Conference Program

All sessions will take place at the Hyatt Regency San Francisco.

Monday, January 25, 2016

Continental Breakfast
Visit the Enigma Sponsor Showcase!
8:45 am–9:00 am
9:00 am–10:00 am

Security in Healthcare

Session Chair: David Brumley, CMU

Hacking Health: Security in Healthcare IT Systems

9:00 am–9:30 am

Avi Rubin, Professor, Johns Hopkins University

Dr. Aviel (Avi) D. Rubin is Professor of Computer Science and Technical Director of the Information Security Institute at Johns Hopkins University. He is also the Director of the JHU Health and Medical Security Lab. Prior to joining Hopkins, Rubin was a research scientist at AT&T Labs. He testified about information security before the U.S. House and Senate on multiple occasions, and he is the author of several books about computer security. Rubin is a frequent keynote speaker at industry and academic conferences, and he delivered a widely viewed TED talk in 2011 and a more recent TED talk in September 2015. He also testified in federal court as an expert witness on numerous occasions in matters relating to high-tech litigation. Rubin served as Associate Editor of IEEE Transactions on Information Forensics and Security, Associate Editor of Communications of the ACM (CACM), and an Advisory Board member of Springer's Information Security and Cryptography Book Series. On his last sabbatical, Rubin was a Fulbright Scholar at Tel Aviv University. In January 2004, Baltimore Magazine named Rubin a Baltimorean of the Year for his work in safeguarding the integrity of our election process, and he is also the recipient of the 2004 Electronic Frontier Foundation Pioneer Award. Rubin has a B.S. ('89), M.S.E. ('91), and Ph.D. ('94) from the University of Michigan.

How is healthcare IT security different from all other applications? Let me count the ways. You’ve got doctors with god complexes, regulators who sometimes do and sometimes don’t understand the impact of their decisions, patients who want access to their medical data in real time on their mobile device (and make sure nobody else can see it), and entrepreneurs churning out new devices, systems and protocols at warp speed. At the same time, health data is moving to the cloud, medical devices are connecting to the Internet, and technology has become wearable. How are we supposed to secure anything in this environment?!? We’ll talk.

Medical Device Security

9:00 am–10:00 am

Kevin Fu, University of Michigan

Kevin Fu is Associate Professor of Electrical Engineering and Computer Science at the University of Michigan where he directs the Archimedes Center for Medical Device Security and the SPQR.eecs.umich.edu group. His research investigates how to achieve trustworthy computing on embedded devices with application to health care, commerce, and communication. His participation in the provocative 2008 research paper analyzing the security of a pacemaker/defibrillator led to a watershed moment in cybersecurity for medical device manufacturing and regulatory science.

Professor Fu received his Ph.D. in EECS from MIT where his doctoral research pertained to secure storage and web authentication. He received a Sloan Research Fellowship, NSF CAREER award, Fed100 Award, and best paper awards from various academic silos of computing. His research is featured in critical articles by the New York Times, Wall Street Journal, and National Public Radio. Kevin was named MIT Technology Review TR35 Innovator of the Year for work on medical device security. He has testified in Congress on health matters and has written commissioned work for the Institute of Medicine of the National Academies. He served as a visiting scientist at the Food and Drug Administration, the Beth Israel Deaconess Medical Center of Harvard Medical School, Microsoft Research, and MIT CSAIL. His previous employers include Bellcore, Cisco Systems, HP Labs, and Holland Community Hospital. He is a member of the ACM Committee on Computers and Public Policy and the NIST Information Security and Privacy Advisory Board. He is a principal investigator of THaW.org. Prior to joining Michigan, he served on the faculty at UMass Amherst. Kevin also holds a certificate of achievement in artisanal bread making from the French Culinary Institute.

Today, it would be difficult to find medical device technology that does not critically depend on computer software. Network connectivity and wireless communication have transformed the delivery of patient care. The technology often enables patients to lead more normal and healthy lives. However, medical devices that rely on software (e.g., drug infusion pumps, linear accelerators, pacemakers) also inherit the pesky cybersecurity risks endemic to computing. What's special about medical devices and cybersecurity? What's hype and what's real? What can history teach us? How are international standards bodies and regulatory cybersecurity requirements changing the global manufacture of medical devices? This talk will provide a glimpse into the risks, benefits, and regulatory issues for medical device cybersecurity and innovation of trustworthy medical device software.

