Social Network For Security Executives: Help Make Right Cyber Security Decisions
DEFCON 2018, 26th Def-Con Hacking Conference is much awaited event on Computer, Information Technology, Cyber Security, Software, Hacking topics.
Our editorial team has handpicked the best of the best talks at DEF CON 26 -is one of the world's largest hacker conventions, held annually in Las Vegas, Nevada. Following is the list of top talks on Hacking at DEF CON 26.
DEFCON 2018, 26th Def-Con Hacking Conference is among one of the most main event on Computer, Information Technology, Cyber Security, Software, Hacking and Hack topics.
(Source: DEF CON 26)
Douglas McKee, Senior Security Researcher for the McAfee Advanced Threat Research team
This presentation will include a technical dissection of the security issues inherent in this relatively unknown protocol. It will describe real-world attack scenarios and demonstrate the ability to modify the communications in-transit to directly influence the receiving devices. We will also explore the general lack of security mitigations in the medical devices field, the risks they pose, and techniques to address them. The talk will conclude with a demonstration using actual medical device hardware and a live modification of a patient's critical data.
Eric Sesterhenn, Principal Security Consultant at X41, D-Sec GmbH
Smartcards are secure and trustworthy. This is the idea smartcard driver developers have in mind when developing drivers and smartcard software. The work presented in this talk not only challenges, but crushes this assumption by attacking smartcard drivers using malicious smartcards.
ldionmarcil, Pentester at GoSecure
Martin Vigo, Hacker
In this talk I will cover voicemail systems, it's security and how we can use oldskool techniques and new ones on top of current technology to compromise them. I will discuss the broader impact of gaining unauthorized access to voicemail systems today and introduce a new tool that automates the process.
Nafeez, Security Researcher
Compression oracle attacks are not limited to just TLS protected data. In this talk, we try these attacks on browser requests and responses which usually tunnel their HTTP traffic through VPNs. We also show a case study with a well-known VPN server and their plethora of clients. We then go into practical defenses and how mitigations in HTTP/2's HPACK and other mitigation techniques are the way forward rather than claiming 'Thou shall not compress traffic at all.' One of the things that we would like to showcase is how impedance mismatches in these different layers of technologies affect security and how they don't play well together.
Sanat Sharma, Hacker
Since this a 20 mins talk, attendees should be aware of basic heap exploitation techniques, like fastbin attacks and unsorted bin attacks, and have a general idea of how the ptmalloc2 algorithm works. As a bonus, I also discuss how to land a fastbin chunk in memory regions with no size alignment (like __free_hook ).
This presentation shows how a S9 interface in 4G networks, which is used for charging related user information exchange between operators can be exploited to perform fraud attacks. A demonstration with technical details will be given and guidance on practical countermeasures.
singe, CTO @ SensePost
After years of using mana in many security assessments, we've realised rogue AP'ing and MitM'ing is no simple affair. This extended talk will provide an overview of mana, the new capabilities and features, and walk attendees through three scenarios and their nuances:
Intercepting corporate credentials at association (PEAP/EAP-GTC), Targeting one or more devices for MitM & collecting credentials "Snoopy" style geolocation & randomised MAC deanonymization. As a bonus, you'll be able to download a training environment to practise all of this without requiring any wifi hardware (or breaking any laws).
The Tarquin, Senior Security Engineer, Amazon.com
This talk discusses the use of homographs to attack machine learning systems, to submit malicious software patches, and to craft cryptographic canary traps and leak repudiation mechanisms. It then introduces a generalized defense strategy that should work against homograph attacks in any context.
Thiago Alves, Ph.D. Student and Graduate Research Assistant at the University of Alabama in Huntsville
During this presentation I will talk about the architecture of a PLC and how it can be p0wned. There will be some live demonstration attacks against 3 different brands of PLCs (if the demo demons allow it, if not I will just show a video). Additionally, I will demonstrate two vulnerabilities I recently discovered, affecting the Rockwell MicroLogix 1400 series and the Schneider Modicon M221 controllers.
Vincent Tan, Senior Security Consultant, MWR InfoSecurity
This talk will explore the ever growing ride sharing economy and look at how the BLE "Smart" locks on shared bicycles work. The entire solution will be deconstructed and examined, from the mobile application to its supporting web services and finally communications with the lock. We will look at how to go about analysing communications between a mobile device and the lock, what works, what doesn't.
In this talk, we will review the results from our ongoing large scale quantitative analysis over past and current domains and certificates. We'll explore the massive scale of the problem, what we can do about it, how you can protect yourself, and a proposed process change to make this less of a problem going forwards.
We end by introducing BygoneSSL, a new tool and dashboard that shows an up to date view of affected domains and certificates using publicly available DNS data and Certificate Transparency logs. BygoneSSL will demonstrate how widespread the issue is, let domain owners determine if they could be affected, and can be used to track the number of affected domains over time.
In this talk, we discuss about how could we have impersonated hundreds of people by breaking their PGP keys, mimicked thousands of servers thanks to their factored SSH keys and performed MitM attacks on over 200k websites relying on vulnerable X509 certificates.
In the end, we were able to do this in an entirely passive way. Going further is possible, but it would lead us to the dark side. Would big brother hesitate to go there?
Orange Tsai, Security Researcher from DEVCORE
Get your FREE Guide on Top Talks @ DEF CON 26 . Our editorial team has gone through all the talks and handpicked the best of the best talks at DEF CON into a single guide. Get your Free copy today.