Additional speakers to be announced soon. Speaker lineup is subject to change. 

  • 24 October
  • 25 October


Purple Teaming: One year after going from full time breaker to part time fixer

A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets; Red, Blue, and Purple and the talk will hopefully bring value to anyone working in their respective bucket or assist in their creation/continuing of purple teaming at their company.


Chris joined Facebook in April 2014 as an Offensive Security Engineer. Chris has extensive experience in redteaming, network and web application penetration testing as well as other Information Operations experience working as an operator for a DoD Red Team and other Full Scope penetration testing teams (regular pentesting teams too). Chris holds a BS in Computer Science and Geospatial Information Science from the United States Military Academy at West Point and holds his... redacted...no one cares anyway. In the past, he has spoken at the United States Military Academy, BlackHat, DefCon, Toorcon, Brucon, Troopers, SOURCE Boston, OWASP AppSec DC, DerbyCon, Hashdays, DevopsDays DC. Chris is also a cofounder of NoVAHackers. Blog: carnal0wnage.attackresearch.com  Twitter: @carnal0wnage



Spread Spectrum Satcom Hacking: Attacking the Globalstar Simplex Data Service

Recently, there have been several highly publicized talks about satellite hacking. However, most only touch on the theoretical rather than demonstrate actual vulnerabilities and real world attack scenarios. This talk will demystify some of the technologies behind satellite communications and do what no one has done before - take the audience step-by-step from reverse engineering to exploitation of the GlobalStar simplex satcom protocol and demonstrate a full blown signals intelligence collection and spoofing capability. I will also demonstrate how an attacker might simulate critical conditions in satellite connected SCADA systems.

In recent years, Globalstar has gained popularity with the introduction of its consumer focused SPOT asset-tracking solutions. During the session, I'll deconstruct the transmitters used in these (and commercial) solutions and reveal design and implementation flaws that result in the ability to intercept, spoof, falsify, and intelligently jam communications. Due to design tradeoffs these vulnerabilities are realistically unpatchable and put millions of devices, critical infrastructure, emergency services, and high value assets at risk.


Colby Moore is Synack's Manager of Special Activities. He works on the oddball and difficult problems that no one else knows how to tackle and strives to embrace the attacker mindset during all engagements. He is a former employee of VRL and has identified countless 0-day vulnerabilities in embedded systems and major applications. In his spare time you will find him focusing on that sweet spot where hardware and software meet, usually resulting in very interesting consequences.



Home network devices - The low hanging fruit of 201[5-9]


Name's Elvis. I've been a 'professional' security researcher for the past 2 years but have always had a thing for security ever since I was owned with the Sub7 Client/Server virus at the age of 13. Since that day I've been researching software security with a focus on memory corruption. Whenever I'm not staring at IDA, WinDBG, GDB, etc., I like to create music with Reason 7.1.



The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election

In the world's largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found fundamental protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community. 


Vanessa Teague is a research fellow in the computing and information systems department at the University of Melbourne, Australia. She has worked on cryptographic protocols for electronic voting ever since finishing a CS PhD at Stanford on cryptographic protocols for economic games. Australia's unusual voting system constitutes a special challenge. She also spends a lot of time explaining to parliamentarians and electoral officials that requirements for transparency, privacy and verifiability apply to computerised voting too.



Practical Intel SMEP Bypass Techniques on Linux

The Linux kernel has always been an appealing target for exploit developers due to the exploitation complexity associated with user space processes (ASLR, NX, Canaries, Fortify, RELRO, etc.). Common ret2usr (return-to-user) attacks typically redirect kernel control flow to data residing in user space: a corrupted function or data structure pointer that triggers a privilege escalation payload in user space. These attacks were successful until around 2013 before the introduction of 3rd generation Intel Core processors (Ivy Bridge) with SMEP support. SMEP (Supervisor Mode Execution Protection) is a hardware feature that prevents attempts to execute code (at CPL = 0) residing in user space pages. This kernel-hardening approach is now widely adopted and effectively mitigates common exploitation patterns of kernel vulnerabilities.