Break with Refreshments
Visit the Enigma Sponsor Showcase!
10:30 am–12:00 pm

Peeking into the Black Market

Session Chair: Tudor Dumitras, University of Maryland, College Park

Bullet-Proof Credit Card Processing

10:30 am–11:00 am

Damon McCoy, New York University

Damon McCoy is an Assistant Professor of Computer Science and Engineering at New York University. He received his Ph.D. in Computer Science from the University of Colorado, Boulder. His research focuses on security and privacy measurements of deployed systems. Currently his primary focus is on online payment systems, economics of cybercrime, automotive systems, privacy enhancing technologies and censorship resistance.

There is a thriving ecosystem of online counterfeit websites that utilize abusive spam-based advertising and compromised websites to promote their websites. Third-party entities, who I call rogue payment facilitators, have emerged that offer bullet-proof credit card processing services to online merchants selling trademark-infringing goods, such as counterfeit electronics and luxury goods. These bullet-proof credit card processing services have become essential for the continued profitability of these abusive online merchants as brand holders have intensified their efforts to disrupt the credit card processing abilities of online counterfeit shops with the assistance of the International AntiCounterfeiting Coalition (IACC) and law firms.

In this talk, I will first describe the process of disrupting counterfeit credit card processing which involves placing a test purchase with an online counterfeit website to trace the merchant account accepting payments and then filing a complaint with the card holder association, such as Visa or MasterCard. This need for a test purchase to identify the merchant account has led to the rogue payment processors building systems that attempt to filter test purchases while allowing actual customer orders to complete. These systems are often built out of a combination of traditional anti-fraud systems that block suspicious purchases and custom blacklists that are shared between rogue payment facilitators.

Drops for Stuff: An Analysis of Reshipping Mule Scams

11:00 am–11:30 am

Giovanni Vigna, Professor, University of California, Santa Barbara, and CTO, Lastline, Inc.

Giovanni Vigna is a Professor in the Department of Computer Science at the University of California, Santa Barbara. He is also the CTO at Lastline, Inc., and the head of the hacking group Shellphish. His research interests include malware analysis, web security, vulnerability assessment, and mobile phone security. He is known for organizing and running an inter-university Capture the Flag hacking contest, called iCTF, that every year involves dozens of institutions around the world.

Credit card fraud has seen a rampant increase in the past years, as customers use credit cards and similar financial instruments frequently. Both online and brick-and-mortar outfits repeatedly fall victim to cybercriminals who siphon off credit card information in bulk. Despite the many and creative ways that attackers use to steal and trade credit card information, the stolen information can rarely be used to withdraw money directly, due to protection mechanisms such as PINs and cash advance limits. Therefore, cybercriminals devised more advanced monetization schemes to work around current restrictions.

One monetization scheme that has been steadily gaining traction is represented by reshipping scams. In such scams, cybercriminals purchase high-value or highly demanded products from online merchants using stolen payment instruments, and then ship the items to a credulous U.S. citizen. This person, who has been recruited by the scammer under the guise of "work-from-home" opportunities, then forwards the received products to the cybercriminals, most of whom are located overseas. Once the goods reach the cybercriminals, they are then resold on the black market for an illicit profit. Due to the intricacies of this kind of scam, it is exceedingly difficult to trace, stop, and return shipments, which is why reshipping scams have become a common means for miscreants to turn stolen credit cards into cash.

Data Integrity Based Attacks in Investigative Domains: How Companies Are Exploiting Data Science to Thwart Investigative Outcomes

12:00 pm–12:30 pm

Eric W. D. Rozier, Assistant Professor of EECS, University of Cincinnati

Eric Rozier is an Assistant Professor of EECS at the University of Cincinnati. His Ph.D. is from UIUC. His research interests include data science/engineering with a focus on privacy. Rozier cofounded the Fortinet Cybersecurity Laboratory at the University of Miami and has been named a National Academy of Engineering Frontiers of Engineering Education Faculty member, a two-time University of Chicago Data Science for Social Good Faculty Fellow, and an IBM Doctoral Research Fellow.

The Trustworthy Data Engineering Laboratory (TRUST Lab) has been working with the World Bank, the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the City of Cincinnati to help solve a common problem faced by many organizations involved in data driven investigations: companies and entities that attempt to disguise malicious activities through attacks on the integrity of available data.

