Friday

Registration desk times:
Tues: 7-10 pm | Weds: 7-10 am; 3-8 pm | Thurs: 4-10 pm | Fri: 7-11 am; 12-3 pm; 5-7 pm | Sat: 8-11 am

Track 1 - Break Me
Opening Ceremonies - DerbyCon Team
8:30 am - 8:55 am

Matt Graeber - Subverting Trust in Windows - A Case Study of the "How" and "Why" of Engaging in Security Research
9:00 am - 9:50 am

Since his first InfoSec talk given at DerbyCon 3, Matt has made a reputation for himself demonstrating how otherwise trusted software and technology can be abused by attackers – referred to as the "living off the land" methodology. As a former malware reverse engineer, Matt has seen the extent to which attackers succeed in executing code that has no business being trusted. As such, despite regularly finding bypasses, Matt is a zealous supporter of application whitelisting as a means of preventing a majority of attacks (both opportunistic and targeted), enabling defenders to focus their detections on more capable adversaries who manage to slip silently through the cracks. Matt is very much fascinated by the concept of trust, what it means to people, and how assumptions of trust can be subverted.

John Strand - I had my mom break into a prison, then we had pie.
10:00 am - 10:50 am

In this talk we will cover math, social engineering, breaking AV, open source software, Artificial Intelligence, not giving up and cancer.

Lunch
11:00 am - 11:50 am

Chris Hadnagy - So you want to be a Social Engineer
12:00 pm - 12:50 pm

One of the most asked questions we get at all of our Social-Engineer sites is "How can I become a social engineer?" This talk will walk through the path I took to become a professional social engineer and what anyone desiring to enter this field should do. I will blend it with stories of my failures and successes to round out expectations when trying to take this passion and make it a business.

Chris is known for asking about ~1000 questions about setting up his DerbyCon SE Village. He wants you to know that he loves the organizers and DerbyCon as much as his children.

@humanhacker

Andy Robbins, Will Schroeder, Rohan Vazarkar - Here Be Dragons: The Unexplored Land of Active Directory ACLs
1:00 pm - 1:50 pm

"During internal penetration tests and red team assessments, Active Directory remains a key arena for gaining initial access, performing lateral movement, escalating rights, and accessing/exfiltrating sensitive data. Over the years, a completely untapped landscape has existed just below the surface in the form of Active Directory object control relationships. Organizational staff come and go, applications deploy and alter Access Control Entries (ACEs), eventually creating an entire ecosystem of policy exceptions and forgotten privileges. Historically, Access Control Lists (ACLs) have been notoriously difficult and frustrating to analyze both defensively and offensively, something we hope to change. In this talk, we will clearly define the Active Directory ACL attack taxonomy, demonstrate analysis using BloodHound, and explain how to abuse misconfigured ACEs with several new PowerView cmdlets. We will cover real world examples of ACL-only attack paths we have identified on real assessments, discuss opsec considerations associated with these attacks, and provide statistics regarding the immense number of attack paths that open up once you introduce object control relations in the BloodHound attack graph (spoiler alert: it's a LOT). We hope you will leave this talk inspired and ready to add ACL-based attacks to your arsenal, and to defensively audit ACLs at scale in your AD domain."

Andrew Robbins (@_wald0) is the Adversary Resilience lead at Specter Ops. Andy is an active Red Teamer and co-author of BloodHound, a tool designed to reveal the hidden and unintended permission relationships in Active Directory domains. He has performed numerous offensive engagements against banks, credit unions, health-care providers, defense companies, and other Fortune 500 companies across the world. He has presented at BlackHat, DEF CON, BSides Las Vegas, DerbyCon, ekoparty, and actively researches Active Directory security. He is also a veteran Black Hat trainer. Will Schroeder (@harmj0y) is an offensive engineer and red teamer for Specter Ops. He is a co-founder of Empire/Empyre, BloodHound, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has spoken at a number of security conferences including ShmooCon, DerbyCon, Troopers, DEF CON, BlueHat Israel, and more on topics ranging from domain trust abuse to advanced offensive tradecraft with PowerShell. Rohan Vazarkar (@CptJesus) is a senior operator and developer for Specter Ops. He has spoken at numerous security conferences including DEF CON, BlackHat, SANS Hackfest, and more. Rohan has led and supported operations against Fortune 500 companies, federal agencies and clients in the financial, defense, and health-care sectors. He is the co-author of the BloodHound analysis platform and has contributed to other open source projects such as Empire and EyeWitness.

Andy - @_wald0
Will - @harmj0y
Rohan - @CptJesus

John Cramb (ceyx) & Josh Schwartz (FuzzyNop) - TBD
2:00 pm - 2:50 pm

TBD

FuzzyNop and ceyx were both raised by computerized wolves with a penchant for fine art and rum based cocktails. While technically from different mothers and also sides of the world, they formed the first cyber wolf brothership shell-bent to ameliorate the state of targeted malware implants to support the ongoing war against the institutionalized mediocrity of the corporate shadow government. Working in tandem with dolphin researchers funded by the oligarch llamas they have found a way to synthesize powdered ethanol into mechanical pony fuel.

John Cramb - @ceyxiest
Josh Schwartz - @fuzzynop

Daniel Bohannon - Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niques') -Join'')
3:00 pm - 3:50 pm

"Attackers, administrators and many legitimate products rely on PowerShell for their core functionality. However, its power has made it increasingly attractive for attackers and commodity malware authors alike. How do you separate the good from the bad?

A/V signatures applied to command line arguments work sometimes. AMSI-based (Anti-malware Scan Interface) detection performs significantly better. But obfuscation and evasion techniques like Invoke-Obfuscation can and do bypass both approaches.

Revoke-Obfuscation is a framework that transforms evasion into a treacherous deceit. By applying a suite of unique statistical analysis techniques against PowerShell scripts and their structures, what was once a cloak of invisibility is now a spotlight. It works with .evtx files, command lines, scripts, ScriptBlock logs, Module logs, and is easy to extend.

Approaches for evading these detection techniques will be discussed and demonstrated.

Revoke-Obfuscation has been used in numerous Mandiant investigations to successfully identify obfuscated and non-obfuscated malicious PowerShell scripts and commands. It also detects all obfuscation techniques in Invoke-Obfuscation, including two new techniques being released with this presentation."

