Despite this backdrop, the cybersecurity of US Senate senatorial campaigns leaves much to be desired. On the eve of the 2016 election, Cybertical employed a new tool to scan the sites of 67 major candidates and found unpatched vulnerabilities, administrative usernames and public entry points on many of them. To help communicate which candidates’ sites were better or worse than others, every site scanned was awarded a “grade point average” (GPA) and a letter grade from A to F.

This presentation demonstrates the newly released tool, how it was used to get these results, and how the scoring process worked (and could be repeated across time to track improvement).  Several Wisconsin and Milwaukee-area political sites will also be scanned and graded live.


Phillip Rogaway

Phillip Rogaway

Can Cryptography Frustrate Fascism?

The Internet and the telephone, once imagined to be profoundly democratizing, have evolved in ways that breathe new life into unchecked consumerism and authoritarian nationalism. A hope going back to the early cypherpunks is that cryptography might help — that its artful use might protect, restore, or expand democratic values threatened by technologies of surveillance and control.  Is this hope remotely realistic?  I offer no definitive answer, but will share my thoughts in this connection.


Adam Everspaugh

Adam Everspaugh

Protecting Passwords with Oblivious Cryptography

Current schemes to protect user passwords like bcrypt, scrypt, and iterative hashing are insufficient to resist attacks when password digests are stolen. We present a modern cloud service, called Pythia, which protects passwords using a cryptographically keyed pseudorandom function (PRF). Unlike existing schemes like HMAC, Pythia permits key updates as a response to compromises. Key updates nullify stolen password digests, enable digests to be updated to the new key, and don’t require users to change their passwords. The keystone of Pythia is a new cryptographic construction called a partially-oblivious PRF that provides these new features.


Dan Loosen

Dan Loosen

KEYNOTE: The History of Video Game Console Hacking

Dan will discuss the history of hacking video game consoles from the Atari 2600 to today, including some of the landmark legal cases that helped to develop a consensus on what was legal. This presentation will also include the positives and negatives of working with older hardware to develop new games, both from the developers and from the publishers perspective!


Dave Roebke

Dave Roebke

Espionage & Soviet MiGs

TBA


Zapp

Zapp

From zero to Bender in 12 months, how a software guy turned hardware

In this talk Zapp will walk you through how he went from barely knowing how to solder to building 175 electronic badges for DEF CON. He will detail the steps he took including projects he used to learn just enough to design, code, and produce the badges as well as share many of the screw-ups along the way. Finally, he will share a preview of the group’s DEF CON 25 badge.


Shannon Fritz

Shannon Fritz

Naked and Vulnerable: A Cybersecurity Starter Kit

An Introductory Guide for business that want to “improve security”, but don’t really know where to begin. This session will outline a strategy to get your company motivated to invest in security improvements.  We’ll also explore the TOP FOUR attacks being used today, and what you can do right now to protect against them and dramatically improve your security profile.


Ed Abrams (zeroaltitude)

Ed Abrams (zeroaltitude) Demetrius Comes (cmdc0de)

Demetrius Comes (cmdc0de)

A Look Behind the Scenes of DEFCON DarkNet

cmdc0de and zeroaltitude will present an overview of the DEFCON DarkNet challenge, currently getting ready for its fifth year.  This presentation will also give an inside look at the DarkNet hardware, software, badges, and quests done over the years.

 

DEFCON DarkNet has created a Daemon who controls the DarkNet; and players interact with it through the website at dcdark.net . The Daemon keeps track of player quests and their DarkNet inventory.  DarkNet badges, once assembled as a learning quest, act as a valuable tool to identify your role as a player and to help you with certain quests.  Physical puzzle items such as lockpick stations and phonebooths, as well as interactions with DarkNet Operatives, provide further avenues to engage players in their quests and learning experiences.

 

Cmdc0de and zeroaltitude will be presenting two ciphers at the end of their talk, and discussing a little bit of how they think about ciphers.  They will then invite people to join them in the cipher village after their talk to work on these.