In this talk we will explore the challenge of assuring data integrity in heterogeneous data systems that face the challenges of velocity, variety, and volume that accompany the domain of Big Data. We will examine real case studies in debarment and corruption in international procurement with the World Bank, investigations into violations of the Foreign Corrupt Practices Act with the FBI, cases of violations of the Resource Conservation and Recovery Act with the EPA, and human rights abuses of low-income citizens by corporate slumlords in the city of Cincinnati. In each of these cases we will show how malicious actors manipulated the data collection and data analytics process either through misinformation, abuse of regional corporate legal structures, collusion with state actors, or knowledge of underlying predictive analytics algorithms to damage the integrity of data used by machine learning and predictive analytic processes, or the outcomes derived from these processes, to avoid regulatory oversight, sanctions, and investigations launched by national and multi-national authorities.

Lunch (Provided)
Visit the Enigma Sponsor Showcase!
1:00 pm–1:30 pm

Peeking into the Black Market (continued)

Dolla Dolla Bill Y'all: Cybercrime Cashouts

11:30 am–12:00 pm

Benjamin Brown, Akamai Technologies

Benjamin Brown currently works on darknet research, threat intelligence, incident response, adversarial resilience, and systems architecture safety review at Akamai Technologies. He has experience in the non-profit, academic, and corporate worlds as well as degrees in both Anthropology and International Studies. Research interests include darknet and deepweb ethnographic studies, novel and side-channel attack vectors, radio systems, the psychology and anthropology of information security, and thinking about security as an ecology of complex systems.

The hardest part of cybercrime is the cashout. The strategy for cashing out needs to be easy enough to make it worth your while and safe enough to stay out of the klink. With more and more focus on identifying and stopping credit card fraud, cybercrooks are diversifying their methods for cashing out. While criminals can, and do, sell whole and bundled online retailer accounts, credit card data, and fullz, I want us to look at how they get their grubby paws on that cold hard cash. Let's dig into the tools, techniques, and procedures used by this new generation of e-launderers and cyber hustlers.

Understanding the lifecycle of financially motivated cybercrimes is an important part of successfully and efficiently defending against them. When we have insight into the tools, techniques, procedures, motivations, methods, and ecosystems driving these attacks, we are afforded the opportunity to build defense in depth that specifically targets the weaknesses and load-bearing assumptions of the attackers. This talk is not a general hand-waving at the topic of "cybercrime," but instead an in-depth exposition showing currently active tools and methods, non-public case study information, and defense tactics that are actively and successfully being employed right now.

1:30 pm–2:30 pm

Security Features in Practice

Session Chair: Shelley Zhuang, Eleven Two Capital

From Concept to Deployment—The Life (and Death) of Security Features

9:00 am–9:30 am

Glenn Wurster, Senior Security Research Manager, BlackBerry

Glenn Wurster has spent the last five years as a security researcher for BlackBerry, breaking things and researching new security technologies for BlackBerry products. He works alongside developers to introduce security mitigations and eliminate vulnerabilities. Glenn holds a Ph.D. in Computer Security from Carleton University. In addition to working with BlackBerry researchers and developers, he also works alongside external researchers to advance the field of computer security. He has been on several program committees, including most recently being the co-chair of the Security and Privacy in Smartphones and Mobile Devices Workshop, co-located with the ACM Conference on Computer and Communications Security.

The research world is filled with new ideas about how to increase the security of shipping products. Many of these ideas, however, never manage to make it into production. Some ideas form the core for other technologies that do end up making it, some are relegated to a footnote in subsequent academic papers, and some disappear into obscurity.

In this presentation, I’ll provide a case study of several features developed either in the academic community or internally at BlackBerry. At least one of these features has made it into a shipping product, while others have been left on the cutting-room floor. I’ll explore how the core idea morphed and was adapted before it managed to make it into product.

Lessons Learned While Protecting Gmail

9:30 am–10:00 am

Elie Bursztein, Anti-spam and Abuse Research Lead @Google

Elie Bursztein leads Google's anti-abuse research, which invents ways to protect users against cyber-criminal activities and Internet threats. Elie helped redesign Google's CAPTCHA to make it easier, and made Chrome on Android safer and faster by implementing better cryptography. Recently he got the best paper award for his research on Secret Questions at WWW 2015 and malicious ad injectors at S&P 2015. Elie was born in Paris, France, wears berets, and now lives with his wife in Mountain View, California.

