Kevin Mitnick Documentary – I Am Rebel (Phreaks and Geeks) 480p

Kevin Mitnick, the nation’s first dark-side hacker, used his “social engineering” skills to send the FBI on a cat-and-mouse chase and eventually became the government’s greatest tool in understanding computer security. The legendary Lewis De Payne is also featured in this video.


Karsten Nohl – Where in the World Is Carmen Sandiego?


Becoming a secret travel agent.

Travel booking systems are among the oldest global IT infrastructures, and have changed surprisingly little since the 80s. The personal information contained in these systems is hence not well secured by today’s standards. This talk shows real-world hacking risks from tracking travelers to stealing flights.

Airline reservation systems grew from mainframes with green-screen terminals to modern-looking XML/SOAP APIs to access those same mainframes.

The systems lack central concepts of IT security, in particular good authentication and proper access control.

We show how these weaknesses translate into disclosure of travelers’ personal information and would allow several forms of fraud and theft, if left unfixed.

In the airline and travel industries, a passenger name record (PNR) is a record in the database of a computer reservation system (CRS) that contains the itinerary for a passenger, or a group of passengers travelling together. The concept of a PNR was first introduced by airlines that needed to exchange reservation information in case passengers required flights of multiple airlines to reach their destination (“interlining”). For this purpose, IATA and ATA have defined standards for interline messaging of PNR and other data through the “ATA/IATA Reservations Interline Message Procedures – Passenger” (AIRIMP). There is no general industry standard for the layout and content of a PNR. In practice, each CRS or hosting system has its own proprietary standards, although common industry needs, including the need to map PNR data easily to AIRIMP messages, have resulted in many general similarities in data content and format between all of the major systems.

When a passenger books an itinerary, the travel agent or travel website user will create a PNR in the computer reservation system it uses. This is typically one of the large Global Distribution Systems, such as Amadeus, Sabre, or Travelport (Apollo, Galileo, and Worldspan) but if the booking is made directly with an airline the PNR can also be in the database of the airline’s CRS. This PNR is called the Master PNR for the passenger and the associated itinerary. The PNR is identified in the particular database by a record locator.

When portions of the travel are not provided by the holder of the Master PNR, then copies of the PNR information are sent to the CRSs of the airlines that will be providing transportation. These CRSs will open copies of the original PNR in their own database to manage the portion of the itinerary for which they are responsible. Many airlines have their CRS hosted by one of the GDSs, which allows sharing of the PNR.

The record locators of the copied PNRs are communicated back to the CRS that owns the Master PNR, so all records remain tied together. This allows exchanging updates of the PNR when the status of the trip changes in any of the CRSs.

Although PNRs were originally introduced for air travel, airline systems can now also be used for bookings of hotels, car rental, airport transfers, and train trips.

Presented by Karsten Nohl and Nemanja Nikodijevic.

Chaos Communication Congress 33C3
December 28, 2016

Credential Assessment: Mapping Privilege Escalation at Scale


In countless intrusions from large retail giants to oil companies, attackers have progressed from initial access to complete network compromise. In the aftermath, much ink is spilt and products are sold on how the attackers first obtained access and how the malware they used could or could not have been detected, while little attention is given to the credentials they found that turned their access on a single system into thousands more. This process, while critical for offensive operations, is often complex, involving many links in the escalation chain composed of obtaining credentials on system A that grant access to system B, credentials later used on system B that grant further access, etc. We’ll show how to identify and combat such credential exposure at scale with the framework we developed. We comprehensively identify exposed credentials and automatically construct the compromise chains to identify maximal access and privileges gained, useful for either offensive or defensive purposes.

Bio: Matt Weeks

Matt Weeks currently leads root9B’s research and development arm. As a researcher, he has uncovered a number of major vulnerabilities in various products. He also developed for the Metasploit framework, runs the site and the southwest CCDC regional red team. Previously, he led the USAF’s intrusion forensics and reverse engineering lab and the creation of their enterprise hunt teams.

Unveiling the attack chain of Russian-speaking cybercriminals


Existing research on the Asprox actor has focused primarily on the malware they spread, but little has been published on who they are, how they operate and spread malware, and what resources they own. In this rare talk, we will disclose our many years of deep research on this actor: for example, since their initial operation in 2007, the Asprox gang now owns 2+ billion compromised emails, 2+ million compromised web servers (backdoored with webshells), 0.9+ million compromised SMTP accounts (some of which belong to the US military), 0.4+ million compromised FTP accounts, and SSH access to 1200+ compromised servers. We will detail how they’ve evolved into their currently sophisticated infection infrastructure, including their multiple layers of distribution and command-and-control servers, their anti-detection proxy servers, their malware obfuscation tool chain, their means of infecting endpoints, their large scale tool to auto-compromise websites and inject webshells, and their evolution in 2014 to Android malware and mobile botnets. We will study statistics such as daily downloads and conversion rate, and will explain their monetization methods within multiple underground economies, and the economics. Finally, we’ll cover how we’ve managed to collect our data, how we analyzed the data, and the many techniques we used in tracking this actor.