 

Experiences within the DarkNet will take you to the limit of your existing knowledge… and beyond. If you join us, we will send you on quests to improve your technical abilities. You will meet others like you and you will learn from each other and grow stronger. As you proceed within the DarkNet, you’ll discover hidden messages you would never have noticed and you’ll accomplish goals you never would have achieved alone. To succeed, you have to find your way through the quests and if you make it to the end, you will have proven yourself worthy to join us in our stand against those who seek to control us.

 

DarkNet’s mission is to secure a safe, independent and self-sustaining community free from intrusion and infiltration by those who would enslave us to their own ends. Our opponents are many and they grow ever more modern — spying on us through our information streams and controlling us through messages that we see wherever we go. We must resist.


Eric Escobar

Eric Escobar

Wireless Hacking & Capture The Flag

Eric Escobar will be presenting on wireless hacking concepts and will go into details on the CypherCon 2.0 wireless capture the flag!


Robert Reif

Robert Reif

Cluster Cracking Passwords & MDXfind

Password auditing is more important than ever before. We take a deep dive into some password cracking tools you probably have never seen.  Implementing a unified cluster interface allows you to complete password audits faster and gives collaborative teams access to information in real time. What about cracking unknown and obscure hashes? MDXfind covers a very wide array of hash algorithms and iterative hash types which can all be ran simultaneously. Come see how these tools work and how they can make your next password audit or penetration test a step above the rest.


John Jacoby

John Jacoby

WordPress polyfills for PHP

WordPress comes bundled with several polyfills for PHP random number generation. I’ll explain why we need them, how we maintain them, and share a horror story or two. I’ll cover activation keys, nonces, password generation, single & multisite, and other related things. Friendly & fun for all experience levels, ages, and professions. Q&A strongly encouraged.


Rick Ramgattie

Rick Ramgattie

IoT Security Privacy Weaknesses & Ransomware

Ransomware on the refrigerator, back-doors in the tea kettle, and vacuums that know when you are home may seem like jokes, but with Internet of Things devices expanding into our lives this will be the reality without better security. Through vulnerability and attack demonstrations in common scenarios, I demonstrate how security weaknesses in IoT devices put user privacy at risk from external and internal threat actors. Manufacturers and security professionals must work together to improve the security of IoT so that these devices are truly worthy of being exposed to the hostile Internet. By combining improved built-in security and increased user awareness for managing IoT security, these devices can continue to provide innovative functionality without sacrificing security and privacy.


John Platais

John Platais

Predictive Analytics and Machine Learning: “Real” Use Cases for IT/Security Professionals

We have all heard the phrase, “Hindsight is 20/20.”  Usually this resonates as we stand across from our employer admitting some level of guilt for a recent disaster.  What if we could predict the future with some degree of acceptable accuracy?  What if we knew ahead of time which employee candidate would introduce risk to our organization? What if we were able to pinpoint which of the thousands of current, cyber security threats would have the greatest impact on our unique technology footprint and prioritize those in real time for remediation?  What if we had the ability harvest and incorporate the limitless data available both privately and publicly into our decision making processes without investing millions?

This session will answer those questions and more as we explore the data mining and machine learning options available to all of us using only the technology resources we have at our disposal.   We will be looking at security specific use cases for predictive analytics that will appeal to all security professionals.  We will look at insights and opportunities that can be realized from public data repositories and social media sites where even the most private of us reveal more than we know.

Every participant will leave with the knowledge and direction to begin incorporating machine learning and “AI” into their regular deliverables.  They will learn what tools are available, what value each of those tools can provide, and what data can yield the greatest results in the shortest amount of time.


Jason Lang

Jason Lang

Modern Evasion Techniques

*THIS PRESENTATION WILL NOT BE RECORDED*

As pentesters, we are often in need of working around security controls. In this talk, we will reveal ways that we bypass in-line network defenses, spam filters (in line and cloud based), as well as current endpoint solutions. Some techniques are old, some are new, but all work in helping to get a foothold established. This talk will not be recorded. Defenders: might want to come to this one. 🙂


Cody Florek

Cody Florek

The Upside Down: Going from NetSec to AppSec

When I took on the world of AppSec, I thought many of my life lessons in network security operations would carry over. I found out that it didnt work that way. As I progressed in AppSec, I soon discovered many other folks were like me but had no idea what to do or where to start.