In this talk we summarize the main (hard) lessons learned while defending Gmail users against a plethora of threats that include network attacks, spam, phishing, malware, and web-based attacks. After summarizing the overall architecture of Gmail's defenses, we delve into the details of our spam and phishing detection systems and how we leverage email authentication technologies. Next we discuss the challenge of building malware scanners at scale and how to deal with malicious documents not detected by traditional AV. We then discuss how we secure the network communication and what the limitations of current STARTTLS implementations are. Finally we showcase the techniques and tools that we found effective to harden our web front end against web attacks and malicious content. We illustrate each of those components with key statistics and examples of attacks that we had to curb.

Break with Refreshments
Sponsored by Darktrace
3:00 pm–5:00 pm

Security at Scale in Practice

Session Chair: Vern Paxson, University of California, Berkeley, and International Computer Science Institute (ICSI)

PKI at Scale Using Short-lived Certificates

3:30 pm–4:00 pm

Bryan Payne, Netflix

Dr. Bryan D. Payne has dedicated his career to the complex field of computer security. He currently leads the Platform Security team at Netflix, which focuses on building a secure foundation to support strategic security needs for the Netflix streaming service. Prior to Netflix, he worked on both offensive and defensive security projects for government, academia, and industry. As a result, Dr. Payne brings a unique perspective to modern security issues. He created the LibVMI open source project and was a co-founder of the OpenStack Security Group. His current interests include security at scale and cryptographic engineering.

While TLS is considered a “best practice” for security, deploying the underlying PKI at scale for cloud applications presents many challenges. This starts with the need to securely bootstrap secrets into each instance. The challenges continue at runtime with the need for insight into the continued trustworthiness of each instance. Unfortunately, in practice, it can be difficult to deploy and maintain such a PKI. In an effort to solve both scale and management challenges, some advocate for the use of short-lived certificates in lieu of revocation lists. The idea is that a compromised private key is less valuable because it will only work for a limited timespan. But what is really required to deploy such a system?

This talk will take a deep dive into the world of PKI deployments at scale. We will start with a brief overview of PKIs in general before drilling into the specific use case of protecting internally facing microservices using TLS with mutual authentication. From here we will explore the pros and cons of using short-lived certificates. Then we will look at the operational challenges around such deployments, including scaling certificate authority services, handling reloading of certificates into services at runtime, and determining if an instance is trustworthy enough to receive renewed credentials. We will close with some parting thoughts about the remaining challenges in this space.

Building a DDoS Mitigation Pipeline

4:00 pm–4:30 pm

Marek Majkowski, CloudFlare

After fruitful encounters with such diverse topics as high performance key value databases, distributed queueing systems, making real time web communication enjoyable, and accelerating the time so that testing servers and protocols takes seconds, Marek Majkowski finally settled for working on DDoS mitigation in the CloudFlare London office, where he appreciates most the parking space for his motorbike.

Over the last two years we've fully rewritten CloudFlare's DDoS mitigation pipeline. Our initial goal was to relieve our over-worked OPS team and reduce their distractions related to reacting to DDoSes. The system we created proved to be capable of much more than we expected. Not only is it quicker and makes fewer mistakes than human operators, but it also allowed us to deploy new mitigation techniques much faster.

The main design goal of the new pipeline was to avoid latency and be able to deploy mitigation in real time, immediately after the threat is detected. To achieve this, we first use sampled packets from switches (sFlow) and HTTP logs as a data source and automatically categorize them into various attack types. Then, the categorized attack metadata runs through rich logic expressed in our reactive programming engine, which allows us to express high-level constraints. Finally, this metadata is a source for the centrally managed iptables mitigations framework.

While composed of many moving pieces, our framework is, at least in spirit, fairly simple, and most importantly practical. We've successfully automated mitigations to most common attacks and nowadays the OPS team rarely needs to manually deploy mitigations. In this talk we'll discuss the design of the new mitigation framework, the context behind it, our incremental development and the future work.

Server-side Second Factors: A Statistical Approach to Measuring User Authenticity

4:30 pm–5:00 pm

David Freeman, Head of Anti-Abuse Engineering, LinkedIn Corporation

Dr. Freeman is Head of Anti-Abuse Engineering at LinkedIn, where he leads a team of data scientists and engineers building systems to detect and prevent fraud and abuse across the LinkedIn site and ecosystem. He holds a Ph.D. in mathematics from the University of California, Berkeley, and did postdoctoral research in cryptography and security at CWI and Stanford University.

In this work we propose a statistical framework for measuring the validity of a login attempt. We built a prototype implementation and tested it on real login data from LinkedIn using only two features: IP address and browser user agent. We find that we can achieve good accuracy using only user login history and reputation systems; in particular, a nascent service with no labeled account takeover data can still use our framework to protect its users. When combined with labeled data, our system can achieve even higher accuracy.

