Talks


This page is a listing of talks I have given; when, where, what conference, the title, and description (with a youtube link if the talk was recorded). They are listed in chronological order.


Title: Intro to Steganography

Conference: BSidsPHX 2012

When: March, 2012

Where, Tempe, AZ

Description: This talk had no official program guide description. The main organizer of the con had a speaker flake on him last minute. I through something together half from a recent 2600 presentation and another small piece for a bigger topic I was toying with (that I ended up doing later in 2012 for HOPE 9).

This talk was not recorded

 


Title: Explosive Steganography

Conference: Hackers on Planet Earth 9 (HOPE9)

When: July, 2012

Where: Midtown NYC, NY

Description: Encryption makes information secret, steganography hides the information in plain sight. We fancy hiding it in a “pile” that most people would avoid. This talk explores hiding steganography in mediums such as archive exploders, file carving exploders, and virus files. There will be a release of the open source tools eZIPlode/asour, magicbomb/-asour and hivasour/hivsneeze.


Title: Doing it Wrong with Scalpel

Conference: CactusCon I

When: April, 2013

Where: Tempe, AZ

Description: Despite the name of the talk, we will go through introductory concepts of what scalpel is used for, how to use it, and basic modifications to the scalpel.conf file. We start with doing it right. Then we start editing source code and do it wrong, very stupid wrong, then eventually kind of cool wrong. One misconfiguration of scalpel.h led to an exaggerated discovery that produced the magicbomb tool. I will explain how to avoid falling into the traps that magicbomb produces. Finally, we will trick scalpel to scan for viruses. As it turns out, scalpel will dig deeper where other AV vendors stop short…not that it turns out to be useful in any way.

This talk had an audio recording only…I will try to dig it up for this page eventually


Title: Mask Your Checksums

Conference: Toorcon 15

When: October, 2013

Where: San Diego, CA

Description: When publicly submitting packet data, it is common wisdom to mask things such as your IP addresses. It is also advised that you mask your checksums, why? This talk attempts to beat this dead horse to the ground, with demonstrations and an open-source tool release.


Title: It’s A Tumor

Conference: CactusCon II

When: May, 2014

Where: Chandler, AZ

Description: This talk is a look into a corner of malware we don’t often look at; the quarantining process. Since it is not very interesting, I naturally took an interest into it.This talk is about the result of this experimentation, a Tumor; A file that just kind of sits around, slowly growing larger. It’s okay though, the tumor is benign.
Expect a proof of concept, a little bit of terminal action, and lots of hex and bitwise operations.

Talks at CactusCon II were allegedly recorded, but I don’t know of them actually getting out.


Title: on Learning Languages

Conference: Neighbors on Planet Earth (NOPE)

When: July, 2014

Where: Wall St area, NY

Description: There was no official program guide, we were all told to tweet our topic the night before (or the morning of). Here’s my tweet:

nope

None of the talks were recorded. But Nick Far snapped a picture while I was giving the talk:

nope2


Title: This is the X You Are Looking For

Conference: Hackers on Planet Earth X (HOPEX)

When: July, 2014

Where: Midtown NYC, NY

Description: When you hear you are being profiled for which books you check out in a library, what do you do with this knowledge? Do you tell your friends to “evade,” to not check these books out, or to find other means of getting this content? No. You tell everyone in the world to deliberately check these books out (and now we have had the pleasure of reading Catcher in the Rye).

This talk is about looking signature detection in the face and confusing or saturating the tool or analyst. A number of techniques will be explored, including a fun malware signature trick called a tumor (it’s OK, it’s benign), and others focusing on open source Intrusion Detection Systems. There may be some random banter about grocery loyalty cards, too. Although this talk intends to be just as technical as expected at a conference like this, it will also be light, fun, and philosophical in nature. Expect a gratuitous slide deck, lots of terminal action, signatures in the nude, hex, and beautiful regex.


Title: Abuse of Blind Automation in Security Tools

Conference: Defcon 22

When: August, 2014

Where: Las Vegas, NV

Description: It is impossibly overwhelming for security personnel to manually analyze all of the data that comes to them in a meaningful way. Intelligent scripting and automation is key. This talk aims to be a humorous reminder of why the word “intelligent” really matters; your security devices might start doing some stupid things when we feed them.

This talk is about abusing signature detection systems and confusing or saturating the tool or analyst. Some technologies you can expect to see trolled are anti-virus, intrusion detection, forensic file carving, PirateEye (yep), grocery store loyalty cards (huh?), and anything we can think of abusing.