Daniel Bohannon is a Senior Incident Response Consultant at MANDIANT with over seven years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. He is the author of Invoke-Obfuscation, Invoke-CradleCrafter and Revoke-Obfuscation PowerShell frameworks.

@danielhbohannon

Ryan Cobb - PSAmsi - An offensive PowerShell module for interacting with the Anti-Malware Scan Interface in Windows 10
4:00 pm - 4:50 pm

"As use of "fileless" malware using PowerShell to stay in memory and evade traditional AV file scanning techniques has increased, Microsoft introduced the AMSI protocol in Windows 10 to allow AV vendors to scan scripts executing in memory and prevent execution.

With these newer in memory AV techniques, attackers need tools to help avoid AV detection of their scripts in memory. PSAmsi uses PowerShell reflection to load Windows AMSI functions into memory, allowing an attacker to interact directly with the interface.

We will discuss (and demo!) several use cases built into PSAmsi (offensive and defensive) for interacting with the AMSI, including using PSAmsi to automatically, minimally obfuscate scripts to simultaneously defeat both AMSI signatures and obfuscation detection techniques."

Ryan Cobb is a pentester and consultant at Protiviti. He actively develops open source security tools, including ObfuscatedEmpire and PSAmsi.

@cobbr_io

Lee Christensen, Matt Nelson, Will Schroeder - An ACE in the Hole: Stealthy Host Persistence via Security Descriptors
5:00 pm - 5:55 pm

"Attackers and information security professionals are increasingly looking at security descriptors and their ACLs, but most previous work has focused on escalation opportunities based on ACL implementation flaws and misconfigurations. However, the nefarious use of security descriptors as a persistence mechanism is rarely mentioned. Just like with Active Directory ACLs, it's often difficult to determine whether a specific security descriptor was set intentionally by an IT administrator, intentionally set by an attacker, or inadvertently set by an IT administrator via a third-party installation program. This uncertainty decreases the likelihood of attackers being discovered, granting attackers a great opportunity to persist on a host and in a network.

We’ll dive deep into ACLs/DACLs/SACLs/ACEs/Security Descriptors and more, giving you the background to grasp the capabilities we’re talking about. Then we’ll dive into several case studies that demonstrate how attackers can use securable object takeover primitives to maliciously backdoor host-based security descriptors for the purposes of persistence, including “gold image” backdooring, subverting DCOM application permissions, and more. We’ll conclude with an exhaustive overview of the deployment and detections of host-based security descriptor backdoors. All along the way we’ll be releasing new tooling to enumerate, exploit, and analyze host-based security descriptors."

Lee Christensen (@tifkin_) is a red team operator, threat hunter, and capability engineer for SpecterOps. Lee has performed red team and hunt engagements against Fortune 500 companies for 5 years, and has trained information security professionals about offensive/defensive tactics at events throughout the world, including Black Hat USA/Europe/Asia. Lee is the author of several offensive tools and techniques, including UnmanagedPowerShell (derivatives now incorporated into the Metasploit, Empire, and Cobalt Strike toolsets) and is a co-author of KeeThief. Matt Nelson (@enigma0x3) is a red teamer and security researcher for SpecterOps. Matt has a passion for offensive PowerShell, is an active developer on the PowerShell Empire project, and helps build offensive toolsets to facilitate red team engagements. He has published research on a number of novel UAC bypasses and holds CVEs for his Device Guard bypass research. Will Schroeder (@harmj0y) is an offensive engineer and red teamer for SpecterOps. He is a co-founder of Empire/Empyre, BloodHound, KeeThief, and the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a Microsoft PowerShell MVP. He has presented at a number of conferences, including DEF CON, Black Hat, DerbyCon, Troopers, BlueHat Israel, and various Security BSides.

Lee - @tifkin_
Matt - @enigma0x3
Will - @harmj0y

Dr. Jared DeMott - War Stories on Embedded Security: Pentesting, IoT, Building Managers, and how to do Better
6:00 pm - 6:55 pm

If security were easy, we’d have solved it 20 years ago. Unfortunately for complex networks and systems, we need the basics and more: developer training, correct implementation, cross-training, proper deployment, event monitoring, secure updates, and response planning. It’s a tall order. But with the right partners, it’s possible. Come be entertained and encouraged by Dr. DeMott as he shows some epic fails - that could have been wins.

Dr. DeMott is former NSA and Microsoft BlueHat Prize winner. He’s frequently quoted in media, and invited to speak. He’s the founder of Vulnerability Discovery & Analysis (VDA) Labs. You'll find fingerprints of VDA across the InfoSec community: fuzzing, code auditing, exploitation, incident response, malware analysis, pentests, threat intelligence, and security training. When DeMott isn’t leading a project, or bypassing a security control, he’s enjoying time with his family outdoors.

@jareddemott

Waylon Grange - Digital Vengeance: Exploiting the Most Notorious C&C Toolkits
7:00 pm - 7:55 pm

"Every year thousands of organizations are compromised by targeted attacks. In many cases the attacks are labeled as advanced and persistent which suggests a high level of sophistication in the attack and tools used. Many times, this title is leveraged as an excuse that the events were inevitable or irresistible, as if the assailants’ skill set is well beyond what defenders are capable of. To the contrary, often these assailants are not as untouchable as many would believe.
If one looks at the many APT reports that have been released over the years some clear patterns start to emerge. A small number of Remote Administration Tools are preferred by actors and reused across multiple campaigns. Frequently cited tools include Gh0st RAT, Plug-X, and XtremeRAT among others. Upon examination, the command and control components of these notorious RATs are riddled with vulnerabilities. Vulnerabilities that can be exploited to turn the tables from hunter to hunted.
The presentation will present several exploits that could allow remote execution or remote information disclosure on computers running these well-known C&C components. It should serve as a warning to those actors who utilize such toolsets. That is to say, such actors live in glass houses and should stop throwing stones."

Waylon Grange is an experienced reverse engineer, developer, and digital forensics examiner. He holds a graduate degree in Information Security from Johns Hopkins University, and has worked numerous computer incident investigations spanning the globe. He currently works as a Senior Threat Researcher for Symantec and previously worked for the Department of Defense performing vulnerability research, software development, and Computer Network Operations.