This presentation introduces practical Linux SMEP bypasses involving in-kernel ROP and spraying techniques. We will demonstrate how to convert an existing exploit code to a fully weaponised SMEP-aware exploit. This talk will concentrate on a specific kernel vulnerability and OS version to demonstrate the bypass but the exploitation techniques presented are generic and can be applied to other Operating Systems that employ explicit sharing of the virtual address space among user processes and the kernel.


Vitaly is a security researcher specialising in malware analysis and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on Linux kernel exploitation techniques (SMEP/SMAP, ASLR bypasses) and the associated countermeasures. He currently works as a pentester and has performed countless penetration tests for large financial and governmental institutions.



Advanced SOHO Router Exploitation

In this talk we will look into how a series of 0-day vulnerabilities can be used to hack into tens of thousands of SOHO Routers. We will elaborate on the techniques that were used in this research to locate exploitable routers, discover 0day vulnerabilities and successfully exploit them on both the MIPS and ARM platforms. 

The talk will cover the following topics:

  • Dumping and analyzing router firmware from an ISP provided router
  • Tips and Tricks to discovering vulnerabilities on the router
  • Identification of vulnerabilities
  • Explanation of how to write ARM / MIPS exploits
  • ROP Gadgets used for writing ARM and MIPS Proof-Of-Concept
  • Post exploitation concepts – creative use of exploits


Lyon Yang is a senior security consultant at Vantage Point Security with a research focus on embedded systems hacking and exploitation. He is from sunny Singapore, the world’s first smart city. His regular discoveries of zero days in a variety of router models have earned him a reputation as the go-to guy for router hacking in Singapore, where he has been hired to do firmware source code reviews on popular router models. He is currently working on a comprehensive testing framework for ARM and MIPS based routers as well as shell code generation and post-exploitation techniques.



Why Attackers Toolsets Do What They Do




SDN Security

SDN is rapidly moving from R&D to production deployment, with some frightening security implications. This presentation will provide an overview of emerging SDN technologies, the attack surfaces they expose, and the kinds of vulnerabilities that have already been discovered in popular SDN controllers. A live demo of several exploits will show the potential security implications of deploying SDN in production today. Finally we will look at some efforts currently underway to improve the security of SDN controllers.


David has been involved in the security industry for the last 15 years. During this time he has found high-impact and novel flaws in dozens of major Java components. He has worked for Red Hat's security team, led a Chinese startup that failed miserably, wrote the core aviation meteorology system for the southern hemisphere, and has been quoted in a major newspaper as saying North Korea's nuclear program is "ready to rock". He is currently focusing on SDN security, and leads the OpenDaylight and ONOS security teams.



Window Driver Attack Surface: Some New Insights

In this presentation I intend to cover a rapid fire set of issues that commonly occur in Windows drivers, from the trivial (ioctl, probing) to the obscure and subtle. The presentation will discuss these issues, illustrate them with examples, and offer developer guidance on how to avoid and mitigate these issues.

Whether you're a security researcher, a developer looking for some security guidance when writing these drivers, or just generally curious about driver internals, there's something here for all.


Ilja van Sprundel is experienced in exploit development and network and application testing. As IOActive's Director of Penetration Testing, he performs primarily gray-box penetration testing engagements on mobile (specializing in iOS) and runtime (specializing in Windows kernel) applications that require customized fuzzing and source code review, identifying system vulnerabilities, and designing custom security solutions for clients in technology development, telecommunications, and financial services. van Sprundel specializes in the assessment of low-level kernel code and architecture/infrastructure design, having security reviewed literally hundreds of thousands of lines of code. However, as a Director, he also functions in a managerial capacity by overseeing penetration testing engagements, providing oversight regarding technical accuracy, serving as the point of contact between technical consultants and technical stakeholders, and ensuring that engagements are delivered on time and in alignment with customers' expectations. van Sprundel is also responsible for mentoring and guiding Associate-level consultants as they grow both their penetration testing and general consulting skillsets. He is the driver behind the team's implementation of cutting-edge techniques and tools, guided by both research and successful exploits performed during client engagements.