Expect to see some new open-source scripts that you can all use. The presenters don’t often live in the high-level, so you may see the terminal, some hex and bitwise maths, raw signatures, and demonstrations of these wacky concepts in action. We don’t intend to present dry slides on “hacker magic” just to look 1337. We want to show you cool stuff that we are passionate about, stuff we encourage everyone to try themselves, and maybe inspire new ideas (even if they’re just pranks…especially).


Title: Hit the Ground Running with Assembly

Conference: Toorcon 16

When: October, 2014

Where: San Diego, CA

Description: This workshop is target for those that have so far found assembly language a little intimidating. Assembly isn’t hard, but many textbooks make it harder than it needs to be. One approach is to saturate the reader with theory and then finally get to a “hello world” 500 pages in (challenge yourself to learn any programming language this way). Another popular teaching method is to start high level (such as HLA). Again, assembly isn’t hard, there’s no reason waste time with high level just to eventually get down to the low level that could have been achieved from the start.

This workshop rapidly cover essential theory (registers, memory, etc..) and then dives right into writing no nonsense assembly (no macros, high-level, #includes, etc..). We will then watch the theory and code unfold in a debugger. Expect to learn about registers, data movement, the stack, math/logic ops, memory, shifts/rotates, conditionals, subroutines, and some system calls. We will also explore cheating with gcc to discover how some high level concepts map to assembly.

This is not meant to be exhaustive (although some resources can be recommended for that), however, after this workshop, you should feel much more comfortable with assembly, be able to write simple asm programs, and not get stuck when furthering your reading of other material on assembly. This is targeted for Linux using nasm (assembler), ld (loader), and edb (debugger). This is meant to be interactive; so it is recommended to come with a working GNU/Linux (32-bit) environment with nasm and edb installed. If you come with Kali Linux (32-bit), you are already good to go.


Title: Learn a New Programming Language NOW

Conference: Toorcon 16

When: October, 2014

Where: San Diego, CA

Description: Imagine that you are already comfortable with programming and have your favorite language (this is already you), your boss asks you to develop something in a language you are not familiar with (or whatever other reason). You don’t want to waste your time reading an entire book on this language. You already know how loops work, you don’t want to read a whole chapter on loops, just tell us how to do a while loop in the language in 1 or 2 sentences and we’re good. Additionally, in 50 lines or less: tell us how to input/output, math, data structure (variables, arrays, etc…), logic, compare, subroutine, and handle files. With that, we can start programming/scripting and just google those other edge cases.

I’m working on a project that I would like to share with everyone and would love contribution. It is a list of skeleton “50-liners” programs/scripts that have the above essential items. It works off of the theory that 90% of the code that we actually write, is only 10% of the actual language, and that 10% can be learned NOW. The languages I have made available so far are perl, python, ruby, lua, javascript, php, bash, C, spin and assembly (x86 and propeller). I’m hungry for moar.


Title: Internalized Context

Conference: CactusCon III (2015)

When: March 13th, 2015

Where: Tempe, AZ

Description:

Data needs context to reliably provide meaning. Regardless, some streams of data can have patterns that are so consistent that it would be hard to interpret the data any other way than with very specific meanings. As an exercise, this talk starts with an analysis of packet data (with a PoC script).

Finally, the meat of this talk will be about the patterns in executable code. The PoC script demonstrated will show analysis of data streams at a machine-code level (assembly is too high-level) and attempts to make a determination of its executability. This is done without ELF/PE headers; just a snippet of potentially executable code (alignment agnostic). The PoC lua script could quickly be integrated with some IDS in order to raise the fidelity of some shellcode based rules (because why analyze shellCCCCCCCCCCCCCCCCCCCCCCCCode that’s not code).

PDF version of slides

Raw version (txt) of slides


Title: REvisiting RE:DoS

Conference: Defcon 23

When: August 7th, 2016

Where: Las Vegas, NV

Description:

Regular Expression Denial of Service has existed for well over a decade, but has not received the love it deserves lately. There are some proof of concept attacks out there currently, most of which are ineffective due to implementation optimizations. Regardless of the effectiveness most of these PoC’s are geared only to NFA engines.

This talk will demonstrate working PoC’s that bypass optimizations. Both NFA and DFA engines will get love. Tools will be released (with demonstration) that benchmark NFA/DFA engines and automate creation of ‘evil strings’ given an arbitrary regular expression. Attendees can expect a review of regex and a deep under the hood explanation of both regex engines before abuses ensue.