@professor__plum

Open
7:00 pm - 7:55 pm

Track 2 - Fix Me

Ed Skoudis - Further Adventures in Smart Home Automation: Honey, Please Don’t Burn Down Your Office
12:00 pm - 12:50 pm

In the last 12 months, Ed Skoudis has been on a tear adding new automation features to his office. Some are practical, others are whimsical and weird. All of them provided valuable learning opportunities that Ed would love to share. This talk will describe some of the new technologies he’s been experimenting with and the lessons he’s learned, including:

- Alexa versus Siri: Development tips for each environment and how to make them work together
- Amazon Voice Services: High-quality, real-time, cloud-based voice synthesis for free
- The Raspberry Pi Zero as a development platform
- The Intel NUC as a development platform
- Integrating animatronic toys into your ecosystem: How creepy is too creepy?
- Do’s and don’ts of home Tesla coils, Geissler tubes, and other high-voltage apparatus
- Tips for keeping your mind fresh with new dev projects
- Security implications of all of this stuff
- Where is this all headed? When does Skynet reveal its big plan?

This lively talk will cover a lot of ground, but also include specific, practical advice for keeping your technical skills sharp while having fun.

Bio: Ed Skoudis is the founder of Counter Hack, an innovative organization that designs, builds, and operates popular infosec challenges and simulations including CyberCity, NetWars, Cyber Quests, and Cyber Foundations. As director of the CyberCity project, Ed oversees the development of missions which help train cyber warriors in how to defend the kinetic assets of a physical, miniaturized city. Ed's expertise includes hacker attacks and defenses, incident response, and malware analysis, with over fifteen years of experience in information security. Ed authored and regularly teaches the SANS courses on network penetration testing (Security 560) and incident response (Security 504), helping over three thousand information security professionals each year improve their skills and abilities to defend their networks. He has performed numerous security assessments; conducted exhaustive anti-virus, anti-spyware, Virtual Machine, and IPS research; and responded to computer attacks for clients in government, military, financial, high technology, healthcare, and other industries. Previously, Ed served as a security consultant with InGuardians, International Network Services (INS), Global Integrity, Predictive Systems, SAIC, and Bell Communications Research (Bellcore). Ed also blogs about command line tips and penetration testing.

Josh Rickard - Securing Windows with Group Policy
1:00 pm - 1:50 pm

"Group Policy exists in almost every modern business environment. Many organizations either do not use it or do not use it as extensively as they should. We all face problems with securing our environment, but most do not realize they have the perfect tool to lock down and protect their organization.

Do you understand Group Policy processing? Did you know you can manage both Active Directory groups and user rights? What about Logging, running Scheduled Tasks? Lastly, why do all your Administrative accounts have extra permissions like Debug Programs?

Remember, Group Policy is basically a larger Enterprise scale registry editor."

Josh's primary focus is in Windows security and PowerShell automation. He is a GIAC Certified Windows Security Administrator (GCWN) and GIAC Certified Forensic Analyst (GCFA).

@MS_dministrator

Lee Holmes - Defending against PowerShell Attacks
2:00 pm - 2:50 pm

"The security industry is ablaze with news about how PowerShell is being used by both commodity malware and attackers alike. Surely there’s got to be a way to defend yourself against these attacks!

In this presentation, we’ll dive deep into exactly how: from JEA-based operational controls, to the crazy advanced logging, auditing, and post-processing capabilities possible with PowerShell.

Come learn why the smart red teams are beginning to abandon PowerShell as an attack platform."

Lee Holmes is the lead security architect of Microsoft's Azure Management group, covering Azure Stack, System Center, and Operations Management Suite. He is author of the Windows PowerShell Cookbook, and an original member of the PowerShell development team.

@Lee_Holmes

Beau Bullock, Brian Fehrman, Derek Banks - CredDefense Toolkit
3:00 pm - 3:50 pm

Pentesting organizations as your day-to-day job quickly reveals commonalities among environments. Although each test is a bit unique, there are typical paths to "winning" that present themselves over and over. Expensive, difficult to configure, and cumbersome to maintain tools exist to help prevent and alert on some of these attacks. Wouldn't it be great if there was an open-source solution available that was just the opposite of that? Well here it is! A defense and alerting toolkit from the perspective of pentesters.

Beau, Brian, and Derek are all Security Analysts and Researchers for Black Hills Information Security. Among other duties, the three provide pentesting for organizations that span the spectrum of retail, financial, and government. When not pentesting, the group works together to create open-source tools to give back to the community.

beau - @dafthack
brian - @fullmetalcache
derek - @0xderuke

Christopher Payne - Steel Sharpens Steel: Using Red Teams to improve Blue Teams
4:00 pm - 4:50 pm

Understanding, anticipating, and identifying the wide array of evolving threats facing organizations today requires well-developed skills, experience, and analytical prowess. Table top exercises and expensive training courses can only get you so far. There is no better training method than creating real world quality adversarial sparring within the control of your own enterprise. Current Incident Response programs can integrate Red team exercises to simulate an adversary’s mindset and tactics, techniques, and procedures (TTPs) to mature processes, validate system protections and enhance the skills of staff. Adaptive red team exercises create a cycle of rapid improvement in both detection and response within today’s Blue Team programs. We will discuss real world examples to find deficiencies in staff skills, processes, and technologies, along with the metrics and data to back it up.

Christopher Payne is a Senior Director of Cyber Security at Target. In his role, Chris has responsibility for Incident Response, Compliance Monitoring, Adversary Simulation, and Cyber Hunting across the Target enterprise. In addition, Chris founded the annual cyber security conferences GrrCON & BrrCon. Chris is an international speaker on information security topics and has been featured by multiple television, radio, internet and print organizations.

@EggDropX

Eric Conrad - Introducing DeepBlueCLI v2, now available in PowerShell and Python
5:00 pm - 5:55 pm

"Recent malware attacks leverage PowerShell for post exploitation. Why? No EXE for antivirus or HIPS to squash, nothing saved to the filesystem, sites that use application whitelisting allow PowerShell, and little to no default logging.