High Performance Fuzzing

Security conference talks related to fuzzing tend to focus on distributed frameworks or new proof-of-concept engines. This talk will take a look at how to get the most performance out of your engine designs and fuzzing cluster for long term deployments. We will discuss topics like fork servers, static binary rewriting, patching Windows kernel to bypass memory limits and more tricks that have yet to be included in fuzzing talks. We have successfully applied these techniques to create a high performance port of AFL that targets binaries as well as speed up previous work on concolic execution and automated test generation. We will also compare effectiveness of various black box fuzzing approaches including model inference and directed fuzzing engines against a new benchmark composed of real-world vulnerabilities.
Highlights include:
  • Highest performance program tracing options for coverage and dataflow
  • Using bootkits to bypass software memory limits in Windows
  • RAM disk options on Windows
  • Harnessing copy-on-write on Windows
  • High speed automatic test generation
  • Benchmark set of real vulnerabilities for testing fuzzers
  • Performance of best-in-class fuzzers against benchmarks
  • Demo of port of AFL for targeting binaries
  • Demo of fast concolic testing


Richard Johnson is a computer security specialist in the area of software vulnerability analysis. Currently the Manager of Vulnerability Development for Cisco Talos, Richard offers 12 years of expertise and leadership in the software security industry. Current responsibilities include research and development of advanced fuzzing and crash analysis technologies facilitating the automation of the vulnerability triage and discovery process. Richard has presented annually at top-tier industry conferences worldwide for over a decade and was co-founder of the Uninformed Journal.


Abusing Adobe Reader's JavaScript APIs

Adobe Reader's JavaScript APIs offer a rich set of functionality for document authors. These APIs allow for processing forms, controlling multimedia events, and communicating with databases, all of which provide end-users the ability to create complex documents. This complexity provides a perfect avenue for attackers to take advantage of weaknesses that exist in Reader's JavaScript APIs.

In this talk, we will provide insight into both the documented and undocumented APIs available in Adobe Reader. Several code auditing techniques will be shared to aid in vulnerability discovery, along with numerous proofs-of-concept which highlight real-world examples. We'll detail how to chain several unique issues to obtain execution in a privileged context. Finally, we'll describe how to construct an exploit that achieves remote code execution without the need for memory corruption.


Jasiel Spelman

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.

Twitter: @wanderingglitch

Matt Molinyawe

Matt Molinyawe is a security researcher with Hewlett-Packard Security Research (HPSR). In this role, Molinyawe analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero-Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including DEF CON, RuxCon, Power of Community, and PacSec.

Prior to joining HP, Matt worked as a reverse engineer for General Dynamics and a software engineer for both USAA and L3 Communications. In 2014, Matt played a key role on the HP team that exploited Internet Explorer 11 on Windows 8.1 x64 during the Pwn4Fun event at CanSecWest, which helped raise over $80K for charity.

Twitter: @djmanilaice

HP's Zero Day Initiative, Twitter: @thezdi



High-Def Fuzzing: Exploring Vulnerabilities in HDMI-CEC

The HDMI (High Definition Multimedia Interface) standard has gained extensive market penetration. Nearly every piece of modern home theater equipment has HDMI support and most modern mobile devices actually have HDMI-capable outputs, though it may not be obvious. Lurking inside most modern HDMI-compatible devices is something called HDMI-CEC, or Consumer Electronics Control. This is the functionality that allows a media device to, for example, turn on your TV and change the TV’s input. That doesn’t sound interesting, but as we'll see in this presentation, there are some very surprising things an attacker can do by exploiting CEC software implementations. Then there's something called HEC or HDMI Ethernet Connection, which allows devices to establish an Ethernet connection of up to 100Mbit/s over their HDMI connections (newer HDMI standards raise the speed to 1Gbit/s).

Don't think your mobile phone implements CEC? You might be wrong. Most modern Android-based phones and tablets have a Slimport(r) connection that supports HDMI-CEC. Ever heard of MHL (Mobile High-Definition Link)? Think Samsung and HTC (among others) mobile devices, and many JVC, Kenwood, Panasonic, and Sony car stereos – as many as 750 million devices in the world so far. Guess what? MHL supports HDMI-CEC as well. Let's explore, and own, this attack space.


Kernelsmith is a senior vulnerability researcher with Hewlett-Packard Security Research (HPSR). In this role, he analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero-Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. Joshua is also a developer for the Metasploit Framework and has spoken at a few conferences and holds a few certifications.