6:00 pm–8:00 pm
Enigma Reception
Sponsored by Google

Tuesday, January 26, 2016

Continental Breakfast
Visit the Enigma Sponsor Showcase!
8:55 am–9:00 am
9:00 am–10:00 am

Security in Autos (and Other Connected Things!)

Session Chair: Daniela Oliveira, University of Florida

Computer Security and the Internet of Things

2:00 pm–2:30 pm

Tadayoshi Kohno, Short-Dooley Professor of Computer Science & Engineering, University of Washington

Tadayoshi Kohno is the Short-Dooley Professor of Computer Science & Engineering at the University of Washington. His research focuses on helping protect the security, privacy, and safety of users of current and future generation technologies. Kohno is the recipient of an Alfred P. Sloan Research Fellowship, an NSF CAREER Award, and a Technology Review TR-35 Young Innovator Award. Kohno is a member of the National Academies Forum on Cyber Resilience, the IEEE Center for Secure Design, and the USENIX Security Steering Committee.

Computers are now integrating into everyday objects, from medical devices to children's toys. This integration of technology brings many benefits. Without the appropriate checks and balances, however, these emerging technologies also have the potential to compromise our digital and physical security and privacy. This talk will explore case studies in the design and analysis of computer systems for several types of everyday objects, including wireless medical devices, children's toys, and automobiles. I will discuss the discovery of security risks with leading examples of these technologies, the challenges to securing these technologies and the ecosystem leading to their vulnerabilities, and new directions for security and privacy. For example, I will discuss efforts (in collaboration with UC San Diego) to compromise the computers in an automobile from a thousand miles away, and the implications and consequences of this and other works. I will also discuss directions for mitigating computer security and privacy risks, including both technical directions and education.

Modern Automotive Vulnerabilities: Causes, Disclosures, and Outcomes

1:30 pm–2:00 pm

Stefan Savage, Professor, Department of Computer Science and Engineering, University of California, San Diego

Stefan Savage is part of the Systems & Networking and Security research groups at the University of California, San Diego. His interests are all over the map, ranging from the economics of e-crime, to characterizing availability, to automotive systems to routing protocols, data center virtualization and back again. He has very broad interests (i.e. "try me if you have a crazy idea").

Stefan got his undergrad degree in Applied History from CMU and his Ph.D. from the University of Washington (courtesy Brian Bershad and Tom Anderson). He was Co-founder and Chief Scientist at Asta Networks (now kaput), served on the Strategy Advisory Council of Rendition Networks (since acquired by OpsWare) and helped develop some of the technology used by Netsift (since acquired by Cisco). He does other consulting here and there.

Over the last six years, a range of research has transformed our understanding of automobiles. What we traditionally envisioned as mere mechanical conveyances are now more widely appreciated as complex distributed systems "with wheels." A car purchased today has virtually all aspects of its physical behavior mediated through dozens of microprocessors, themselves networked internally, and connected to a range of external digital channels. As a result, software vulnerabilities in automotive firmware potentially allow an adversary to obtain arbitrary control over the vehicle. Indeed, multiple research groups have been able to demonstrate such remote control of unmodified automobiles from a variety of manufacturers. In this talk, I'll highlight how our understanding of automotive security vulnerabilities has changed over time, how unique challenges in the automotive sector give rise to these problems, and how different approaches to disclosure have played a role in driving industry and government response.

Break with Refreshments
Visit the Enigma Sponsor Showcase!
10:30 am–12:00 pm

Usable Security

Session Chair: Sunny Consolvo, Google

Why Is Usable Security Hard, and What Should We Do about It?

10:30 am–11:00 am

Adrienne Porter Felt, Staff Software Engineer, Google Chrome

Adrienne Porter Felt leads Google Chrome's usable security team, whose goal is to help people make safe decisions while using Chrome. Along with her team, Dr. Felt is responsible for building and improving the security warnings, indicators, and settings that you see in Chrome today. Previously, Dr. Felt was a research scientist on Google's security research team, where she examined how browser users react to security warnings. She received a Ph.D. in computer science from the University of California, Berkeley; for her dissertation, she evaluated whether Android and Chrome permissions are useful for either developers or end users.