From a security operations world looking glass, I want to give a presentation on how to think, what terms to use, what tools to use, and where to go to learn. If you are a seasoned AppSec pen tester, this presentation isn’t for you. If you’ve been doing Sec Ops, this is probably for you.


Anna Genz

Anna Genz

Brian Genz

Keep Calm And Hack All The Things (Hak4Kidz)

This talk is about the lessons learned by an 8th grade student, Anna Genz, who attended a web application penetration testing class at DerbyCon in 2016.  In addition to being the only kid in a room full of adults at a hacker conference studying challenging material, she was going to be an hour late after getting stuck in traffic. There was a moment of truth where she had to decide whether to walk into the class an hour late, or to give up and not go in.  This talk will highlight the decision she made, what she learned about hacking, and what she learned about taking risks.


David

David "Heal" Schwartzberg

KEYNOTE: STEHM is the new STEM

Kids are wired to learn. Internet security threats continue to rise. By the year 2020, there will be 1 million vacant Information Security positions. Combining kids’ natural curiosities to explore along with their relationship with mobile technology, the industry has an opportunity to fill the vacancies. This keynote explores STEM’s success but the importance to include ‘Hacking’ into the acronym as a means to introduce a wider audience of future potential security practitioners to address the workforce shortage. A combination of use cases, hacking success stories, and lessons learned, we discuss the benefits of introducing younger students to ethical hacking and information security.

We will future explore various programs which introduce basic skills through to advanced techniques used in the penetration testing field. Given the future of Internet security’s reliance upon a fresh crop of graduating students, the session will describe how breaking the mold of traditional education systems are already embracing STEHM without understanding how to define rubrics. Now is the time to make STEHM the new STEM.


Caleb Madrigal

Caleb Madrigal

Tracking/Monitoring WiFi devices without being connected to any network

A surprising amount of information can be intercepted by listening to raw WiFi signals. WiFi devices are continuously broadcasting information that can be use to track people’s movements and even to infer things like when security cameras have detected motion. And this data can be intercepted from blocks away, without even being connected to any WiFi network.

Come learn about some of the techniques that are almost certainly already being used by governments and corporations to track us all, and what can be done to help prevent it.


Dr. Alexander Rasin

Dr. Alexander Rasin

Forensic Deconstruction of Databases through Direct Storage Carving

The increasing use of databases in the storage of critical and sensitive information in many organizations has lead to an increase in the rate at which databases are the target of computer crimes. While there are some techniques and tools available for database forensics, they typically assume apriori preparation (e.g., detailed logging) and rely on built-in database features working properly (e.g., no hacking). Investigators, alternatively, need forensic techniques that make no such assumptions and tools that can be applied to a damaged or an already-compromised database system.
In this talk we present DBCarver, a tool for reconstructing database content from database storage (disk, RAM, etc.) without relying on any metadata from the database, or needing metadata from the OS/file system. The tool uses database page carving to reconstruct both query-able data and non-query-able data (deleted and auxiliary data). We describe how the two kinds of data can be combined to enable a variety of forensic analysis questions hitherto unavailable to forensic investigators, including finding evidence of database tampering. We conclude with a brief demo of DBCarver.

Zapp & Toymakers

Zapp & Toymakers Mr. Blinky Bling  (Charles Lehman & Ben Hibben)

Mr. Blinky Bling (Charles Lehman & Ben Hibben)

Hackable Electronic Badge Panel

Hacker Conference Electronic Badge Panelists


M4n_in_Bl4ck

M4n_in_Bl4ck

Threat Intelligence 101: Basics without Buzzwords

Everyone from experts to vendors to talking heads espouse the benefits of threat intelligence. It’s spoken of as a nebulous panacea that only a select few can dole out like ambrosia, and it is beyond the mere ken of the average security professional. This talk is going to cover the basics: what is threat intelligence, how to discern wheat from chaff, where you can find it, how you can use it, and where you can learn more about it.