Prior to joining HP, Smith served in the U.S. Air Force in various roles including as an Intercontinental Ballistic Missile (ICBM) Crew Commander and Instructor, but more relevantly as a penetration tester for the 92d Information Warfare Aggressor Squadron. Post-military, he became a security engineer at the Johns Hopkins University Applied Physics Lab, where he began contributing to the Metasploit Framework. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests. Smith received a B.S. in Aeronautical Engineering from Rensselaer Polytechnic Institute and an M.A. in Management of Information Systems from the University of Great Falls.

Smith was drawn to ZDI for the chance to work with a world-wide network of security researchers while continuing his own vulnerability research. When not researching software vulnerabilities, Josh enjoys raising his two young hackers-to-be and watching sci-fi since he can't play sports anymore (there's no tread left on his knees).

Twitter: @kernelsmith

HP’s Zero Day Initiative Twitter: @thezdi



Broadcasting Your Attack: Security Testing DAB Radio In Cars

Digital Audio Broadcasting (DAB) radio receivers can be found in many new cars and are in most cases integrated into an IVI (In-Vehicle Infotainment) system, which is connected to other vehicle modules via the CAN bus. Therefore, any vulnerabilities discovered in the DAB radio stack code could potentially result in an attacker exploiting the IVI system and pivoting their attacks toward more cyber-physical modules such as those concerned with steering or braking. This talk will discuss the complex protocol capabilities of DAB and DAB+ and describe the potential areas where security vulnerabilities in different implementations may exist. I will discuss the use of Software Defined Radio in conjunction with open source DAB transmission software to develop our security testing tool (DABble). Finally I will talk about some of our findings, the implications of exploiting DAB-based vulnerabilities via a broadcast radio medium and what this could mean for the automotive world.


Andy has worked in the Information Security industry for over 20 years, performing a range of security functions throughout his career. Prior to joining NCC Group, Andy held the positions of Head of Security Research at KPMG, UK and Chief Research Officer at IRM Plc. Before working in the private sector he worked for ten years performing various roles in Government. Recently, Andy has been leading security research projects into technologies such as embedded systems and hardware interface technologies and developing new techniques for software vulnerability discovery.



VoIP Wars: Destroying Jar Jar Lync

Enterprise companies use Microsoft Lync 2010/2013 (a.k.a. Skype for Business 2015) services for call centre, internal communication, cloud communication and video conference services. It is based on VoIP and instant messaging protocols, and supports multiple client types such as Microsoft Office 365, Microsoft Lync, Skype for Business, IP phones and teleconference devices. Official clients are also available for mobile devices (e.g. Windows Phone, Android and iOS), desktops (Mac, Linux and Windows) and web applications developed with the .NET framework.

Although the Microsoft Lync platform was developed with new technologies, it still suffers from the old VoIP, teleconference and platform issues. Modern VoIP attacks can be used to attack Microsoft Lync environments to obtain unauthorised access to the infrastructure. Open MS Lync frontend and edge servers, insecure federation security design, lack of encryption, insufficient defence against VoIP attacks and insecure compatibility options may allow attackers to hijack the enterprise communication. The enterprise users and employees are also the next generation targets for these attackers. They can attack the client soft phones and handsets using the broken communication, invalid protocol options and malicious messaging content to compromise sensitive business assets. These attacks may lead to privacy violations, legal issues, call/toll fraud and intelligence collection.

Attack vectors and practical threats against the Microsoft Lync ecosystem will be presented with newly published vulnerabilities and Microsoft Lync testing modules of the Viproy VoIP kit developed by the speaker. This will be accompanied by live demonstrations against a test environment.

  • A brief introduction to the Microsoft Lync ecosystem
  • Security requirements, design vulnerabilities and priorities
  • Modern threats against commercial Microsoft Lync services
  • Demonstration of new attack vectors against a target test platform


Fatih Ozavci is a Security Researcher and a Principal Security Consultant with Sense of Security, and the author of the Viproy VoIP Penetration Testing Kit. Fatih has discovered several previously unknown security vulnerabilities and design flaws in IMS, Unified Communications, Embedded Devices, MDM, Mobility and SAP integrated environments for his customers. He has completed several unique penetration testing services during his career of more than 15 years. His current research is based on securing IMS/UC services, IPTV systems, attacking mobile VoIP clients, VoIP service level vulnerabilities, SaaS, mobility security testing, hardware hacking and MDM analysis. Fatih has presented his VoIP and mobile research at BlackHat USA’14, DefCon 23, 22 and 21, Troopers’15, Cluecon 2013 and Ruxcon 2013. He has also provided VoIP and Mobility Security Testing trainings at AustCert’14, Kiwicon’15 and Troopers’15 events.



