DEF CON

DEF CON 32 Engage - Episode Guide, Ratings & Streaming

DEF CON 32 Engage Episodes

1. Welcome to DEF CON

August 9th, 2024

Opening remarks by Jeff "The Dark Tangent" Moss.

2. Where’s the Money: Defeating ATM Disk Encryption

August 9th, 2024 - 45 min

Holding upwards of $400,000, ATMs continue to be a target of opportunity and have seen over a 600% increase in crime in just the last few years. During this time, I led security research with another colleague into the enterprise ATM industry resulting in the discovery of 6 zero-day vulnerabilities affecting Diebold Nixdorf’s Vynamic Security Suite (VSS), the most prolific ATM security solution in the market. 10 minutes or less is all that a malicious actor would need to gain full control of any system running VSS via offline code injection and decryption of the primary Windows OS. Diebold Nixdorf is one of three major North American enterprise class ATM manufacturers with a global presence in the financial, casino/gaming, and point-of-sale markets. Similar attack surfaces are currently being used in the wild and impact millions of systems across the globe. Furthermore, VSS is known to be present throughout the US gaming industry, including most of the ATM/cash-out systems across Vegas.

3. Securing CCTV Cameras Against Blind Spots

August 9th, 2024 - 20 min

CCTV systems have "blind spots" where detection confidence is lower due to factors like angle and distance. This talk explores a novel issue with object detection: location-based confidence weakness. We show how a pedestrian’s position impacts detection confidence and analyze this across four lighting conditions and five object detectors (YOLOv3, Faster R-CNN, SSD, DiffusionDet, RTMDet). Footage from Broadway, Shibuya Crossing, and Castro Street reveals consistent blind spots. We introduce TipToe, an evasion attack that exploits these blind spots to create a minimum-confidence path, reducing detection confidence by up to 0.16 in Shibuya Crossing with YOLOv3 and similar results elsewhere.

4. Mobile Mesh RF Network Exploitation: Getting the Tea from goTenna

August 9th, 2024 - 45 min

A false sense of security can be more dangerous than no security at all. We investigated the goTenna Pro radio, which claims to use AES-256 encryption for its "off-the-grid" mesh network. Despite this, our research revealed that it's possible to fingerprint and track messages, intercept and decrypt AES-256, and inject messages into the network. We’ll explain our testing methods, demonstrate these vulnerabilities live, and discuss their implications. Tools from this research will be released open-source to aid future studies. We will also cover how we worked with goTenna to address these issues.

5. Behind Enemy Lines: Going undercover to breach the LockBit Ransomware Operation

August 9th, 2024 - 45 min

Explore the hidden world of the LockBit ransomware gang in this presentation, where I recount my two-year infiltration into their ranks. Discover how I gained the trust of key figures, including the gang's leader, LockBitSupp. I’ll share firsthand accounts of these interactions and detail the impact of my actions on the syndicate’s operations, including how I helped expose LockBitSupp’s true identity. This talk highlights the crucial role of human intelligence alongside cyber threat intelligence in combating ransomware and protecting organizations from LockBit attacks.

6. Spies and Bytes: Victory in the Digital Age

August 9th, 2024 - 45 min

Join General Paul M. Nakasone, U.S. Army (Ret.), at DEF CON for an in-depth look at modern cyber warfare. With stories from his career as leader of the NSA and U.S. Cyber Command, he will reveal insights into defending against nation-state hackers and securing critical infrastructure. General Nakasone will discuss the evolving cyber battlefield, the role of intelligence sharing, international alliances, and innovative defenses. He’ll also present a forward-looking vision for cyber warfare, emphasizing adaptive strategies, resilient defenses, and the development of new leadership to tackle emerging threats.

7. Defeating magic by magic: Using ALPC security features to compromise RPC services

August 9th, 2024 - 45 min

Advanced Local Procedure Call (ALPC) is a Windows kernel Inter Process Communication method, which has recently seen numerous vulnerabilities related to TOCTOU file operations and memory corruption. Despite Windows' security measures, we identified a flaw in the ALPC security mechanism that allowed unauthorized users to gain system privileges. In this talk, we will overview ALPC and RPC communication mechanisms, including the marshal/unmarshal process and kernel security in ALPC syscalls. We’ll analyze historical bugs, detail the vulnerability we discovered, and demonstrate exploitation methods. Finally, we’ll share insights on this attack surface and offer tips on finding similar bugs.

8. The XZ Backdoor Story: The Undercover Operation That Set the Internet on Fire

August 9th, 2024 - 45 min

On Fri, 29 Mar 2024, at 08:51:26, OSS security received a message from Microsoft engineer Andres Freund about a backdoor in the upstream xz/liblzma library that could compromise SSH servers. A mysterious maintainer, Jia Tan, had compromised the XZ project, posing a major risk. We’ll explore who Jia Tan is, how long he’s been involved, and his potential involvement in other projects. We’ll detail how the backdoor was discovered, how it was implemented, and its technical workings. This case isn’t just about a hidden threat but also a complex puzzle, offering lessons on what went wrong and how to improve.