Event logs continue to be the best source to centrally hunt malice in a Windows environment. Virtually all malware may be detected (including the latest PowerShell-fueled post exploitation) via event logs, after making small tweaks to the logging configuration. DeepBlueCLI will go toe-to-toe with the latest attacks: this talk will explore the evidence malware leaves behind, leveraging Windows command line auditing (now natively available in Windows 7+) and PowerShell logging.

DeepBlueCLI is an open source framework that automatically parses Windows event logs, either on Windows (PowerShell version) or now on ELK (Elasticsearch, Logstash and Kibana) running on Linux/Unix (Python version). ELK has revolutionized SIEMs, offering an open source alternative to expensive commercial solutions, and scaling to sizes many commercial SIEMs cannot reach."

Eric's career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and health care. He is now CTO of Backshore Communications, a company focusing on hunt teaming, intrusion detection, incident handling, and penetration testing. He is the lead author of the CISSP Study Guide. Eric is a graduate of the SANS Technology Institute with a master of science degree in information security engineering. In addition to the CISSP, he holds the prestigious GIAC Security Expert (GSE) certification as well as many other GIAC certifications. Eric also blogs about information security at www.ericconrad.com.

@eric_conrad

Justin Leapline, Rockie Brockway - Run your security program like a boss / practical governance advice
6:00 pm - 6:55 pm

"Let’s face it; it’s not easy to run a security governance program, with the continuing pressure of keeping our information secure and breach-free while management doesn’t see the need to increase budget if there isn’t an incident occurring or a compliance need. So how does someone in the trenches measure, monitor, and communicate this to ensure that you get the buy-in needed - or at least get the acceptance from management on the risk? It’s something that everyone in a security leadership position struggles with.

Through this talk, we will be discussing some of the key points in implementing, managing, and creating oversight to communicate both internally to the security team and externally with the company. And don’t worry, the points we will be discussing will be applicable across the board - from small businesses to Fortune 100s.

Also, we will be releasing some helpful tools in aiding your quest to the nirvana of a simple security governance program. You don't want to miss it!"

Justin Leapline has over twenty years of experience involving system administration, software development, and information security. His core skills include regulatory and contractual compliance within the information security realm, security program management, and general governance practices and frameworks. Before joining TrustedSec, Justin consulted with numerous Fortune 1000 companies in the areas of information systems, audit, governance and information security. He has also led the governance and security practices for leading eCommerce and large financial services companies. Rockie Brockway serves TrustedSec as the Practice Lead of the Office of the CSO. With over two decades of experience designing, building and managing systems and networks; auditing and enforcing network security and policy; incident response; pen-testing; adversarial simulation; assessing vulnerabilities and threats; and analyzing business impact and risk, Rockie teams with organizations to understand the value and location of business critical data in an effort to further enable organizational innovation, achieve business outcomes and to protect the brand.

Justin - @jmleapline
Rockie - @rockiebrockway

Concert Setup
7:00 pm - 7:55 pm

Track 3 - Teach Me

Bruce Potter - When to Test, and How to Test It
12:00 pm - 12:50 pm

“I think we need a penetration test". This is one of the most misunderstood phrases in the security community. It can mean anything from “Someone should run a vulnerability scan against a box” to “I’d like nation-state capable actors to tell me everything that's wrong with my enterprise” and everything in between. Security testing is a complex subject and it can be hard to understand what the best type of testing is for a given situation. This talk will examine the breadth of software security testing. From early phase unit and abuse testing to late phase penetration testing, this talk will provide details on the different tests that can be performed, what to expect from the testing, and how to select the right tests for your situation. Test coverage, work effort, attack simulation, and reporting results will be discussed. Also, this talk will provide a process for detailed product assessments, i.e.: if you’ve got a specific product you’re trying to break, how do you approach assessing the product in a way that maximizes your chance of breaking in as well as maximizing the coverage you will get from your testing activity.

Winn Schwartau - How to Measure Your Security: Holding Security Vendors Accountable
12:00 pm - 12:50 pm

"How to Measure Your Security: Holding Security Vendors Accountable"

Security Guy since 1983. Cyberwar. Modelling.

@winnschwartau

James Cook, Tom Steele - A New Take at Payload Generation: Empty-Nest
1:00 pm - 1:50 pm

As the evolution of endpoint, egress, and network security controls continues, adversaries and pentesters are finding it increasingly more difficult to execute malicious payloads within properly-hardened enterprise networks. Although tools currently exist to aid in circumventing these controls, the current state fails to properly account for some of newest techniques used by these controls. Enter Empty-Nest, a command-and-control (C2) toolset created with circumvention in mind. Empty-Nest was designed to provide a flexible payload-generation mechanism and pluggable interface to enable adversaries to easily customize payloads for targeted security control bypass. Our talk discusses the Empty-Nest toolset, demonstrating how to leverage the pluggable interface to create keyed payloads capable of bypassing new-age, cloud-based binary analysis, unloading endpoint software DLLs from running processes, customizing C2 transports, and more.

James Cook - James has over four years’ experience executing penetration tests for a variety of companies across several industries, including Medical, Retail and Financial. James has conducted security assessments that include components such as internal/perimeter network and application penetration testing, social engineering, wireless assessment and vulnerability assessments. James has contributed to the open source community including Metasploit, smbexec, and Veil. Tom Steele - Tom Steele, hailing from Idaho, harnesses his diverse professional software development background to build great tools for Optiv. It doesn't just stop with Optiv, though; Tom has contributed immensely to the open source development community by providing core packages, libraries, security assessment tools, and frameworks. Tom is also an accomplished presenter at a variety of security and development industry conferences such as BlackHat, DefCon, BSidesLV, ShmooCon, just to name a few. Further, he has provided training on a wide range of development and security topics covering offensive execution tactics, assessment tools, mitigation strategies and defensive measures. Tom is the creator and developer behind the LAIR Penetration Testing collaboration framework and is also the co-author of the upcoming No Starch Press book, Black Hat Go.