Bio: Wayne Huang

Wayne Huang was Founder and CEO of Armorize Technologies, and is now VP Engineering at Proofpoint. Huang is a frequent speaker at security conferences, including BlackHat ‘10, DEFCON ‘10, RSA ‘07 ‘10 ‘15 ‘16, SteelCon ‘16, Troopers ‘16, AusCERT ‘16, SyScan ‘08, ‘09, OWASP ‘08, ‘09, Hacks in Taiwan ‘06 ‘07, WWW ‘03 ‘04, PHP ‘07 and DSN ‘04. Into security since 7th grade, he has led teams to develop security products ranging from source code analysis, web application firewall, vulnerability assessment, exploit & malware detection, anti-malvertising, email security, and APT defense. He received his Ph.D. in EE from National Taiwan University, and his B.S. and M.S. in CS from NCTU. He holds two US patents on source code analysis.

Bio: Sun Huang

Sun Huang is a Senior Threat Researcher at Proofpoint. He has more than 9 years of experience in information security. Sun has discovered many Web application 0days, including those of CMS and C2 Panel. Sun has participated in many security contests, and was one of the top 10 researchers in Paypal’s 2013 Bug Bounty Wall of Fame. He was also the third place AT&T bug reporter in 2013. Sun currently holds CCNA, ECSS, CEH, and PMP certifications. Sun has presented at RSA ‘15 ‘16, SteelCon ‘16, Troopers ‘16, AusCERT ‘16.

Stagefright: An Android Exploitation Case Study (Derbycon 2016)


Last year, Joshua disclosed multiple vulnerabilities in Android’s multimedia processing library libstagefright. This disclosure went viral under the moniker “Stagefright,” garnered national press, and ultimately helped spur widespread change throughout the mobile ecosystem. Since initial disclosure, a multitude of additional vulnerabilities have been disclosed affecting the library. In the course of his research, Joshua developed and shared multiple exploits for the issues he disclosed with Google. In response to Joshua and others’ findings, the Android Security Team made many security improvements. Some changes went effective immediately, some later, and others still are set to ship with the next version of Android, Nougat. Joshua will discuss the culmination of knowledge gained from the body of research that made these exploits possible despite exploit mitigations present in Android. He will divulge details of how his latest exploit, a Metasploit module for CVE-2015-3864, works and explore remaining challenges that leave the Android operating system vulnerable to attack. Joshua will release the Metasploit module to the public at DerbyCon.

Joshua J. Drake is the VP of Platform Research and Exploitation at Zimperium Enterprise Mobile Security and lead author of the Android Hacker’s Handbook. Joshua has been doing vulnerability research on a wide range of applications and operating systems for over 20 years with a focus on Android since early 2012. His professional experience began in 2005 and includes roles at VeriSign/iDefense, Rapid7/Metasploit, and Accuvant LABS.

Thinking Purple (Derbycon 2016)


Breaking with the adversarial approach of Red vs Blue, this talk looks at how the current system and approaches may be broken in some organizations and provides recommendations not only for the mature organization with a large structure but also for how small businesses can take a more purple strategy in the way they operate their teams, including how they acquire pentest services. The presentation will cover an approach beyond the red and blue team, more of an organizational and strategic approach to change the paradigm of thinking and action toward a more symbiotic approach to security.

Carlos Perez is a Director at a Security Vendor working on reverse engineering, security research and integration projects. Carlos also works as a trainer, providing training to both government and private organizations across the world in security technologies, and also provides consulting in his spare time on infrastructure and security. His work and thoughts can be found on his webpage. He has presented at several security conferences and is a co-host of the Security Weekly podcast.

A Year in the Empire (Derbycon 2016)


PowerShell is an ideal platform for building a new class of offensive toolsets and parties on both sides of the red and blue divide have begun to take notice. Driving some of this newfound awareness is the Empire project – a pure PowerShell post-exploitation agent that packages together the wealth of new and existing offensive PowerShell tech into a single weaponized framework. Since its release a year ago, the Empire project has garnered dozens of additional modules from the offensive community in addition to signatures and mitigations on the defensive side. This presentation will take you through the design considerations for Empire, the community contributions, its enhanced capabilities, its redesigned C2 system, and the new RESTful API. Welcome to the Empire.

Will Schroeder (@harmj0y) is a security researcher and red teamer. He has presented at a number of conferences including ShmooCon, DEF CON, DerbyCon and several Security BSides conferences on topics spanning AV-evasion, post-exploitation, red teaming tradecraft, and offensive PowerShell. Will is a co-founder of the Veil-Framework, developed PowerView and PowerUp, is an active developer on the PowerSploit project, and is a co-founder and core developer of Empire. Matt Nelson (@enigma0x3) is a red teamer and penetration tester. He performs a variety of offensive services for a number of government and private sector clients, including advanced red team assessments. Matt has a passion for offensive PowerShell, is an active developer on the Empire project, and helps build offensive toolsets to facilitate red team engagements.