9. No Symbols When Reversing? No Problem: Bring Your Own

August 9th, 2024 - 45 min

Opening an unknown file and facing hundreds of unfamiliar functions can make analysis slow and tedious, often leading to missed malware insights. This talk will present a proven method for efficiently handling thousands of unknown functions, using the Golang-based qBit family as an example. While focused on Ghidra, this approach is applicable to other tools. We’ll cover creating and using FunctionID and BSim databases to generate portable symbols that streamline analysis. This method benefits both individual researchers and larger teams, scaling well for collaborative efforts. The talk will include a dataset of symbols for Golang binaries and provide access to the discussed scripts and databases.

10. Atomic Honeypot: A MySQL Honeypot That Drops Shells

August 9th, 2024 - 45 min

Discover a MySQL honeypot that "attacks the attackers." In 2023, we identified CVE-2023-21980, a vulnerability allowing a rogue MySQL server to execute RCE on a connecting client. In 2024, we found another RCE in mysqldump (CVE-2024-21096). We combined these with an arbitrary file read vulnerability to create a rogue MySQL server that uses a chain of three exploits: file read, 2023 RCE, and 2024 RCE. This atomic honeypot uncovered two new attack methods against MySQL, enabling us to analyze attackers' code and counter-attack effectively.

11. Listen to the whispers: web timing attacks that actually work

August 9th, 2024 - 45 min

Websites are riddled with timing oracles eager to divulge their innermost secrets. It's time we started listening to them. In this session, I'll unleash novel attack concepts to coax out server secrets including masked misconfigurations, blind data-structure injection, hidden routes to forbidden areas, and a vast expanse of invisible attack-surface. This is not a theoretical threat; every technique will be illustrated with multiple real-world case studies on diverse targets. Unprecedented advances have made these attacks both accurate and efficient; in the space of ten seconds you can now reliably detect a sub-millisecond differential with no prior configuration or 'lab conditions' required. In other words, I'm going to share timing attacks you can actually use.

12. High Intensity Deconstruction: Chronicles of a Cryptographic Heist

August 9th, 2024 - 45 min

13. Veilid Dev and Community Meetup

August 9th, 2024 - 45 min

14. On Your Ocean's 11 Team, I'm the AI Guy (technically Girl)

August 9th, 2024 - 45 min

15. Fireside Chat with DNSA Anne Neuberger

August 9th, 2024 - 45 min

16. Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access

August 9th, 2024 - 45 min

17. Sshamble: Unexpected Exposures in the Secure Shell

August 9th, 2024 - 45 min

18. If Existing Cyber Vulnerabilities Magically Disappeared Overnight, What Would Be Next?

August 9th, 2024 - 45 min

19. Defeating EDR Evading Malware with Memory Forensics

August 9th, 2024 - 45 min

20. Xiaomi The Money - Our Toronto Pwn2Own Exploit and Behind The Scenes Story

August 9th, 2024 - 45 min

21. Digital Emblems: When markings are required under international law, but you don’t have a rattle-can handy

August 9th, 2024 - 45 min

22. The Way To Android Root: Exploiting Your GPU On Smartphone

August 9th, 2024 - 45 min

23. Optical Espionage: Using Lasers to Hear Keystrokes Through Glass Windows

August 9th, 2024 - 45 min

24. DEF CON Unplugged: Cocktails & Cyber with Jeff & Jen

August 9th, 2024 - 45 min

25. Joe and Bruno's Guide to Hacking Time: Regenerating Passwords from RoboForm's Password Generator

August 9th, 2024 - 45 min

26. Breaching AWS Accounts Through Shadow Resources

August 9th, 2024 - 45 min

27. DC101 Panel

August 9th, 2024 - 45 min

28. Android App Usage and Cell Tower Location: Private. Sensitive. Available to Anyone?

August 9th, 2024 - 45 min

29. Abusing Windows Hello Without a Severed Hand

August 9th, 2024 - 45 min

30. Taming the Beast: Inside the Llama 3 Red Team Process

August 9th, 2024 - 45 min

31. Social Engineering Like you’re Picard

August 9th, 2024 - 45 min

32. Eradicating Hepatitis C With BioTerrorism

August 9th, 2024 - 45 min

33. Outlook Unleashing RCE Chaos: CVE-2024-30103 & CVE-2024-38021

August 9th, 2024 - 45 min

34. Making the DEF CON 32 Badge

August 9th, 2024 - 45 min

35. Why are you still, using my server for your internet access.

August 9th, 2024 - 45 min

36. Leveraging private APNs for mobile network traffic analysis

August 9th, 2024 - 45 min

37. One for all and all for WHAD: wireless shenanigans made easy !

August 9th, 2024 - 45 min

38. Bricked & Abandoned: How To Keep The IoT From Becoming An Internet of Trash

August 9th, 2024 - 45 min

39. Breaking Secure Web Gateways (SWG) for Fun and Profit

August 9th, 2024 - 45 min

40. Stranger in a Changed Land

August 9th, 2024 - 45 min

41. Exploiting Bluetooth - from your car to the bank account$$

August 9th, 2024 - 45 min

42. DEF CON Franklin Project

August 9th, 2024 - 45 min