Search results “Cryptography defcon everybody dies”
DEF CON 23 - Eijah - Crypto for Hackers
55:52
Hacking is hard. It takes passion, dedication, and an unwavering attention to detail. Hacking requires a breadth of knowledge spread across many domains. We need to have experience with different platforms, operating systems, software packages, tools, programming languages, and technology trends. Being overly deficient in any one of these areas can add hours to our hack, or even worse, bring us total failure. And while all of these things are important for a well-rounded hacker, one of the key areas that is often overlooked is cryptography. In an era dominated by security breaches, an understanding of encryption and hashing algorithms provides a tremendous advantage. We can better hone our attack vectors, especially when looking for security holes. A few years ago I released the first Blu-Ray device key, AA856A1BA814AB99FFDEBA6AEFBE1C04, by exploiting a vulnerability in an implementation of the AACS protocol. As hacks go, it was a simple one. But it was the knowledge of crypto that made it all possible. This presentation is an overview of the most common crypto routines helpful to hackers. We'll review the strengths and weaknesses of each algorithm, which ones to embrace, and which ones to avoid. You'll get C++ code examples, high-level wrapper classes, and an open-source library that implements all the algorithms. We'll even talk about creative ways to merge algorithms to further increase entropy and key strength. If you've ever wanted to learn how crypto can give you an advantage as a hacker, then this talk is for you. With this information you'll be able to maximize your hacks and better protect your personal data. Speaker Bio: Eijah is the founder of demonsaw, a secure and anonymous content sharing platform, and a Senior Programmer at a world-renowned game development studio. He has over 15 years of software development and IT Security experience. 
His career has covered a broad range of Internet and mid-range technologies, core security, and system architecture. Eijah has been a faculty member at multiple colleges, has spoken about security and development at conferences, and holds a master’s degree in Computer Science. Eijah is an active member of the hacking community and is an avid proponent of Internet freedom.
Views: 48455 DEFCONConference
DEFCON 17: Making Fun of Your Malware
42:26
Speakers: Michael Ligh, Malicious Code Analyst, iDefense; Matthew Richard, Malicious Code Operations Lead, Raytheon Corporation.
Would you laugh if you saw a bank robber accidentally put his mask on backwards and fall into a manhole during the getaway, because he couldn't tell where he was going? Criminals do ridiculous things so often, it's impossible to capture them all on video. Rest assured, when the criminals are malware authors, we can still make fun of them through evidence found in pictures, binary disassemblies, packet captures, and log files. This talk evenly distributes technical knowledge and humor to present the funniest discoveries related to malware authors and the fight against their code. For more information visit: http://bit.ly/defcon17_information To download the video visit: http://bit.ly/defcon17_videos
Views: 224727 Christiaan008
DEF CON 22 - Deviant Ollam & Howard Payne - Elevator Hacking - From the Pit to the Penthouse
01:00:17
Elevator Hacking - From the Pit to the Penthouse. Deviant Ollam, The CORE Group; Howard Payne, The CORE Group.
Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don't do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it's easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work... allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned! While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Deviant runs the Lockpicking Village with TOOOL at HOPE, DEFCON, ShmooCon, etc, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the United States Military Academy at West Point, and the United States Naval Academy at Annapolis. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th. Twitter: @deviantollam, @TCGsec
Howard Payne is an elevator consultant from New York specializing in code compliance and accident investigations. He has logged over 9,000 hours examining car-tops, motor rooms, and hoistways in cases ranging from minor injuries to highly-publicized fatalities, and has contributed to forensic investigations that have been recognized by local, State, and Federal courts. Howard has appeared on national broadcast television making elevators do things they never should. When he's not riding up and down high-rise hoistways, he moonlights as a drum and bass DJ and semi-professional gambler. His favorite direction is Up and his favorite elevator feature is riot mode. Twitter: @SgtHowardPayne
Views: 419544 DEFCONConference
Defcon 21 - Torturing Open Government Systems for Fun, Profit and Time Travel
31:53
Tom Keenan August 1st--4th, 2013 Rio Hotel & Casino • Las Vegas, Nevada
Views: 36484 HackersOnBoard
DEF CON 24 - Zack Fasel, Erin Jacobs - Attacks Against Top Consumer Products
43:19
This is not just another "I found a problem in a single IOT device" talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It's time to Fight for the Users. END OF LINE.
Zack Fasel and Erin Jacobs are Partners at Urbane Security, a solutions-focused, vendor-neutral information security services firm focusing on providing innovative defense, sophisticated offense and refined compliance services. Heading up Urbane's Research and Security Services divisions, Zack brings his years of diverse internal and external experience to drive Urbane's technical solutions to organizations' top pain points. His previous research and presentations at conferences have spread across numerous domains including Windows authentication flaws, femtocells, open source defensive security solutions, cloud security, and unique network and application attack vectors. When not selling out, he can be found lost in the untz unce wubs, dabbling in instagram food photography, or eating scotch and drinking gummy bears (that's right, right?). More information on Zack can be found by searching for "zfasel" and on Urbane Security at UrbaneSecurity.com.
Leading the charge of Urbane’s Compliance and Enterprise Risk Management divisions, Erin brings her years of executive level experience coupled with deep and diverse technical knowledge to help organizations accurately prioritize and address the security and compliance risks they face. Her prior talks and research have spread across numerous domains, including technical solutions for compliance requirements, OSX reversing, diversity in tech, and IOT. More information on Erin can be found by following @SecBarbie on twitter. Twitter: @UrbaneSec @zfasel @SecBarbie
Views: 43501 DEFCONConference
Elevator Hacking: From the Pit to the Penthouse
01:55:54
Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don't do that, please!) to the work of modern pen testers who use elevators to bypass building security systems (it's easier than you think!) these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevators work... allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned! While paying the bills as a security auditor and penetration testing consultant with his company, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation Of Lockpickers. Deviant runs the Lockpicking Village with TOOOL at HOPE, DEFCON, ShmooCon, etc, and he has conducted physical security training sessions for Black Hat, DeepSec, ToorCon, HackCon, ShakaCon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the United States Military Academy at West Point, and the United States Naval Academy at Annapolis. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.
Howard Payne is an elevator consultant from New York specializing in code compliance and accident investigations. He has logged over 9,000 hours examining car-tops, motor rooms, and hoistways in cases ranging from minor injuries to highly-publicized fatalities, and has contributed to forensic investigations that have been recognized by local, State, and Federal courts. Howard has appeared on national broadcast television making elevators do things they never should. When he's not riding up and down high-rise hoistways, he moonlights as a drum and bass DJ and semi-professional gambler. His favorite direction is Up and his favorite elevator feature is riot mode.
Views: 246695 DeviantOllam
DEF CON 23 - Chris Rock - I Will Kill You
31:28
Have you ever wanted to kill someone? Do you want to get rid of your partner, your boss or your arch nemesis? Perhaps you want to enjoy your life insurance payout whilst you’re still alive. Do you have rich elderly parents that just won’t die quick enough? Or do you want a “Do Over” new identity? Then, this presentation is for you! I’ll provide you with the insight and techniques on how to “kill” someone and obtain a real death certificate and shutdown their lives. It focuses on the lack of security controls that allow any of us to virtually kill off anyone or any number of people. Forget the Dexter way of killing someone; I’ll show you how to avoid the messy cleanup and focus on the digital aspects. You could be dead right now and not even know it. The presentation will explain the death process and will highlight the vulnerabilities and their implications world-wide. You will learn: How to fill in a doctor’s medical cause of death certificate anonymously. How to become a funeral director and dispose of the body. How to obtain a Death Certificate. Once you’ve wrapped your mind around that concept, I will also show you how to “birth” Virtual identities that obtain real birth certificates. You will learn the birth registration process and the security vulnerabilities associated with this as well. The third and final step of the presentation is “The baby harvest”, a concept that I’ve developed, which involves creating and raising virtual identities. This technique is similar to a shelf company. Virtuals will be “born”, registered with the government complete with birth certificates and social security numbers. They can open up bank accounts, get a virtual job to launder money, pay taxes, obtain home loans and obtain life insurance policies. They can be married to anyone (virtual or not) and be directors of companies…. the list is endless and to complete the circle of life, they can be killed off when they are ready for “harvest” for their life insurance payouts or sold as permanent I.D.’s. With no victim, this is taking identity theft to the next level.
Chris Rock has been active in the security industry for the last 20 years and is the founder and CEO of Kustodian, a specialized security company that specializes in Security Operations Centres, Penetration testing and independent research. Kustodian is an Australian, Middle East and Hong Kong registered company that has been operational for over 9 years. Chris has also spent 12 years in the banking sector and provides security services around the world for small, medium and large companies.
Views: 149114 DEFCONConference
Get Rich or Die Trying - Making Money on the Web the black hat way
55:19
Forget Cross-Site Scripting. Forget SQL Injection. If you want to make some serious cash on the Web silently and surreptitiously, you don't need them. You also don't need noisy scanners, sophisticated proxies, 0-days, or ninja level reverse engineering skills -- all you need is a Web browser, a clue on what to look for, and a few black hat tricks. Generating affiliate advertising revenue from the Website traffic of others, trade stock using corporation information passively gleaned, inhibit the online purchase of sought after items creating artificial scarcity, and so much more. Activities not technically illegal, only violating terms of service. You may have heard these referred to as business logic flaws, but that name really doesn't do them justice. It sounds so academic and benign in that context when the truth is anything but. These are not the same ol' Web hacker attack techniques everyone is familiar with, but the one staring you in the face and missed because gaming a system and making money this way couldn't be that simple. Plus IDS can't detect them and Web application firewalls can't block them. In fact, these types of attacks are so hard to detect (if anyone is actually trying) we aren't even sure how widespread their use actually is. Time to pull back the cover and expose what's possible.
Jeremiah Grossman is the founder and CTO of WhiteHat Security, considered a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and named to InfoWorld's Top 25 CTOs for 2007. Mr. Grossman is a frequent speaker at major industry events around the globe, a Black Hat veteran, and has been invited to present at a number of large universities. He has authored dozens of articles and white papers; is credited with the discovery of many cutting-edge attack and defensive techniques; and is a co-author of XSS Attacks. Mr. Grossman is frequently quoted in major media publications such as InfoWorld, USA Today, PCWorld, Dark Reading, SC Magazine, SecurityFocus, Cnet, CSO, and InformationWeek. Prior to WhiteHat he was an information security officer at Yahoo!
Trey Ford is the Director of Solutions Architecture at WhiteHat Security providing vision to customers, partners, and prospects on website security initiatives. Mr. Ford also spearheads WhiteHat's participation in the PCI Standards Council and assists customers in navigating regulatory bodies. With a consulting background in risk assessment and regulatory compliance, Mr. Ford is a frequent speaker at industry events, and is often quoted in media publications. Prior to WhiteHat, Trey served as compliance practice lead at FishNet Security.
Views: 378399 Jeremiah Grossman
Defcon 21 - Forensic Fails - Shift + Delete Won't Help You Here
47:10
Eric Robi & Michael Perklin August 1st--4th, 2013 Rio Hotel & Casino • Las Vegas, Nevada
Views: 471437 HackersOnBoard
DEF CON 26 BLUE TEAM VILLAGE - rainbow tables - Automating DFIR The Counter Future
28:22
Automation has been at the forefront of almost every tool or talk in recent years. The DFIR industry has been moving rapidly towards automating everything! With some great work being done in the area of integrating workflows and various toolsets to make things easier for analysts, automation has really taken off. While that sounds like a worthwhile solution to help SOC analysts weed out the run-of-the-mill adware/PUPs or phishing expeditions, can we really automate a response to the more sophisticated or targeted attack on our company’s crown jewels? The current argument being made is that -- rather than building in-house Incident Response teams -- we should utilize automation to substitute analysts and use third party retainers for skilled analysis. Large investments in automation technologies, rather than resource development, reflect this strategy. What does this mean for career progression for budding DFIR analysts? With security engineering taking the forefront, is analysis as a career in DFIR a dying star? Is automation moving us towards click forensics rather than intelligent analysis? I’d like to challenge groupthink, and debate where automation will lead the industry trends. Additionally, I will share some of my experiences in the changing face of DFIR.
Views: 1182 DEFCONConference
Defcon 21 - Stalking a City for Fun and Frivolity
45:20
Brendan O'Connor August 1st--4th, 2013 Rio Hotel & Casino • Las Vegas, Nevada
Views: 165607 HackersOnBoard
I am a legend: Hacking Hearthstone with machine learning - Defcon 22
43:32
Recording of my Defcon 2014 talk on hacking hearthstone More info: https://www.elie.net/hs Slides: http://bit.ly/2ccotSX
Views: 149195 Elie Bursztein
DEF CON 23 - Charlie Miller & Chris Valasek - Remote Exploitation of an Unaltered Passenger Vehicle
46:22
Although the hacking of automobiles is a topic often discussed, details regarding successful attacks, if ever made public, are non-comprehensive at best. The ambiguous nature of automotive security leads to narratives that are polar opposites: either we’re all going to die or our cars are perfectly safe. In this talk, we will show the reality of car hacking by demonstrating exactly how a remote attack works against an unaltered, factory vehicle. Starting with remote exploitation, we will show how to pivot through different pieces of the vehicle’s hardware in order to be able to send messages on the CAN bus to critical electronic control units. We will conclude by showing several CAN messages that affect physical systems of the vehicle. By chaining these elements together, we will demonstrate the reality and limitations of remote car attacks.
Charlie Miller is a security engineer at Twitter, a hacker, and a gentleman. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four-time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as "It's complicated". Twitter: @0xcharlie
Christopher Valasek is the Director of Vehicle Security Research at IOActive, an industry leader in comprehensive computer security services. Valasek specializes in offensive research methodologies with a focus in reverse engineering and exploitation. Valasek is known for his extensive research in the automotive field and his exploitation and reverse engineering of Windows. Valasek is also the Chairman of SummerCon, the nation's oldest hacker conference. He holds a B.S. in Computer Science from the University of Pittsburgh. Twitter: @nudehaberdasher
Views: 100458 DEFCONConference
DEFCON 20: DEF CON Comedy Jam V, V for Vendetta
01:50:15
Panel: David Mortman, Chief Security Architect, enStratus; Rich Mogull, Securosis, @rmogull; Chris Hoff, Rational Security, @Beaker; Dave Maynor, Errata, @donicer; Larry Pesce, PaulDotCom.com, @haxorthematrix; James Arlen, Liquid Matrix, @myrcurial; Robert David Graham, Errata Security, @ErrataRob.
You know you can't stay away! The most talked about panel at DEF CON! Nearly two hours of non-stop FAIL. Come hear some of the loudest mouths in the industry talk about the epic security failures of the last year. So much fail, you'll need the food cooked on stage to survive. Nothing is sacred, not even each other. This year's fail includes cloud, mobile and APT to name just a few topics. If that's not enough, we'll also be making crepes on stage. Over the last two years, we've raised over $1,500 for the EFF, let's see how much we can do this year.... For more information visit: http://bit.ly/defcon20_information To download the video visit: http://bit.ly/defcon20_videos Playlist DEFCON 20: http://bit.ly/defcon20_playlist
Views: 30257 Christiaan008
DEF CON 22 - Chris Littlebury - Home Alone with localhost: Automating Home Defense
46:10
Slides here: https://www.defcon.org/images/defcon-22/dc-22-presentations/Littlebury/DEFCON-22-Chris-Littlebury-Home-Alone-with-localhost.pdf
Home Alone with localhost: Automating Home Defense. Chris Littlebury, Senior Penetration Tester, Knowledge Consulting Group, Inc.
Home automation is everywhere, and so are its exploits. This presentation will go over a brief history of home automation techniques, cover modern technologies used today, detail some of the current exploits used against modern automation and security systems, and give examples on how to defend against them. You’ll be provided with the knowledge necessary to build your own home Skynet system, complete with passive and active defenses against physical and wireless attacks. If you like Raspberry Pis, RF hacks, dirty soldering jobs, and even dirtier code, then this is your talk.
Chris Littlebury is a Senior Penetration Tester with Knowledge Consulting Group (KCG). He enjoys hardware hacking, turning wrenches, and opportunities to combine the two. He also claims to have created the first Raspberry Pi-powered, wireless BBQ smoker.
Views: 28123 DEFCONConference
DEF CON 26 SE VILLAGE - Ryan MacDougall -  From Introvert to SE The Journey
39:23
In 20 years I learned how to step outside my introverted personality to explore the world in a more successful way, but not without bumps and bruises which taught me valuable lessons. This is my story of that journey which I hope to convey to those listening that being a deep introvert should not prevent them from trying and achieving goals in life up to and including being a professional social engineer and beyond. I wrap up with the specific lessons I learned over the course of that time, so others can reap the benefits of those lessons in a much shorter time frame.
Views: 2387 DEFCONConference
DEF CON 22 - Dan Kaminsky - Secure Random by Default
01:38:53
Secure Random By Default. Dan Kaminsky, Chief Scientist, White Ops.
As a general rule in security, we have learned that the best way to achieve security is to enable it by default. However, across operating systems and languages, random number generation is always exposed via two separate and most assuredly unequal APIs -- insecure and default, and secure but obscure. Why not fix this? Why not make JavaScript and PHP and Java and Python and even libc rand() return strong entropy? What are the issues stopping us? Should we just shell back to /dev/urandom, or is there merit to userspace entropy gathering? How do fork() and virtualization impact the question? What of performance, and memory consumption, and headless machines? Turns out the above questions are not actually rhetorical. Just because a change might be a good idea doesn't mean it's a simple one. This will be a deep dive, but one that I believe will actually yield a fix for the repeated *real world* failures of random number generation systems.
Dan Kaminsky has been a noted security researcher for over a decade, and has spent his career advising Fortune 500 companies such as Cisco, Avaya, and Microsoft. Dan spent three years working with Microsoft on their Vista, Server 2008, and Windows 7 releases. Dan is best known for his work finding a critical flaw in the Internet’s Domain Name System (DNS), and for leading what became the largest synchronized fix to the Internet’s infrastructure of all time. Of the seven Recovery Key Shareholders who possess the ability to restore the DNS root keys, Dan is the American representative. Dan is presently developing systems to reduce the cost and complexity of securing critical infrastructure.
Views: 51418 DEFCONConference
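Kaminsky's abstract frames the problem as "insecure and default" versus "secure but obscure". The following is an added example, not code from the talk, that makes the gap concrete for Python: the default `random` module is MT19937, whose output tempering is a bijection, so 624 consecutive `getrandbits(32)` outputs leak the whole internal state and every later output can be predicted, while `secrets` draws from the OS CSPRNG. The seed, the helper names and the `demo_leak` wrapper are my own choices for the demonstration.

```python
import random
import secrets

# MT19937 parameters as used by CPython's ``random`` module.
_MASK32 = 0xFFFFFFFF
_N = 624  # state words; one 32-bit output per word


def temper(x: int) -> int:
    """The output tempering MT19937 applies to each 32-bit state word."""
    y = x & _MASK32
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & _MASK32


def _undo_right_xor(y: int, shift: int) -> int:
    # Recover x from y = x ^ (x >> shift). The top `shift` bits of y already
    # equal x; each pass fixes the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x & _MASK32


def _undo_left_xor(y: int, shift: int, mask: int) -> int:
    # Recover x from y = x ^ ((x << shift) & mask), working up from the low bits.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & _MASK32


def untemper(y: int) -> int:
    """Invert temper(); every observed output yields one raw state word."""
    x = _undo_right_xor(y, 18)
    x = _undo_left_xor(x, 15, 0xEFC60000)
    x = _undo_left_xor(x, 7, 0x9D2C5680)
    x = _undo_right_xor(x, 11)
    return x


def clone_mt19937(outputs: list[int]) -> random.Random:
    """Rebuild a generator from 624 consecutive getrandbits(32) outputs.

    The trailing index 624 marks the state buffer as exhausted, so the
    clone's next call regenerates exactly the words the victim emits next.
    """
    if len(outputs) != _N:
        raise ValueError(f"need exactly {_N} consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs) + (_N,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def demo_leak(seed: int, count: int = 5) -> tuple[list[int], list[int]]:
    """Observe 624 outputs of a seeded 'victim', then predict its next `count`.

    Returns (predicted, actual); the two lists are identical for any seed.
    """
    victim = random.Random(seed)
    leaked = [victim.getrandbits(32) for _ in range(_N)]
    clone = clone_mt19937(leaked)
    predicted = [clone.getrandbits(32) for _ in range(count)]
    actual = [victim.getrandbits(32) for _ in range(count)]
    return predicted, actual


def secure_token() -> int:
    """The 'obscure' API: 32 bits from the OS CSPRNG, not reconstructible this way."""
    return secrets.randbits(32)


if __name__ == "__main__":
    predicted, actual = demo_leak(20140810)  # constructed demo seed
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("match:", predicted == actual)
    print("secrets.randbits(32):", secure_token())
```

The attack needs nothing but outputs: no seed, no timing, no access to the process. That is the practical meaning of "insecure and default"; a program that uses `random` for session IDs or reset tokens is exposed to whoever can observe enough of them, and the fix is a one-word change to `secrets` that most developers never hear about.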
DEF CON 23 - Priest - Impromptu Spot the Fed
14:30
A talk was cancelled and Priest takes to the stage to do an impromptu "Spot the Fed". What is Spot the Fed you ask? Well it's a game we've played at DEF CON forever now...Here's a description from Priest: "Like a paranoid version of pin the tail on the donkey, the favorite sport at this gathering of computer hackers and phone phreaks seems to be hunting down real and imagined telephone security and Federal and local law enforcement authorities who the attendees are certain are tracking their every move... Of course, they may be right." - John Markoff, NYT Basically the contest goes like this: If you see some shady MIB (Men in Black) earphone penny loafer sunglass wearing Clint Eastwood to live and die in LA type lurking about, point him out. Just get my attention and claim out loud you think you have spotted a fed. The people around at the time will then (I bet) start to discuss the possibility of whether or not a real fed has been spotted. Once enough people have decided that a fed has been spotted, and the Identified Fed (I.F.) has had a say, an informal vote takes place, and if enough people think it's a true fed, or fed wanna-be, or other nefarious style character, you win a "I spotted the fed!" shirt, and the I.F. gets an "I am the fed!" shirt. NOTE TO THE FEDS: This is all in good fun, and if you survive unmolested and undetected, but would still secretly like an "I am the fed!" shirt to wear around the office or when booting in doors, please contact me when no one is looking and I will take your order(s). Just think of all the looks of awe you'll generate at work wearing this shirt while you file away all the paperwork you'll have to produce over this convention. I won't turn in any feds who contact me, they have to be spotted by others.
Views: 10829 DEFCONConference
Bruce Schneier: "Click Here to Kill Everybody" | Talks at Google
52:52
Computer security professional, privacy specialist and writer Bruce Schneier discusses "Click Here to Kill Everybody", his latest book exploring the risks and security implications of our new, hyper-connected era. Bruce lays out common-sense policies that will allow us to enjoy the benefits of this omnipotent age without falling prey to the consequences of its insecurity. Get the book here: https://goo.gl/YDaVUX
Views: 20654 Talks at Google
DEFCON 17: Binary Obfuscation from the Top-Down: Obfuscating Executables Without Writing Assembly
43:10
Speaker: Sean "Frank^2" Taylor, Security Engineer, Rapid7.
Binary obfuscation is commonly applied in malware and by software vendors in order to frustrate the efforts of reverse engineers to understand the underlying code. A common misconception is one must be a master of assembly in order to properly obfuscate a binary. However, with knowledge of compiler optimizations and certain keywords, one can frustratingly obfuscate their binary simply by writing specifically crafted high-level code. This talk will attempt to teach an array of methods that can be employed to obfuscate a binary as it is compiled rather than afterward. Knowledge of C/C++ is the only prerequisite for this talk. For more information visit: http://bit.ly/defcon17_information To download the video visit: http://bit.ly/defcon17_videos
Views: 11348 Christiaan008
DEF CON 19 - Jason Scott - Archive Team: A Distributed Preservation of Service Attack
44:19
For the last few years, historian and archivist Jason Scott has been involved with a loose, rogue band of data preservation activists called The Archive Team. As major sites with brand recognition and the work of millions announce short-notice shutdowns of their entire services, including Geocities, Friendster, and Yahoo Video, Archive Team arrives on the scene to duplicate as much as they possibly can for history before all the data is wiped forever. To do this, they have been rude, crude and far outside the spectrum of polite requests to save digital history, and have used a variety of techniques to retrieve and extract data that might have otherwise been unreachable. Come for the rough-and-tumble extraction techniques and teamwork methods, stay for the humor and ranting.
Jason Scott is a computer historian, archivist, documentary filmmaker and essayist dedicated to saving digital history and having a blast doing it. Between his sites TEXTFILES.COM, ARCHIVETEAM.ORG and a propensity for saying a lot of stuff to a lot of people, he's done his best to ensure entire lengths of computer and hacker history have been preserved and not forgotten. This will be his 198th DEFCON.
Views: 857 DEFCONConference
DEF CON 23 - Brent White - Hacking Web Apps
38:19
Assessing the security posture of a web application is a common project for a penetration tester and a good skill for developers to know. In this talk, I'll go over the different stages of a web application pen test, from start to finish. We'll start with the discovery phase, utilizing OSINT sources such as search engines, sub-domain brute-forcing and other methods to help you get a good idea of a target's "footprint", all the way to fuzzing parameters to find potential SQL injection vulnerabilities. I'll also discuss several of the tools and some techniques that I use to conduct a full application penetration assessment. After this talk, you should have a good understanding of what is needed as well as where to start on your journey to hacking web apps.
Speaker Bio: Brent is an Offensive Security Consultant at Solutionary, an NTT Group Security Company, and has spoken at numerous security conferences, including the DEF CON 22 SE Village. He has held the role of Web/Project Manager and IT Security Director at the headquarters of a global franchise company. His experience includes Internal and External Penetration Assessments, Social Engineering and Physical Security Assessments, Wireless and Application Vulnerability Assessments and more. Twitter: @BrentWDesign
Views: 27403 DEFCONConference
DEF CON 22 - Panel - PropLANE: Kind of keeping the NSA from watching you pee
48:57
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Bathurst-Rogers-Carey-Clarke/DEFCON-22-Bathurst-Rogers-Carey-Clarke-PROPLANE.pdf
PropLANE: Kind of keeping the NSA from watching you pee. Rob Bathurst (EVILROB), Russ Rogers (RUSSR), Mark Carey (PHORKUS), Ryan Clarke (L0STBOY).
No one likes to be watched, especially on the Internet. Your Internet…habits are only for you to know, not ISPs, hotels, government agencies, your neighbor, that creepy guy down the street with the cantenna, or anyone else. With your privacy in mind, we’ve combined two things every good hacker should have, a Propeller powered DEF CON badge (DC XX in our case) and a somewhat sober brain, to turn the DC badge (with some modifications) into an inline network encryption device. This modified badge, lovingly called the PropLANE, will allow you to keep your peer-to-peer network traffic away from the prying eyes of the aforementioned creepy guy down the street and impress all the cool hacker peoples of the gender you prefer.
Evilrob is a Security Engineer with over 13 years of experience with large network architecture and security engineering. His current focus is on network security architecture, tool development, and high-assurance encryption devices. He spends his waking moments contemplating new and terrible ways to make and break things as the Overlord of Engineering at Peak Security.
Phorkus is the starry eyed Chief Scientist of Peak Security, and a long time goon at DEF CON. He bends bits to his will, and dismays audiences with his whimsical narrations of physics, organic nutrition, and what it means to be god. He will amaze and astound. He's also very likely to confuse.
Russr is a security expert with over 20 years of experience, and has been an active member of the DEF CON community and staff for the past 17 years. He's the CEO and co-founder of Peak Security.
LosTboY is the puzzle master and badge lord for DEF CON. He's a coder, a hacker, and a fancy dresser. LosT is well known for his exploits, including the popular Mystery Box Challenge, and the amazing DEF CON badges. site: www.peaksec.com FB: https://www.facebook.com/pages/Peak-Security-Inc/195202587160074 Twitter: @PeakSec
Views: 4275 DEFCONConference
DEF CON 22 - Cesar Cerrudo - Hacking US (and UK, Australia, France, etc.) traffic control systems
 
47:38
Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/Cerrudo/DEFCON-22-Cesar-Cerrudo-Hacking-Traffic-Control-Systems-UPDATED.pdf Hacking US (and UK, Australia, France, etc.) traffic control systems Cesar Cerrudo CTO, IOACTIVE LABS Probably many of us have seen that scene from "Live Free or Die Hard" (Die Hard 4) where the "terrorist hackers" manipulate traffic signals by just hitting the Enter key or typing a few keys. I wanted to do that! So I started to look around, and of course I couldn't get to do the same, that's too Hollywood style! But I got pretty close. I found some interesting devices used by traffic control systems in important cities such as Washington DC, Seattle, New York, San Francisco, Los Angeles, etc. and I could hack them :) I also found that these devices are also used in cities in the UK, France, Australia, China, etc., making them even more interesting. This presentation will tell the whole story from how the devices were acquired, the research, on site testing demos (at Seattle, New York and Washington DC), vulnerabilities found and how they can be exploited, and finally some possible NSA style attacks (or should I say cyberwar style attacks?) Oh, I almost forgot, after this presentation anyone will be able to hack these devices and mess with traffic control systems since there is no patch available (sorry, didn't want to say 0day ;)) I hope that after this I'll still be allowed to enter (or leave?) the US. Cesar Cerrudo is CTO at IOActive Labs where he leads the team in producing ongoing cutting edge research in the areas of SCADA, mobile device, application security and more. Formerly the founder and CEO of Argeniss Consulting, acquired by IOActive, Cesar is a world-renowned security researcher and specialist in application security. 
Throughout his career, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, Yahoo! Messenger, etc. In addition, Cesar has authored several white papers on database, application security, attacks and exploitation techniques and he has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, EkoParty, FRHACK, H2HC, Defcon, Infiltrate, etc. Cesar collaborates with and is regularly quoted in print and online publications including eWeek, ComputerWorld, and other leading journals. Twitter: @cesarcer
Views: 15905 DEFCONConference
DEFCON - FULL MATCH VS AI
 
49:41
DEFCON FULL MATCH! GOING TO BE USING A LOT OF THIS GAMEPLAY FOR SOME OTHER VIDEOS I'LL BE MAKING BUT FIGURED I'D POST THIS IN ITS ENTIRETY FOR FUN. HOPE YOU ENJOY.
Views: 25 Randall Kristoffer
DEF CON 23 - DT and 1057 - Welcome to DEF CON
 
40:28
opening ceremonies at DEF CON 23
Views: 1298 DEFCONConference
DEF CON 24 - Chris Rock - How to Overthrow a Government
 
42:20
Direct from the mind of the guy who brought you the "I will kill you" presentation at DEF CON 23 is another mind bending, entertaining talk. This time it’s bigger and badder than before. Are you sick and tired of your government? Can’t wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions, then this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself. Find out how over the last 60 years, governments and resource companies have been directly involved in architecting regime changes around the world using clandestine mercenaries to ensure deniability. This has been achieved by destabilizing the ruling government, providing military equipment, assassinations, financing, training rebel groups and using government agencies like the CIA, Mossad and MI-5 or using foreign private mercenaries such as Executive Order and Sandline. Working with Simon Mann, an elite ex SAS soldier turned coup architect who overthrew governments in Africa, Chris Rock will show you how mercenary coup tactics directly apply to digital mercenaries to cause regime changes as the next generation of "Cyber Dogs of War". Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt. This will include taking ownership of all facets of government including finance, telecommunications, transportation, commercial companies and critical infrastructure such as power, water and oil. You will learn: • Traditional military mercenary coup tactics used by the infamous 32 Battalion in Africa, Executive Order and Sandline that can be directly applied to a cyber mercenary regime change. 
• How to architect a cyber coup using advisors, hackers and the general populace, using misinformation, professional agitators, false information and financing. • How to gather intelligence to analyze a government’s systemic weaknesses in financial, societal values and political climates that are leader or country specific to structure your attack. • How to identify and prioritize government resources, infrastructure and commercial companies and how to use these compromised assets to stage the coup. • Combine physical and digital techniques and have the best of both worlds to own a country's infrastructure. • How to manipulate the media using propaganda targeting journalists' flawed multiple "source" rules for a story. • The grand finale of a cyber regime change on a real country from beginning to end using the above techniques with operational footage. Come to this talk and find out how you too can be your own dictator, benevolent or merciless; that part is up to you. Chris Rock, who presented "I will kill you" at DEF CON 23, has been active in the security industry for the last 20 years and is the founder and CEO of Kustodian, a specialized security company that specializes in Security Operations Centres, Penetration testing and independent research. Kustodian is an Australian, Middle East and Hong Kong registered company that has been operational for over 10 years. Chris has also spent 12 years in the banking sector and provides security services around the world for small, medium and large companies. Chris Rock also created SIEMonster, an open source, scalable, free Security Incident and Event Management (SIEM) as a commercial alternative to Splunk, ArcSight and AlienVault. SIEMonster can be run on Amazon AWS or Virtual machines and details can be found on www.siemonster.com Twitter: @_kustodian_
Views: 197353 DEFCONConference
DEF CON 23  -  Panel - DEF CON Comedy Inception
 
01:39:25
This year at DEF CON a former FAIL PANEL panelist attempts to keep the spirit alive by playing moderator. Less poetry, more roasting. A new cast of characters, more lulz, and no rules. Nothing is sacred, not the industry, not the audience, not even each other. Our cast of characters will bring you all sorts of technical fail, ROFLCOPTER to back it up. No waffles, but we have other tricks up our sleeve to punish, er, um, show love to our audience, all while raising money for the EFF and HFC. The FAIL PANEL may be dead, but the “giving” goes on. Speaker Bios: Larry Pesce is a Senior Security Analyst with InGuardians. His recent experience includes providing penetration assessment, architecture review, hardware security assessment, wireless/radio analysis, and policy and procedure development for a wide range of industries including those in the financial, retail, and healthcare verticals. Larry is an accomplished speaker, having presented numerous times at industry conferences, is the co-host of the long running multi-award winning security podcast Paul's Security Weekly, and is a certified instructor with the SANS Institute. Larry is a graduate of Roger Williams University. In his spare time he likes to tinker with all things electronic and wireless. Larry is an amateur radio operator holding his Extra class license and is regularly involved in emergency communications activities. In 1972 a crack commando unit was sent to prison by a military court for a crime they didn't commit. These men promptly escaped from a maximum security stockade.... making the decision to leave Amanda behind. Ms. Berlin is now rumored to have illegitimate children by Saudi Oil barons hidden all over the world in at least 27 countries but this can neither be confirmed nor denied. Amanda Berlin is a Network Security Engineer at Hurricane Labs. She is most well known for being a breaker of hearts, knees, and SJW's. 
Bringing "Jack of All Trades" back to being sexy, she has worked her fingers to the bone securing ISPs, Healthcare facilities, Artificial Insemination factories, and brothels. Amanda managed the internal phishing campaign at a medium size healthcare facility to promote user education about phishing and hacking through an awards based reporting program. She is a lead organizer for CircleCityCon, volunteers at many other conferences, and enjoys writing and teaching others. Twitter: @InfoSystir Chris Blow is a Senior Technical Advisor with Rook Security. His most recent experience includes: penetration testing, social engineering, red team exercises, policy and procedure guidance focused on HIPAA and PCI DSS, developing security awareness programs, performing HIPAA assessments and serving as a Qualified Security Assessor for the Payment Card Industry. @b10w In reality, his primary duties are to be told by various clients that “security is hard” and to just “accept the risk.” He’s also well-versed in being told to keep vulnerable assets and people “out of scope.” Chris is a graduate of Purdue University in West Lafayette, IN. Besides trying to keep up with all-things-InfoSec, Chris enjoys playing guitar, singing, and DJing. Twitter: @b10w illwill is a rogue blackhat as fuck subcontractor for top secret global governments. He spends his off time enjoying bubble baths, recovering from a debilitating injury as infosystir's former bean fluffer and hand carves realistic thrones made from discarded dildos found dumpster diving behind a porn store in Los Angeles. Dan Tentler likes to break things. He's also an expert on failure. Ask him about it. But ask with scotch. Twitter: @viss @chrissistrunk
Views: 17686 DEFCONConference
Defcon 21 - Prowling Peer-to-Peer Botnets After Dark
 
41:28
Tillmann Werner August 1st--4th, 2013 Rio Hotel & Casino • Las Vegas, Nevada
Views: 22910 HackersOnBoard
DEF CON 24 - Joe Grand and Zoz - BSODomizer HD: A mischievous FPGA HDMI platform
 
45:49
At DEF CON 16 in 2008, we released the original BSODomizer (www.bsodomizer.com), an open source VGA pranking tool and introductory hacking platform for the multicore Propeller micro-controller. Hours of productivity were replaced with rage and frustration as unwitting computer users were confronted with fake Blue Screens of Death and revolting ASCII art. But, the world has changed. The machines have risen in capability. HDMI is the graphical transmission protocol of choice and hacking with micro-controllers is standard issue. The as-seen-on-HDTV duo of Joe Grand and Zoz return with the next generation of mischievous hardware, a device that supplants or captures any inline HDMI signal in a discreet, pentest-worthy package. BSODomizer HD is an FPGA-based system that not only improves on the graphics interception and triggering features of its predecessor, but can now capture screenshots of a target system and also provides a fully open design that you can use for your own experiments into the mystical world of massive, customizable arrays of digital logic. We’ll guide you through the process of going from lamer zero to hacker hero with FPGAs, while savagely fucking with a few unfortunate friends along the way! Bio: Joe Grand, also known as Kingpin, is a computer engineer, hardware hacker, former DEF CON badge designer, runner, daddy, honorary doctor, TV host, member of L0pht Heavy Industries, and the proprietor of Grand Idea Studio. Zoz is a robotics engineer, prankster, and renaissance hacker. Other than BSODs, things he enjoys faking include meteorite impacts, crop circles, and alien crash landings.
Views: 21121 DEFCONConference
DEF CON 20 - Alberto Garcia Illera - How to Hack All the Transport Networks of a Country
 
01:22:20
How to Hack All the Transport Networks of a Country Alberto García Illera The presentation is about a real black hat hacking act against the transport network of a country. It can be extrapolated to any other country. We will show how to get full access to the entire transport network: manipulating parameters to get free tickets, getting control of the ticket machines, getting clients' CC dumps, hooking internal processes to get the client info, pivoting between machines, encapsulating all the traffic to bypass the firewalls, etcetera. We will show a lot of photos, videos, source code and presentations of the real environment and the skills used to obtain all the information. We will show how combining social engineering and technical skills can be used as a deadly weapon. Alberto García Illera is a 24 year old passionate about hacking and especially about social engineering. He studied mathematics and computer systems in Spain. He has worked several years as a professional pentester. He has spoken in several seminars teaching hacking techniques to help big companies like Microsoft, the Spanish government or the Spanish Police's Cyberterrorism department. He is currently conducting a study on cryptographic hash functions applied to IT security.
Views: 2043 DEFCONConference
The Cryptographers’ Panel 2018
 
41:14
Moderator: Zulfikar Ramzan, Chief Technology Officer, RSA Ron Rivest, Institute Professor, MIT Adi Shamir, Professor, Computer Science Department, Weizmann Institute of Science, Israel Whitfield Diffie, Cryptographer and Security Expert, Cryptomathic Paul Kocher, Independent Researcher Moxie Marlinspike, Founder, Signal Despite how sophisticated information security has become, it is still a relatively young discipline. The founders of our field continue to be actively engaged in research and innovation. Join us to hear these luminaries engage in an enlightening discussion on the past, present and future of our industry. https://www.rsaconference.com/events/us18/agenda/sessions/11490-The-Cryptographers%E2%80%99-Panel
Views: 6553 RSA Conference
DEFCON 2011/02/05 First impact
 
58:29
Everybody Dies - 6 Players - Result - Russia "111" Asia "96" North America "25" South America "20" Africa "16" Europe "-55"
Views: 188 MISO-SHIRU-MG42
DEF CON 22 - Kenneth White and Matthew Green - The Open Crypto Audit Project
 
51:16
Slides here: https://defcon.org/images/defcon-22/dc-22-presentations/White-Green/DEFCON-22-Kenneth-White-and-Matthew-Green-The-Open-Crypto-Audit-Project-Updated.pdf The Open Crypto Audit Project Kenneth White CO-FOUNDER, OPEN CRYPTO AUDIT PROJECT Matthew Green RESEARCH PROFESSOR, JOHNS HOPKINS UNIVERSITY Join us for the story of the origins and history of the Open Crypto Audit Project (OCAP). OCAP is a community-driven global initiative which grew out of the first comprehensive public audit and cryptanalysis of the widely used encryption software TrueCrypt®. Our charter is to provide technical assistance to free and open source software projects in the public interest. We serve primarily as a coordinator for volunteers and as a funding mechanism for technical experts in security, software engineering, and cryptography. We conduct analysis and research on FOSS and other widely used software, and provide highly specialized technical assistance, analysis and research on free and open source software. This talk will present how we audited TrueCrypt, detailing both the Phase I security assessment and the Phase II cryptanalysis. Looking forward, in light of GotoFail and HeartBleed, we will discuss future plans for our next audit projects of other open source critical infrastructure. Kenneth White is a co-founder of the CBX Group, and formerly principal scientist and senior security R&D engineer at Social & Scientific Systems. His work focuses on cloud security, machine learning, and distributed database architecture. At SSS, White led the Biomedical Informatics team that designed and runs the operations center for the largest clinical trial network in the world, with research centers in over 100 countries. Together with Matthew Green, White co-founded the TrueCrypt audit project, a community-driven initiative to conduct the first comprehensive cryptanalysis and public security audit of the widely used TrueCrypt encryption software. 
White holds an MEd from Harvard and is a PhD candidate in neuroscience and cognitive science, with research focusing on expert systems, real-time classification and machine learning. He is a technical reviewer for the Software Engineering Institute, and publishes and speaks frequently on computational neuroscience, signal processing, and security engineering. Twitter: @kennwhite Matthew D. Green, PhD is a professor of computer science at Johns Hopkins University. He teaches applied cryptography and builds secure systems. Green trained under Susan Hohenberger and Avi Rubin, and his research includes techniques for privacy-enhanced information storage, anonymous payment systems, and bilinear map-based cryptography. Green formerly served as a senior research staff member at AT&T Labs. Together with Kenneth White, he co-founded the TrueCrypt audit project, a community-driven initiative to conduct the first comprehensive cryptanalysis and public security audit of the widely used TrueCrypt encryption software. He blogs at Cryptography Engineering, and talks about cryptography and privacy. Twitter: @matthew_d_green Web: https://opencryptoaudit.org/people
Views: 3432 DEFCONConference
DEFCON: gameplay as South America, or how I nuked the world!
 
34:34
In this video I play a pretty fun and addicting game called DEFCON, which is basically a nuclear war simulator where the aim of the game is to cause as much destruction to the enemy as possible. I ended up having to cut out parts of the video since it wound up being something like an hour long, but I hope you all enjoy this video! Link to the DEFCON website: http://www.introversion.co.uk/defcon/
Views: 355 Toreno
DEFCON 19: Hacking Victims Over Power Lines
 
30:21
Invest in IT Startups with as little as 10$ (or bitcoin) and watch your money grow every second! Withdraw instantly every $1 or 0.01BTC! http://bit.ly/1bQdMOQ
Views: 4313 HackersSecurity
Is DEFCON  1 Coming?
 
06:51
Lt. General Calls for DEFCON One ISIS 9/11 Threat. Here is the latest update for the Atlantic Tropical Cyclone Activity: Cristobal and another tropical wave behind it. http://www.nhc.noaa.gov/ My UNIVERSE Page on Facebook https://www.facebook.com/groups/434702526656542/ If you would like to donate for my work the link is below. Thank You For Your Blessings...J https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=NKSD2EZ2JSNQJ Facebook Group UFO'S & Aliens: https://www.facebook.com/groups/399076126872878/ http://www.redstate.com/2014/08/24/lt-general-calls-defcon-1-isis-911-threat/
Views: 1505 J7409
DEF CON 22 - Robert Rowley - Detecting and Defending Against a Surveillance State
 
43:08
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Rowley/DEFCON-22-Robert-Rowley-Detecting-Defending-Against-Surveillance-State.pdf Detecting and Defending Against a Surveillance State Robert Rowley SECURITY RESEARCHER, TRUSTWAVE SPIDERLABS This talk is based on semi-recent reported leaks that detail how state-actors could be engaging in surveillance against people they deem as 'threats'. I will cover the basics on what was leaked, and focus the talk on how to detect hardware bugs, implanted radio transceivers, firmware injections, cellular network monitoring, etc... No need to bring your tin-foil hats though; the discussion here is a pragmatic approach to how to detect such threats and identify if you have been targeted. No blind faith approaches, or attempts to sell any privacy snake oil, will be found here. Robert is a Security Researcher for Trustwave Spiderlabs and has been an active member of the Southern California hacking scene for over the last 10+ years, co-founding Irvine Underground and recently presenting on many topics including Juice Jacking, Web Application Security and more… I am presenting on a personal passion this time, Privacy.
Views: 24037 DEFCONConference
Defcon 21 - Home Invasion 2.0 - Attacking Network-Controlled Consumer Devices
 
42:52
Daniel "UnicornFurnace" Crowley, Jennifer "SavageJen" Savage, & David "Videoman" Bryan August 1st--4th, 2013 Rio Hotel & Casino • Las Vegas, Nevada
Views: 15792 HackersOnBoard
DEF CON 23 - Marc Rogers and Kevin Mahaffey - How to Hack a Tesla Model S
 
49:49
The Tesla Model S is the most connected car in the world. It might surprise you to hear that it is also one of the most secure. In this talk we will walk you through the architecture of a Tesla Model S, noting things that Tesla got right as well as identifying those that they got wrong. From this talk you will get an intimate understanding of how the many interconnected systems in a Tesla Model S work and, most importantly, how they can be hacked. You will also get a good understanding of the data that this connected car collects and what Tesla does with this telemetry. We will also be releasing a tool that will enable Tesla Model S owners to view and analyse that telemetry in real time. Finally we will also be releasing several 0day vulnerabilities that will allow you to hack a Tesla Model S yourself, both locally and remotely. Note: only one of the 6 vulnerabilities we will discuss and release has been fixed. Disclaimer: With great access comes great responsibility. In other words, we are not responsible for any Tesla Model S bricked by over enthusiastic attendees of this talk :) Speaker Bios: Marc Rogers aka Cyberjunky has been a prominent member of the hacking scene since the 80’s. Some of his most notable achievements are co-founding the notorious British hacker group, “The Agents of a Hostile Power”, and his role in creating and appearing in the award winning BBC TV series “The Real Hustle”. Marc’s professional career spans more than twenty years, including a decade managing security for the UK operator Vodafone. Marc is currently the principal security researcher for web optimization and security company “CloudFlare”. As well as his work in the infosec and telecoms industries, Marc has also been a CISO in South Korea and co-founder of a disruptive Bay Area start-up. Some of Marc’s notable recent hacks include Google Glass, Apple TouchID and most recently the Tesla Model S. 
Kevin is an entrepreneur and technologist with a background in mobile and web technology, security, and privacy. He is the CTO of Lookout, a company dedicated to making the world a safer place as it becomes more connected, starting with smartphones and tablets. He co-founded Lookout in 2007 and is responsible for driving Lookout’s technology to protect people from current and future threats while keeping the product simple and easy to use. He started building software when he was 8 years old and it has been a love affair ever since. Kevin is a frequent speaker on security, privacy, mobile, and other topics.
Views: 62913 DEFCONConference
Defcon 10 - Wolves Among Us (1 of 7)
 
10:00
GOBBLES Security members will be giving a presentation called "Wolves Among Us", which will discuss the evil motivations of certain members and organizations of the security industry, the big companies that are underqualified for security and yet reap such incredible revenue for their services, the way the media is uninformed and further intentionally writes incorrect information concerning hackers, and more. Concrete examples will be cited, and then discussion on the greater ramifications of those examples will be held. GOBBLES Security -- currently the largest active nonprofit security group in existence (that favors full disclosure). GOBBLES Security consists of 17+ members, ranging from the age of 15 to 28. Unlike some groups that make this claim, GOBBLES actually publishes advisories for the sake of security, and not as an opportunity to get some political vendetta aired -- and also publishes advisories at a rate greater than one every three years. Defcon 10 was August 2-4, 2002 in Las Vegas, Nevada
Views: 6283 GBPPR2
DefCon Day 1 Video - DefCon Badge with LED
 
00:13
The 2012 DefCon Badge
Views: 790 Infosec
DEF CON 23 - Bruce Potter - A Hacker's Guide to Risk
 
53:30
When the latest and greatest vulnerability is announced, the media and PR frenzy can be dizzying. However, when the dust settles, how do we actually measure the risk represented by a given vulnerability? When pen testers find holes in an organization, is it really “ZOMG, you’re SO 0WNED!” or is it something more manageable and controlled? When you’re attempting to convince the boss of the necessity of the latest security technology, how do you really rank the importance of the technology against the threats facing the organization? Understanding risk can be tricky, especially in an industry that often works on gut feelings and values quantity over quality. But risk and risk management don’t need to be complicated. With a few basic formulas and access to some simple models, understanding risk can be a straightforward process. This talk will discuss risk, why it's important, and the poor job the hacker community has done when it comes to properly assessing risk. It will also touch on some existing risk assessment and management systems, as well as provide worked examples of real world vulnerabilities and systems and the risks they pose. Finally, this talk will examine some practical guidance on how you, as hackers, security researchers, and security practitioners, can better measure risk in your day to day life. Speaker bio: Bruce Potter is the founder of The Shmoo Group, one of the organizers of ShmooCon, and a director at KEYW Corporation. Bruce's lack of degrees and certifications hasn't stopped him from discussing infosec in numerous articles, books, and presentations. Bruce has been in the computer security field for nearly 2 decades which means he is getting old and increasingly jaded. His primary focus areas are trusted computing, cyber security risk management (yikes!), and large scale vulnerability analysis. Bruce believes that while attackers have the upper hand, we can still do better with the tools we have than most people realize. 
Bruce also believes in using fake names when ordering coffee but occasionally uses his real name to throw people off his scent. Twitter: @gdead
Views: 20575 DEFCONConference
DEFCON 16: Satan is on my Friends list: Attacking Social Networks
 
49:44
Speakers: Nathan Hamiel, Senior Consultant, Idea Information Security Shawn Moyer, CTO, Agura Digital Security Social Networking is shaping up to be the perfect storm... An implicit trust of those in one's network or social circle, a willingness to share information, little or no validation of identity, the ability to run arbitrary code (in the case of user-created apps) with minimal review, and a tag soup of client-side user-generated HTML (Hello? MySpace? 1998 called. It wants its markup vulns back). Yikes. But enough about pwning the kid from homeroom who copied your calc homework. With the rise of business social networking sites, there are now thousands of public profiles with real names and titles of people working for major banks, the defense and aerospace industry, federal agencies, the US Senate... A target-rich and trusting environment for custom-tailored, laser-focused attacks. Our talk will show the results of a series of public experiments aimed at pointing out the security and privacy ramifications of everyone's increasingly open, increasingly connected online personae and the interesting new attack vectors they've created. Plus, we get to have some fun violating scads of EULAs, AUPs, and Terms of Service along the way. K. THX FOR THE ADD!!1! YOU RAWK. For more information visit: http://bit.ly/defcon16_information To download the video visit: http://bit.ly/defcon16_videos
Views: 2060 Christiaan008
NSA Whistle-Blower Tells All: The Program | Op-Docs | The New York Times
 
08:28
The filmmaker Laura Poitras profiles William Binney, a 32-year veteran of the National Security Agency who helped design a top-secret program he says is broadly collecting Americans' personal data. Subscribe to the Times Video newsletter for free and get a handpicked selection of the best videos from The New York Times every week: http://bit.ly/timesvideonewsletter Subscribe on YouTube: http://bit.ly/U8Ys7n Watch more videos at: http://nytimes.com/video --------------------------------------------------------------- Want more from The New York Times? Twitter: https://twitter.com/nytvideo Facebook: https://www.facebook.com/nytimes Google+: https://plus.google.com/+nytimes/ Whether it's reporting on conflicts abroad and political divisions at home, or covering the latest style trends and scientific developments, New York Times video journalists provide a revealing and unforgettable view of the world. It's all the news that's fit to watch. On YouTube. NSA Whistle-Blower Tells All: The Program | Op-Docs | The New York Times http://www.youtube.com/user/TheNewYorkTimes
Views: 221660 The New York Times
DEF CON 21 - Mudge - Unexpected Stories From a Hacker Inside the Government
 
52:09
Unexpected Stories From a Hacker Who Made it Inside the Government by Peiter Mudge Zatko Having had the opportunity to see things from within the hacker community and from a senior position in the DoD, Mudge has some enlightening stories to share, and is picking some of his favorites. He'll discuss Julian's story to him about US government involvement in the origins of Wikileaks, how the DoD accidentally caused Anonymous to target government systems, some of the ways in which the defense industrial base's poor security works financially in its favor, and cases where the government missed opportunities for positive outreach and understanding with this community. You'll probably recognize parts of these stories from the news, but there are origins and back stories that are lesser known, and that should make for a good story time.
Views: 50642 DEFCONConference
DEFCON 20 Documentary Sub Esp
 
01:50:59
DEFCON is the world's largest hacking conference, held in Las Vegas, Nevada. In 2012 it was held for the 20th time. The conference has strict no-filming policies, but for DEFCON 20, a documentary crew was allowed full access to the event. The film follows the four days of the conference, the events and people (attendees and staff), and covers history and philosophy behind DEFCON's success and unique experience.
Views: 10403 m10
[DEFCON 20] Owning Bad Guys {And Mafia} With Javascript Botnets
 
39:36
Owning Bad Guys {And Mafia} With Javascript Botnets Chema Alonso - Security Researcher, Informatica64 Manu "The Sur" - Penetration Tester, Informatica64 Man in the middle attacks are still one of the most powerful techniques for owning machines. In this talk MITM schemas in anonymous services are going to be discussed. Then attendees will see how easily a botnet using javascript can be created to analyze that kind of connections and some of the actions people behind those services are doing... for real. It promises to be funny. Chema Alonso is a Security researcher with Informatica64, a Madrid-based security firm. Chema holds respective Computer Science and System Engineering degrees from Rey Juan Carlos University and Universidad Politècnica de Madrid. During his more than eight years as a security professional, he has consistently been recognized as a Microsoft Most Valuable Professional (MVP). Chema is a frequent speaker at industry events (Microsoft Technet / Security Tour, AseguraIT) and has been invited to present at information security conferences worldwide including Yahoo! Security Week, Black Hat Briefings, ShmooCON, DeepSec, HackCON, Ekoparty and RootedCon. He is a frequent contributor to several technical magazines in Spain, where he is involved with state-of-the-art attack and defense mechanisms, web security, general ethical hacking techniques and FOCA. Twitter: @chemaalonso http://www.elladodelmal.com www.informatica64.com Manu has been working in all security areas since he got into Informatica64. He is a security pentester, a developer coding in projects like FOCA and a very good security researcher in areas such as Connection String Parameter Pollution Attacks or malware. He has the honor of being the man behind some of the most powerful "C# spaghetti lines" of FOCA.
Panel - DEF CON Comedy Jam Part VII, Is This The One With The Whales?
 
01:48:07
Slides Here: https://defcon.org/images/defcon-22/dc-22-presentations/Mortman/DEFCON-22-Fail-Panel-Defcon-Comedy-Jam-VII.pdf

DEF CON Comedy Jam Part VII, Is This The One With The Whales?

David Mortman @MORTMAN
Rich Mogull @RMOGULL
Chris Hoff @BEAKER
Dave Maynor @ERRATADAVE
Larry Pesce @HAXORTHEMATRIX
James Arlen @MYRCURIAL
Rob Graham @ERRATAROB
Alex Rothman Shostack @ARS_INFOSECTICA

Weeeeeeeeee're baaaaaack. Bring out your FAIL. It's the most talked about panel at DEF CON! A standing room only event with a wait list at the door. Nothing is sacred, not the industry, not the audience, not even each other. Last year we raised over $2000 for the EFF and over $5000 over the last 5 years; let's see how much we can raise this year....

David Mortman is the Chief Security Architect and Distinguished Engineer at Dell Enstratius and is a Contributing Analyst at Securosis. Before enStratus, he ran operations and security for C3. Formerly the Chief Information Security Officer for Siebel Systems, Inc., Mr. Mortman was previously Manager of IT Security at Network Associates. Mr. Mortman has also been a regular panelist and speaker at RSA, Blackhat, DEF CON and BruCon as well. Mr. Mortman sits on a variety of advisory boards including Qualys, Lookout and Virtuosi. He holds a BS in Chemistry from the University of Chicago. David writes for Securosis, Emergent Chaos and the New School blogs.

James Arlen, CISA, is a senior consultant at Leviathan Security Group providing security consulting services to the utility, healthcare and financial verticals. He has been involved with implementing a practical level of information security in Fortune 500, TSE 100, and major public-sector corporations for over 20 years. James is also a contributing analyst with Securosis, faculty at IANS and a contributor to the Liquidmatrix Security Digest. Best described as: "Infosec geek, hacker, social activist, author, speaker, and parent." His areas of interest include organizational change, social engineering, blinky lights and shiny things.

Larry is a Senior Security Analyst with InGuardians performing penetration testing, wireless assessments, and hardware hacking. He also diverts a significant portion of his attention to co-hosting the Paul's Security Weekly podcast and likes to tinker with all things electronic and wireless, much to the disappointment of his family, friends, warranties, and his second Leatherman Multi-tool. Larry is an Extra Class Amateur Radio operator (KB1TNF) and enjoys developing hardware and real-world challenges for the Mid-Atlantic Collegiate Cyber Defense Challenge.
Blockchain World Conference - Largest Crypto Event of the Year
 
02:46
The Blockchain World Conference, which will be the largest and most anticipated Blockchain and Crypto Conference EVER HELD... is coming to Atlantic City this July 11-13, and here's why you won't want to miss it! The Blockchain World Conference will be setting the stage for all future crypto events by pulling out ALL the stops and will be leaving no coin unturned. We will be setting the bar extremely high for all future BlockChain gatherings. Absolutely EVERYONE who is ANYONE in BlockChain is going to be there! Never before has a major conference been held in a premier venue like Harrahs Casino Resort and Spa in Atlantic City, NJ.

The BWC will feature keynote speakers Dr. Patrick Byrne, John McAfee & Neil Patel. More than 8000 attendees, the majority of which are accredited investors, will be there! The BWC will be Live Streamed to 25,000 Global Live Stream Viewers! The 120,000 Square Foot, State of the art convention center is connected directly to Harrah's Hotel. With more than 200 Speakers, 150 exhibitors and 180 ICO's and Coins represented, this event will absolutely Change The Game! All aspects of this event will be held under ONE roof, allowing for intense networking. The BWC is brought to you by the same management team that has been producing DEFCON for nearly 20 years. The SEC will host a Town Hall Meeting to address compliance concerns. The BWC will feature the first EVER BlockChain Industry Achievement Awards Gala, hosted by Adrien Ashley and Crypto Party. The BWC will feature World Class VIP parties and Themed Suite Parties. Over 150 Exhibitors will Showcase the Best in the Business. Premier nightlife at Harrahs Pool after dark featuring multiple DJ Performances and special celebrity guests with top shelf open bar for VIP's. First Annual Discounted Crypto Golf Outing at the famous Atlantic City Country Club.

The BWC will bring more Crypto Influencers and Millionaires under one roof than ever before: dining at the same 5-star restaurants, going to the same spa, gambling at the same poker tables, and sharing cocktails in the same nightclubs. For the first time in history, every attendee will be given an Ether Wallet and shown how to purchase cryptocurrency. One lucky attendee will receive more than $50,000 worth of Crypto! Don't Miss This Once In a Lifetime opportunity! The BWC WILL Bring Legitimacy to Blockchain. This WILL Unite the Broken Links of Blockchain. Act now and save BIG! This event WILL be completely sold out soon.