James Cook - @_jbcook
Tom Steele - @_tomsteele

Jasiel Spelman, Joshua Smith - VMware Escapology: How to Houdini The Hypervisor
2:00 pm - 2:50 pm

Over the past year, attacks targeting VMware desktop hypervisors (Workstation, Fusion, etc.) have been on the rise. Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. VMs also remain important tools for pentesters. Conversely, customer virtualization can lead to dead ends during a pentest. This limitation could lead to situations where enterprises fail to understand the true risk to their virtualized environments. This presentation provides pentesters the information and Metasploit modules to weaken or escape the isolation imposed by VMware hypervisors.

Pwn2Own 2017 featured two full guest-to-host escapes, one of which also affects VMware ESXi. While a guest-to-host escape is the most eye-catching way to abuse a hypervisor, there are other, more subtle abuses as well. This presentation examines VMware guest-to-host communications, which occur through the self-titled Backdoor channel. We will also explore some of the functionalities exposed through the RPC Interface within Backdoor such as the Drag-n-Drop (DnD) and CopyPaste mechanisms. We demonstrate how to take advantage of these mechanisms – without VMware Tools installed – to disclose sensitive information from the host. We'll also take a look at the Host-To-Guest file system and demonstrate how it can be exploited to execute code in the context of the host. Last, we will analyze a Use-After-Free vulnerability that affects DnD and we'll show the exploitation process used to achieve code execution on the host, from the guest.

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.

Joshua Smith is a senior vulnerability researcher and "FuzzOps" manager with Trend Micro's Zero Day Initiative (ZDI) program. He analyzes and performs root-cause analysis on vulnerabilities submitted to the ZDI bug bounty program. However, his current focus is managing the infrastructure and tool development used to maintain the program and enable increased internal vulnerability discoveries. Joshua was also an external developer for the Metasploit Framework. Prior to joining ZDI, Smith served in the U.S. Air Force in various roles, including as a nuclear Intercontinental Ballistic Missile (ICBM) Crew Commander and Instructor, but more relevantly as a penetration tester for the former 92d Information Warfare Aggressor Squadron. Post-military, he became a security engineer at the Johns Hopkins University Applied Physics Laboratory, where he began contributing to the Metasploit Framework. Smith performed research into weapons systems vulnerabilities as well as evasion and obfuscation techniques to add depth and realism to security device tests.

Jasiel Spelman - @WanderingGlitch
Josh - @kernelsmith

David "thelightcosine" Maloney, Spencer "ZeroSteiner" McIntyre, Brent Cook, James "Egyp7" Lee - 3rd Annual Metasploit Townhall
3:00 pm - 3:50 pm

This will be the third year of the Metasploit Townhall at DerbyCon. This will be an open forum style panel where we offer ourselves up to our community. We will answer questions, take feedback, and talk a little bit about what we've got going on and where we see things going. This is your chance to come and interact with us face to face in a setting where we can't get away!

We are some, but not all, of the people who keep Metasploit going. Brent, Egyp7, and theLightCosine all work at Rapid7 where they somehow manage to get paid for doing this. ZeroSteiner is one of the core community contributors who does this for free.

David - @thelightcosine
Spencer - @zeroSteiner
Brent - @busterbcook
James - @egyp7

Jared Atkinson and Robby Winchester - Purpose Driven Hunt: What do I do with all this data?
4:00 pm - 4:50 pm

Does your organization want to start Threat Hunting, but you're not sure how to begin? Most people start with collecting ALL THE DATA, but data means nothing if you're not able to analyze it properly. This talk focuses on the often overlooked first step of hunt hypothesis generation, which can help guide targeted collection and analysis of forensic artifacts. We will demonstrate how to use the MITRE ATT&CK Framework and our five-phase Hypothesis Generation Process to develop actionable hunt processes, narrowing the scope of your Hunt operation and avoiding "analysis paralysis." We will then walk through a case study of Golden Ticket detection from concept to technical execution by way of the Hypothesis Generation Process. Along the way, we will detail some of the most common Golden Ticket indicators and will release a new PowerShell script for extracting Kerberos ticket information without any dependencies on external binaries.

Jared Atkinson (@jaredcatkinson) is the Defensive Services Technical Director at SpecterOps, where he specializes in Digital Forensics and Incident Response. Jared spent two years at Veris Group's Adaptive Threat Division (ATD) leading the technical buildout of Veris Group's Hunt capability. Before Veris Group, Jared spent four years leading incident response missions for the U.S. Air Force Hunt Team, detecting and removing Advanced Persistent Threats on Air Force and DoD networks. Passionate about PowerShell and the open source community, Jared is the lead developer of the PowerForensics project, an open source forensics framework for PowerShell, and of Uproot, a WMI-based IDS, and maintains a DFIR-focused blog at www.invoke-ir.com.

Robby Winchester is an experienced threat hunter and penetration tester with six years of experience in information security. Over the course of Robby's career, he has developed and supervised penetration testing, physical security, and breach assessments for Fortune 100 clients. Robby worked two years for the U.S. Air Force Information Aggressors, providing full-scope network and physical red team operational assessments to the Department of Defense. Prior to that, Robby developed and integrated information security operations with traditional military operations for the U.S. Air Force's RED FLAG exercise. Robby has a BS in Computer Science from the U.S. Air Force Academy and an MS in Information Security and Assurance from Western Governors University. Robby holds CISSP, GIAC Penetration Tester (GPEN), and several other information security certifications.

Jared - @jaredcatkinson
Robby - @robwinchester3

Francisco Donoso - DanderSpritz: How the Equation Group's 2013 tools pwn in 2017
5:00 pm - 5:55 pm

Everyone has focused on the Equation Group's "weapons grade" exploits, but no one has focused on their extremely effective post exploitation capabilities.

In this talk I will cover the tools, methods, and capabilities built into the DanderSpritz post exploitation framework. We will review how the Equation Group gained and maintained persistence, bypassed auditing and AV, scanned, sampled, subdued, and successfully dominated an entire organization ninja-style.

We'll dig into the technical details of how the framework gains persistence, performs key logging, captures traffic and screenshots, steals credentials, gathers target information, owns AV and WSUS servers, exfiltrates secrets, and causes general mayhem.

Francisco has been knee-deep in many facets of security, from network security analysis and engineering to security consulting for some of the world's most valuable companies, bringing along a marriage of DevOps and security along the way. Francisco is now focused on leading a team developing Managed Security Services at a Swiss-based security organization.