Doug Rogahn

Doug Rogahn

Let’s Get Physical

Heath care devices, Automotive, even Internet of Things, all of these technologies have recently begun to made progress in their relationship with the hacker community. While there are a handful of lock and physical security companies embrace a few trusted security professionals, the vast majority hide their heads in the sand until it is too late.

I will discuss a few examples where physical security companies failed to embrace the community and paid a hefty price. I’ll also lay out some of the lessons that other industries have learned and how the can be applied to the physical security industry.


Jeff Man

Jeff Man

Does DoD Level Security Work in the Real World?

After spending nearly 13 years working for the Department of Defense, I ventured out into the private sector to consult and advise on matters of information security. On many occasions, after explaining some basic security concept to a customer and outlining what they need to do to be secure,I often heard the retort, “yeah, but we don’t need DoD level security.” Well, after twenty years in the private sector, and especially over the past 2-3 years with the proliferation of data breaches against major companies, I find myself wanting to reply, “yeah, you really DO need DoD level security!”

What does this mean? Probably not what you are thinking. This talk will start with an overview of the foundation nature of data security, highlight the major tenets or goals of data security, introduce the risk equation, discuss how and why so many companies so often fail at implementing the basics of data security, and explore some ways that a DoD-centric approach to data security might be implemented in the private sector. Brainstorming, discussion, dissension all welcome.


Kat Traxler

Kat Traxler

JavasCrypto: How we are using browsers as Cryptographic Engines

In order to achieve end-to-end encryption, build zero-knowledge systems, and provide users with the convenience they are accustomed to, Web 2.0 is pushing cryptography to your browser. From secure e-mail to credit card transactions, our security is increasingly dependent on the integrity of client side javascript.
The opportunities for exploit are many but with every new vulnerability has come a potential mitigation, all in an attempt to strong arm these sensitive operations into the browser, limit an applications liability, and keep us users happy.
In my presentation, we will look at the fundamental nature of javascript, web browsers, and conclude what level of protection, in the best of circumstances, JavasCrypto affords the end user.


Richard Thieme

Richard Thieme

Beyond the Fringe: Anomalies of Consciousness, Experience, and Scientific Research

New truths emerge on the edges of our thinking, the Oort Belt of scientific paradigms. As Richard Feynman said, the critical fact that is both a fact and an anomaly can become the cornerstone of a new way thinking about things. But we have to walk a blade as well, staying imaginative but also reasonably sane in what we entertain and explore.

All new ideas sound crazy at first, suggested Robert Galvin of Motorola, and they come from a lone voice. But over time, we all agree that we always thought so from the beginning.

Richard Thieme has spent years on the edges, watching “unthinkable thoughts” move quickly to become the cores of new paradigms. The edge is becoming the center at a faster and faster rate and only collaborative efforts with serious accountability built in can ensure real breakthroughs. This talk provides a framework for doing just that.


Melanie Segado

Melanie Segado Sydney Swaine-Simon

Sydney Swaine-Simon

Brain Based Authentication

Brain based authentication is an emerging field that seeks to use brain signals as a form of biometric authentication. Due to the increased availability and decreased cost of portable electroencephalography (EEG) devices, which can record brain activity from the scalp surface, this technique has gained popularity in research and in the media. In this talk we will explain the science underlying brain based authentication, the advantages and limitations of this technique, and give a live demo of a brain based authentication prototype.


Amit Riswadkar (FeMaven)

Amit Riswadkar (FeMaven)

Wasn’t DLP supposed to fix this?

Data exfiltration and insider threats are constant worry at most organizations, which has lead to companies implementing DLP but about half of employees have admitted to taking data from a former employer according to a recent survey.  So why does this still happen? The problems with DLP have multiple causes from poor stakeholder engagement (not knowing what data to protect), being put in to fulfill regulatory requirements (for just the checkbox to pass an audit), generates wayyyyyy too many alerts, or not being put in as part of a larger strategy.   During my talk, I’ll describe about how to tie all these issues together so you can get your arms them so you can start fixing it. And no, it’s not (just) using UBA.