DNS as a Defense Vector

DNS enables everything else on the Internet -- both good and bad. By watching what bad guys do with their DNS configurations and offering them differentiated (that is to say, poor) service, defenders can re-level the playing field in our favour. In this one-hour talk, Dr. Paul Vixie, CEO of Farsight Security, will explain what DNSSEC and TSIG (Secure DNS and Transaction Signatures) are and why you might want them, explain what RRL and RPZ (Response Rate Limiting and Response Policy Zones) do and why you absolutely do want them, then demonstrate SIE (the Security Information Exchange) which collects data from cooperating sensors all over the Internet and shares this telemetry with qualified non-profit and for-profit researchers. If there's enough time there will also be a demonstration of DNSDB, a passive DNS database. (Otherwise that demo will occur in the hotel bar area later on.)


Vixie has been contributing to Internet protocols and UNIX systems as a protocol designer and software architect since 1980. He wrote Cron (for BSD and Linux), and is considered the primary author and technical architect of BIND 4.9 and BIND 8, and he hired many of the people who wrote BIND 9. He has authored or co-authored a dozen or so RFCs, mostly on DNS and related topics, and of Sendmail: Theory and Practice (Digital Press, 1994). His technical contributions include DNS Response Rate Limiting (RRL), DNS Response Policy Zones (RPZ), and Network Telemetry Capture (NCAP). He earned his Ph.D. from Keio University for work related to DNS and DNSSEC, and was named to the Internet Hall of Fame in 2014.





Mark Dowd is an expert in application security, specializing primarily in host and server based Operating Systems. His professional experience includes several years as a senior researcher at a fortune 500 company, where he uncovered a variety of major vulnerabilities in ubiquitous Internet software. He also worked as a Principal Security Architect for McAfee, where he was responsible for internal code audits, secure programming classes, and undertaking new security initiatives. Mark has also co-authored a book on the subject of application security named "The Art of Software Security Assessment," and has spoken at several industry-recognized conferences.




Sit back and listen to the fascinating journey of this year’s VENOM vulnerability discovery. Learn how hypervisors work and where researchers should look for critical vulnerabilities. Find out how the VENOM vulnerability was found and why it went unnoticed for so many years. Hear all about the challenges of a coordinated vendor disclosure process. And take in the lessons we learned from the media exposure VENOM received.


Jason Geffner is a world-renowned industry thought-leader in the fields of computer security and reverse engineering. He has been interviewed by Forbes, Fortune, CBS, AP, CSO Magazine, c|net, PCWorld, Dark Reading, and Threatpost, and has been featured on Slashdot, The Register, SC Magazine, ZDNet and Computerworld. Geffner holds several patents, is the discoverer of VENOM, and the inventor of Tortilla. He has been invited to present numerous times at Black Hat, RSA Conference, CanSecWest, OWASP, REcon, ISOI, Lockdown, and other industry conferences, in addition to delivering training to the United States Air Force, Japan’s National Police Agency, and private industry.



Design, Implementation and Bypass of the Chain-of-trust Model of iOS

The closed software ecosystem of iOS heavily relies on the rigorous security mechanisms of iOS. This talk will analyze the design, implementation, and evolution of the security mechanisms in iOS along the timeline from device boot, kernel initialization, to creation and execution of a userland process, review the key steps in previous jailbreak tools for breaking the chain-of-trust model of iOS, share the critical techniques exploited by Pangu 7 and Pangu 8, and analyze and forecast potential attack surfaces for future jailbreaks. We will also analyze a code signing bypass vulnerability that enables untethered jailbreak against iOS 8.2, and explain how it was stealthily fixed by Apple in iOS 8.3.


The Pangu Team is a team of senior security researchers focusing on iOS security. The Pangu Team successively released untethered jailbreak tools for iOS 7.1.x and iOS 8.0-8.1 in 2014, becoming the first team in China to independently develop untethered jailbreaks and the first team in the world to jailbreak iOS 8.