@Francisckrs

Matt Swann - Defending the Cloud: Lessons from Intrusion Detection in SharePoint Online
6:00 pm - 6:55 pm

Over the past four years we've tried, failed, and now begun to succeed at defending the SharePoint Online service. In my talk, I describe the approaches we tried (focusing on our existing telemetry; focusing on anomalies; focusing on adversaries) and how we put into practice an adversary-focused approach that works. Finally, I describe what we're doing next - using graph analytics to cluster related activity and building incident response capabilities that allow us to locate and track an adversary in real-time. I close with a "hierarchy of needs" that defenders can follow to build defensive capabilities in their own organization.

Matt is a Principal Engineering Manager in the OneDrive and SharePoint team at Microsoft. He drove the security development process for SharePoint 2010 and 2013, then built a team focused on cloud security for SharePoint Online. Matt is passionate about intrusion detection, incident response and catching adversaries. When he’s not catching bad guys, you can find him at home with his kids or hiking in Washington's beautiful Cascades.

@MSwannMSFT

Open
7:00 pm - 7:55 pm

Track 4 - Three Way
Lunch
11:00 am - 11:50 am

Winn Schwartau - How to Measure Your Security: Holding Security Vendors Accountable
12:00 pm - 12:50 pm

"How to Measure Your Security: Holding Security Vendors Accountable"

Security Guy since 1983. Cyberwar. Modelling.

@winnschwartau

Adam Compton & Bill Harshbarger - How we accidentally created our own RAT/C2/Distributed Computing Network
1:00 pm - 1:50 pm

RAT/C2/Botnet/Distributed Computing… Sure there are differences, but they all share common attributes and functionality. In an effort to create a new distributed computing tool for pentesting, we created a fairly functional generic tool that comprises the most common functions of all of these. Want to see what it is and how we developed it? We will be covering everything, in general terms, from the basics of Master/Slave processing and communication to coding up a final solution in Python. If you are interested, please stop by.

Adam Compton has been a programmer, researcher, professional pentester, father, husband, and farmer. Adam has over two decades of programming, network security, incident response, security assessment, and penetration testing experience. Throughout Adam's career, he has worked for both federal and international government agencies as well as within various aspects of the private sector.

Bill Harshbarger has worked in information security for a decade, starting in incident response and forensics, and is now a pentester who has worked with clients ranging from 20-person co-ops to Fortune 100 headquarters.

@tatanus

Grid (aka Scott M) - Active Defense for web apps
2:00 pm - 2:50 pm

Attackers can ruin your day...are you ready to turn the tables on them? Of course you are! Come to my talk to hear about active defense for web applications. This is usable & practical stuff that you can do without a big investment of time or money. Disclaimer: hacking back can get you in trouble, so I don't advocate that!!

Grid (Scott M) has been in IT a long time...decades now! He has been a help desk staffer, programmer, database admin, and system/server admin, before transitioning to security. Grid now works as an info security analyst.

Deral Heiland - IoT Security – Executing an Effective Security Testing Process
3:00 pm - 3:50 pm

With IoT expected to top 20 billion connected devices by the end of the decade, a focused effort is critical if we plan to successfully secure our new IoT-driven world. One of the primary necessities to meet this goal is to develop sound methods for identification and mitigation of security vulnerabilities within IoT products. As an IoT security researcher and consultant, I regularly conduct IoT security testing. Within my testing methodologies I leverage a holistic approach that focuses on the entire ecosystem of an IoT solution, including hardware, mobile, and cloud environments, allowing for a more thorough evaluation of a solution's security issues. During this presentation attendees will learn about the ecosystem structure of IoT and the security implications of the interconnected components as I guide the audience through several research projects focused on security testing of an IoT technology. Using live demonstrations, I will show real-world security vulnerability examples identified within each segment of an IoT ecosystem.

Deral Heiland, CISSP, serves as a Research Lead (IoT) for Rapid7. Deral has over 20 years of experience in the Information Technology field. Over the last 10+ years Deral's career has focused on security research, security assessments, penetration testing, and consulting for corporations and government agencies. Deral has also conducted security research on numerous technical subjects, releasing white papers and security advisories, and has presented the information at numerous national and international security conferences including Black Hat, DEF CON, ShmooCon, DerbyCon, RSAC and Hack In Paris. Deral has been interviewed by and quoted by several media outlets and publications including ABC World News Tonight, BBC, Consumer Reports, MIT Technology Review, SC Magazine, Threat Post and The Register.

@percent_x

Edmund Brumaghin, Colin Grady - Fileless Malware - The New “Cyber”
4:00 pm - 4:50 pm

Buzzwords are the bane of the infosec community. Whether it’s “cyber” or “APT”, these terms are often used as nothing more than a way to generate clicks or by marketing teams to push more blinky lights to customers. “Fileless malware” is the latest example of this. Attacks leveraging malware that have been dubbed “fileless malware attacks” have been generating significant media coverage recently leading many to wonder what impact these attacks may have on their organizations or whether they are adequately protected against them. In many cases these attacks are not truly fileless and result in various artifacts being written to targeted systems. In this presentation we will provide a brief history of fileless malware as well as walk through some specific examples of malware that makes use of this approach to infecting systems. We will also cover why most malware is not actually “fileless”, along with specific examples of threats that make use of interesting persistence mechanisms that do not resemble what many have grown accustomed to seeing from malware.

Edmund Brumaghin is a threat researcher with Cisco Talos. He has spent the past several years protecting environments across a number of different industries including nuclear energy, financial services, etc. He currently spends his days hunting malware and analyzing various threats as they emerge and continue to evolve. In his time with Talos he has researched ransomware, banking trojans and other threats being distributed using various attack vectors. He has also worked to expose large scale malware campaigns and raise awareness of security threats observed across the threat landscape.

Colin Grady is also a threat researcher with Cisco Talos. He started his infosec career as a SOC analyst and has worked his way through a variety of roles including engineering, architecture, and incident response. He joined Talos from his prior role with Cisco's incident response team (CSIRS) to have a more direct and proactive role in protecting customers. He spends his days looking at interesting malware and finding ways to identify and process the samples and activities for convictions across the Cisco product line.

