Additional speakers to be announced soon. Speaker lineup is subject to change. 

  • 24 October
  • 25 October


Purple Teaming: One year after going from full time breaker to part time fixer

A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets: Red, Blue, and Purple. The talk will hopefully bring value to anyone working in their respective bucket, or assist in the creation or continuation of purple teaming at their company.


Chris joined Facebook in April 2014 as an Offensive Security Engineer. Chris has extensive experience in red teaming, network and web application penetration testing, as well as Information Operations experience working as an operator for a DoD Red Team and other full-scope penetration testing teams (regular pentesting teams too). Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his... redacted...no one cares anyway. In the past, he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, OWASP AppSec DC, DerbyCon, Hashdays, and DevopsDays DC. Chris is also a cofounder of NoVAHackers. Blog: carnal0wnage.attackresearch.com Twitter: @carnal0wnage



Spread Spectrum Satcom Hacking: Attacking the Globalstar Simplex Data Service

Recently, there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before: take the audience step-by-step from reverse engineering to exploitation of the Globalstar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems.

In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I'll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.


Colby Moore is Synack's Manager of Special Activities. He works on the oddball and difficult problems that no one else knows how to tackle and strives to embrace the attacker mindset during all engagements. He is a former employee of VRL and has identified countless 0-day vulnerabilities in embedded systems and major applications. In his spare time you will find him focusing on that sweet spot where hardware and software meet, usually resulting in very interesting consequences.



Home network devices - The low hanging fruit of 201[5-9]


Name's Elvis. I've been a 'professional' security researcher for the past 2 years but have always had a thing for security ever since I was owned with the Sub7 client/server virus at the age of 13. Since that day I've been researching software security with a focus on memory corruption. Whenever I'm not staring at IDA, WinDBG, GDB, etc., I like to create music with Reason 7.1.



The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

In the world's largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found fundamental protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community. 


Vanessa Teague is a research fellow in the computing and information systems department at the University of Melbourne, Australia. She has worked on cryptographic protocols for electronic voting ever since finishing a CS PhD at Stanford on cryptographic protocols for economic games. Australia's unusual voting system constitutes a special challenge. She also spends a lot of time explaining to parliamentarians and electoral officials that requirements for transparency, privacy and verifiability apply to computerised voting too.



Practical Intel SMEP Bypass Techniques on Linux

The Linux kernel has always been an appealing target for exploit developers due to the exploitation complexity associated with user space processes (ASLR, NX, Canaries, Fortify, RELRO, etc.). Common ret2usr (return-to-user) attacks typically redirect kernel control flow to data residing in user space: a corrupted function or data structure pointer that triggers a privilege escalation payload in user space. These attacks were successful until around 2013 before the introduction of 3rd generation Intel Core processors (Ivy Bridge) with SMEP support. SMEP (Supervisor Mode Execution Protection) is a hardware feature that prevents attempts to execute code (at CPL = 0) residing in user space pages. This kernel-hardening approach is now widely adopted and effectively mitigates common exploitation patterns of kernel vulnerabilities.

This presentation introduces practical Linux SMEP bypasses involving in-kernel ROP and spraying techniques. We will demonstrate how to convert existing exploit code into a fully weaponised SMEP-aware exploit. This talk will concentrate on a specific kernel vulnerability and OS version to demonstrate the bypass, but the exploitation techniques presented are generic and can be applied to other operating systems that employ explicit sharing of the virtual address space between user processes and the kernel.


Vitaly is a security researcher specialising in malware analysis and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on Linux kernel exploitation techniques (SMEP/SMAP, ASLR bypasses) and the associated countermeasures. He currently works as a pentester and has performed countless penetration tests for large financial and governmental institutions.



Advanced SOHO Router Exploitation

In this talk we will look into how a series of 0-day vulnerabilities can be used to hack into tens of thousands of SOHO Routers. We will elaborate on the techniques that were used in this research to locate exploitable routers, discover 0day vulnerabilities and successfully exploit them on both the MIPS and ARM platforms. 

The talk will cover the following topics:

  • Dumping and analyzing router firmware from an ISP provided router
  • Tips and Tricks to discovering vulnerabilities on the router
  • Identification of vulnerabilities
  • Explanation of how to write ARM / MIPS exploits
  • ROP Gadgets used for writing ARM and MIPS Proof-Of-Concept
  • Post exploitation concepts – creative use of exploits


Lyon Yang is a senior security consultant at Vantage Point Security with a research focus on embedded systems hacking and exploitation. He is from sunny Singapore, the world's first smart city. His regular discoveries of zero days in a variety of router models have earned him a reputation as the go-to guy for router hacking in Singapore, where he has been hired to do firmware source code reviews on popular router models. He is currently working on a comprehensive testing framework for ARM and MIPS based routers as well as shell code generation and post-exploitation techniques.



Why Attackers' Toolsets Do What They Do




SDN Security

SDN is rapidly moving from R&D to production deployment, with some frightening security implications. This presentation will provide an overview of emerging SDN technologies, the attack surfaces they expose, and the kinds of vulnerabilities that have already been discovered in popular SDN controllers. A live demo of several exploits will show the potential security implications of deploying SDN in production today. Finally we will look at some efforts currently underway to improve the security of SDN controllers.


David has been involved in the security industry for the last 15 years. During this time he has found high-impact and novel flaws in dozens of major Java components. He has worked for Red Hat's security team, led a Chinese startup that failed miserably, wrote the core aviation meteorology system for the southern hemisphere, and has been quoted in a major newspaper as saying North Korea's nuclear program is "ready to rock". He is currently focusing on SDN security, and leads the OpenDaylight and ONOS security teams.



Winning the Online Banking War

Currently, most security products and financial institutions defending against banking malware rely on an online banking page integrity check to detect the presence of financial malware. This technique works due to the inherent mechanics of financial malware injecting into the browser's DOM space. However, this purely web-based page integrity check can be subverted in many ways. This presentation will talk about evasion techniques such as replay attacks, polymorphism, inject randomisation, and DOM stealth rootkits, as well as countermeasures for those in a clientless way.

The presentation also includes a novel method derived from a Zero Knowledge Protocol that prevents banking malware from reverse engineering secrets transmitted between an online banking client and its server by eavesdropping on HTTPS traffic.


Sean Park is a senior malware scientist at Trend Micro, researching various one-to-many detection methodologies such as an autonomous malware campaign analysis system using machine learning. He previously worked for Kaspersky, FireEye, Symantec, and Sophos. He also created a critical security system for banking malware at one of the top Australian banks while battling many core banking threats.



Windows Driver Attack Surface: Some New Insights