Mauricio Velazco - Hunting Lateral Movement for Fun and Profit
5:00 pm - 5:55 pm

After obtaining an initial foothold on an environment, attackers are forced to embark on lateral movement techniques in order to be successful in identifying and exfiltrating sensitive information. To stay ahead of the bad guys, the Blue team needs to have a clear understanding of these techniques as well as the forensic artifacts these techniques leave behind on the victim hosts. Armed with this knowledge, we can proactively hunt for lateral movement in the environment before exfiltration can occur.

This presentation will analyze Lateral Movement from both a Red and Blue team perspective and introduce Oriana, a lateral movement hunting tool that can assist the Blue team in catching the adversary.

Mauricio Velazco (@mvelazco) is a Peruvian infosec geek who started as a pentester and currently leads the Blue team at a financial services company in New York.

@mvelazco

Schuyler Dorsey - (Mostly) Free Defenses Against the Phishing Kill Chain
6:00 pm - 6:55 pm

An enterprise defender does not have an easy role; however, there are many free or cost-effective changes which can be implemented to significantly reduce or mitigate risk to the network. Many are simply configuration changes in the security stack you already have. If one alters their thinking from how to prevent one specific technique to how to prevent each step of the kill chain, they can have a much greater impact. This talk will take a practical approach to observing the kill chain of an average phishing attack and the security controls you can implement at each step of the way to better prevent or detect the attack.

Schuyler is the Global Information Security Director of Operations at Activision Blizzard. He has experience in incident response, penetration testing, malware analysis, enterprise architecture, and extensive experience in watching Disney movies with his kids.

@mackwage

Setup for Hack Jeopardy
7:00 pm - 7:55 pm

Stable Talks
Adam Hogan - Eye on the Prize
12:00 pm - 12:25 pm

Eye on the Prize - a Proposal for the Legalization of Hacking Back

The myriad objections to legalizing hacking back all agree that an undisciplined horde of skids responding aggressively to every threat presents significant risks we would all like to avoid. Unfortunately the debate has advanced little from this well established point. I propose we continue the discussion by exploring ways in which hacking back can be legalized responsibly. To this end I argue that stopping piracy in the age of sail shared a number of the same problems we face stopping cyber attackers. This also presents a framework with which to allow responsible hacking back: that of the Admiralty Prize Courts. Prize Courts served as adjudicators to the legitimacy of capturing pirates, and held illegitimate attackers responsible for their misdeeds. This system limited who was legally allowed to attack pirates, held control over the viable targets, and controlled the incentives for pirate hunting. I will argue this is a system we can emulate to regulate hacking back.

Adam Hogan is a field security engineer for CrowdStrike. With 15 years in infosec he has worked as a SOC analyst and intrusion detection consultant and taught security classes before joining a sales team for the privilege of not having to go into the same office every day to feign interest in what his colleagues' children did over the weekend that was just so cute. He currently lives near Columbus, Ohio. His graduate studies were in economics, which makes him a bona fide expert in ruining dinner parties with statistics.

@adamwhogan

Alexander Leary - Building Better Backdoors with WMI
12:30 pm - 12:55 pm

This presentation will provide a brief overview of WMI, and how creating WMI providers can be leveraged to create a reliable and covert persistence mechanism for offensive security professionals to use.

Alexander Leary is a Senior Security Consultant at NetSPI, with a specialization in network penetration testing and threat emulation.

@0xbadjuju

Alexander Leary, Scott Sutherland - Beyond xp_cmdshell
1:00 pm - 1:25 pm

Alexander Leary, Scott Sutherland - Beyond xp_cmdshell: Owning the Empire through SQL Server

During this presentation, we'll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We'll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, Python scripts, agent jobs, and custom OLE objects. We'll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.

This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.

Alexander Leary and Scott Sutherland conduct penetration testing, red team, and purple team engagements through NetSPI. Scott is the author of PowerUpSQL and Alexander has contributed code to PowerUpSQL and PowerShell Empire.

Alexander Leary @0xbadjuju
Scott Sutherland @_nullbind

Andrea Little Limbago - Bots, Trolls, and Warriors
1:30 pm - 1:55 pm

Andrea Little Limbago - Bots, Trolls, and Warriors: The Modern Adversary Playbook

Adversaries increasingly integrate ‘traditional’ computer attack vectors with advances in automation and the power of disinformation to reach a wider range of targets and achieve a wider range of objectives. Increasingly, these bots, trolls and warriors are employed simultaneously to achieve strategic impact and surprise. Bots reflect the implementation of automation and machine learning, and manifest in everything from widespread DDoS to malvertising to social bots. Trolls represent groups or individuals who leverage online forums to influence opinions, perspectives, and achieve specific objectives. Finally, cyber warriors are increasingly brazen and leverage both tried and true techniques as well as highly customized attacks. To counter this playbook, defenders must similarly pursue socio-technical innovations. The stakes are high, as it has far-reaching impact on stability, democracy, security and privacy for the foreseeable future.

Andrea Little Limbago is the Chief Social Scientist at Endgame, where she researches and writes on geopolitics and cybersecurity, data science, and directs the company’s technical content. Her writing has been featured in Politico, VentureBeat, the Hill and Christian Science Monitor, and she has presented at a range of security conferences (e.g., Enigma and O’Reilly), government conferences (e.g. SOCOM’s Global Synchronization), and in academia (e.g. International Studies Association Annual Conference). She previously worked in academia and at the Department of Defense. Andrea holds a PhD in Political Science from the University of Colorado at Boulder, where she taught international relations and foreign policy courses, and a Bachelor’s degree from Bowdoin College.

@limbagoa

OPEN
2:00 pm - 2:25 pm

Anthony Russell - Building Google for Criminal Enterprises
2:30 pm - 2:55 pm

I was able to create a proof of concept application that scrubs a recreation of the Ohio Voter Database and links each entry confidently to its real owner's Facebook page. By doing this I have created a method by which you can use the Voter Database to seed you with name, address and DOB, and Facebook to hydrate that information with personal information.

My application was able to positively link a voter record to a Facebook account approximately 45% of the time with a high confidence score.

Extrapolate that out, over the 6.5 million records in my database, and you get 2.86 million Ohio resident Facebook records.

Security Software Engineer | Hobbyist Hardware/Software Hacker | Blogger | Volunteer Youth Educator | OIF Veteran

@DotNetRussell

Koby Kilimnik - V!4GR4: Cyber-Crime, Enlarged
3:00 pm - 3:25 pm

Trafficking of counterfeit pharmaceuticals is a massive industry, and it has been known for its persistent usage of different blackhat techniques in order to maintain its operation. A large part of those attempts are web application attacks, which are used in order to operate a huge network which generates substantial income for its operators. In this session we're going to introduce some of the main methods of operation for these groups, estimate the size of this operation, and explain why it matters. We will walk through real attack data to see some of the latest attacks generated by these organizations, and discuss how organizations can be better protected against those attacks.

Open source evangelist, programmer and a naturally curious human being. Jack of all trades, master of none; wastes too many hours awake at night and too few during the day; has contributed to Node.js, Ruby core and Arch Linux. Koby is an experienced coder and hacker who went from penetration testing to security coding at ODI and Cisco, and is now a security researcher at Imperva.

Koby's code: www.github.com/solebox
Koby's keybase: keybase.io/solebox

@KernelXSS

Open
3:30 pm - 3:55 pm

Bill Gardner - The skills gap: how can we fix it?
4:00 pm - 4:25 pm

How can educators help the community get the graduates you need?

Bill Gardner is an Assistant Professor at Marshall University, where he teaches in the Digital Forensic and Information Assurance Program. Prior to joining the faculty at Marshall, Bill co-founded the 304Geek and SecureWV/Hack3rCon. Bill is the coauthor of "Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats" with Valerie Thomas, and "Google Hacking for Penetration Testers" with Johnny Long and Justin Brown.

@oncee

Carl Sampson - Extending Burp
4:30 pm - 4:55 pm

Burp is one of the most popular tools used in dynamic web application testing with a lot of great features built-in. It also provides an API that lets you extend it further. It can be intimidating when starting to write an extension, but once you get going it’s not too bad. This talk will walk through an example of creating a Burp extension that uses several different features of the API.

Carl Sampson is a product security engineer for Salesforce. He has 20 years of experience between development and application security and has worked in a number of organizations across the insurance and marketing sectors. He lives in central Indiana with his wife and three children. He has a passion for automation, tools development, and is the cofounder and leader of the Indy OWASP chapter.

@chs

Casey Smith - Shellcode Via VBScript/JScript Implications
5:00 pm - 5:25 pm

This talk will explore a recent discovery of being able to execute shellcode and make Win32 API calls from the Windows Script Host. This will be a deep dive case study of executing shellcode via an HTA file. We will discuss patterns for execution and detection. There are many other applications to which these techniques can be applied. This talk will be of interest for Red Team and Blue Team.

Casey Smith has a passion for understanding and testing defensive systems.

@subTee

Daniel Brown - Retail Store/POS Penetration Testing
5:30 pm - 5:55 pm

Penetration testing a retail/POS environment: the methods companies are using to try to protect them, methods of bypassing security implementations, and how they tie into a company's overall security.

I am a penetration tester for Payment Software Company (PSC) and have been in the industry for 3 years. I perform external, internal, retail/POS, wireless and web application penetration tests for companies who are subject to PCI compliance. I graduated from Louisiana State University (LSU), and currently reside in Houston, TX. I took an unusual path to become a penetration tester, starting out with a small company doing customer support and showing that I had an aptitude for infosec work in general. This work included Risk Assessments, Audits, Security Assessments, Vulnerability Management, and of course Penetration Testing.

@dbrow43

Dave Mattingly - Improv Comedy as a Social Engineering Tool
6:00 pm - 6:25 pm

The rules of improv comedy can apply to many social interactions, including bluffing your way to compromise a target. The constantly changing situations of improv are great practice for accepting unexpected circumstances, and happily going with the flow.

Dave Mattingly was a comedy and punk radio DJ, while he was a NASA rocket scientist. He ran a sci-fi and RPG publishing company, while writing anti-terrorism software for DHS and anti-fraud detection for the finance industry. He's an itinerant preacher, entrepreneur, award-winning speaker, and occasional improv comic. In short, he doesn't know what he wants to do when he grows up.

@dave_mattingly

Evil_Mog, Renderman - How to safely conduct shenanigans
6:30 pm - 6:55 pm

There are some legendary pranks pulled off at DerbyCon. This talk goes through how to conduct shenanigans safely without getting yourself ejected from the venue, and it will also detail how to get goon and venue support to make shenanigans epic.

Evil_mog & Renderman are collectively the churchofwifi v3, the self-proclaimed shenanigan leads of DerbyCon.

@Evil_mog
@ihackedwhat

James Forshaw - The .NET Inter-Operability Operation
7:00 pm - 7:25 pm

One of the best features of the .NET runtime is its in-built ability to call native code, whether that's APIs exposed from dynamic libraries or remote COM objects. Adding this in-built functionality to a "type-safe" runtime has its drawbacks, not the least of which is the introduction of security issues due to misuse. This presentation will go into depth on how the .NET runtime implements its various interop features, where the bodies are buried, and how to use that to find issues ranging from novel code execution mechanisms and elevation of privilege up to remote code execution. The presentation will assume the attendee has some familiarity with .NET and how the runtime executes code.

James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he has numerous disclosures in a wide range of products from web browsers to virtual machine breakouts as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.

@tiraniddo

Jason Blanchard - A presentation or presentations because...
7:30 pm - 7:55 pm

Jason Blanchard - A presentation or presentations because... presenting

In less than 30 minutes, you'll smile, nod in agreement, be amazed, become incredibly self-aware of how you perceive information for the rest of your life, and learn the basics of storytelling and audience manipulation so when you need to explain something to someone they'll understand. Essentially this is a presentation or presenting presentations within a presentation I like to call Inception Presentation. It will get way meta and you'll love it. #softskills

For those of you who don't know me... I'm the marketing guy who spins wheels, gives talks at Hacker Cons and generally smiles all the time. I've been manipulating people's emotions for years as a video editor, content creator, storyteller, marketing person, and professional speaker. I generally like to make people laugh as a stand-up comedian. My name is Jason Blanchard and I approve this speaker bio.

@BanjoCrashland