Everyone wants to build software that's both usable and secure, yet the world is full of software that falters at this intersection. How does this happen? I experienced the disconnect firsthand, when the Chrome security team redid Chrome's security UI to conform to best practices for usable security. In the process, we learned how hard it is to actually adhere to oft-cited wisdom about usable security when faced with real-world constraints and priorities. With a set of case studies, I'll illustrate the limitations we encountered when trying to apply common wisdom to a browser with more than a billion users—and discuss what has actually worked for us in practice, which might work for other practitioners too.

Security and Usability from the Frontlines of Enterprise IT

11:00 am

Jon Oberheide, Co-Founder and CTO, Duo Security

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his Ph.D. at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.

When you think about security and usability, IT is probably not the first thing to pop into your head. Yet the IT systems and security that underpin every organization are critical to securing the data of companies, their employees, and the consumers they serve. At the same time, the security industry has created a complex market that requires an encyclopedic glossary to navigate, solutions that require superhuman powers to operationalize, and a user experience where "the users didn't hate it" is a glowing endorsement. While the sales pitch of "we suck less" is more effective than you might imagine, empowered employees in modern organizations demand more of their IT organizations and expect the same streamlined user experience with technology at work as they do at home. The bar is low for IT security, but we can do better.

In this talk, we'll share some of our philosophies on the intersection of simplicity, usability, and security applied to IT security controls, gleaned from our learnings at Duo protecting over 8,000 organizations of all shapes and sizes with diverse security cultures and user populations. We believe the impact that simplicity can have on security and usability for organizations, IT admins, and end users is undervalued, and advocate for further research.

Usable Security—The Source Awakens

11:30 am–12:00 pm

Matthew Smith, Professor, University of Bonn, Germany

Matthew Smith is a Professor for Usable Security and Privacy at the University of Bonn. His research is focused on human factors of security and privacy mechanisms with a wide range of application areas, including TLS and network security, authentication, mobile and app security and, most recently, usable security for developers and administrators.

Many aspects of information security combine technical and human factors. If a highly secure system is unusable, users will try to circumvent the system or migrate entirely to less secure but more usable systems. Problems with usability are a major contributor to many recent high-profile security failures. The research domain of usable security and privacy addresses these issues. However, the main focus of researchers in this field has been on the “non-expert” end-user. After placing this issue in context of current research, the presenter will argue that we need to push the frontiers of usable security research to include the human aspects of system security and the administrators and developers involved in it. The talk will use TLS as an example to illustrate usable security and privacy issues across all levels and for all actors involved in the system.

Lunch (Provided)
Visit the Enigma Sponsor Showcase!
1:00 pm–2:30 pm

Trustworthy Computing

Session Chairs: Alex Stamos, Facebook; Kurt Opsahl, Electronic Frontier Foundation

Defending, Detecting, and Responding to Hardware and Firmware Attacks

1:00 pm–1:30 pm

Teddy Reed, Facebook

Teddy is a Security Engineer at Facebook developing production security tools. He is very passionate about trustworthy, safe, and secure code development. He loves open source and collaborative engineering when scale, resiliency, and performance enable defensive and protective software design. Teddy has published at security conferences on trusted computing, hardware trusted systems, UAVs, competition game theory, and other security-related research.

Firmware attacks, mostly those that allow unauthenticated BIOS/UEFI changes, disable kernel and OS security features. These unauthenticated attacks have been proven trivially easy with physical access, and difficult but achievable remotely or through software-only channels. Recent data breaches have revealed in-the-wild firmware-based persistence and reinfection payloads. The firmware landscape has the same fragmentation problem as Android devices, but suffers from more opaque security update announcement methods and authenticated automated update processes. Combine these issues with a culture landscape that still likens secure boot to an extinction-level event, and it is obvious our enterprises are in danger.

This presentation takes a different approach to hardware and firmware security by exploring how our enterprise defenders can recognize vulnerable systems, detect compromise, and respond to it. Defense begins with visibility: that means baselining kernel drivers, kernels, boot loaders, ACPI table content, SMBIOS metadata, Option ROMs, UEFI drivers, and other boot-related platform code; it then continues into logging run-time OS API-generated hardware events. This data and pipeline can fuel existing correlation and indicators of compromise (IOC) collections to identify known good and eventually known bad. Creating production-deployable and repeatable recipes for these somewhat esoteric features is essential. We will present a summary of immediate tools and actions for “deep systems defense,” an analysis of where our defenders remain blind to compromise, and recommendations on where our industry can focus tailored effort to generate massive impact.

Trust Beyond the First Hop—What Really Happens to Data Sent to HTTPS Websites

1:30 pm–2:00 pm

Nick Sullivan, Security Engineering Lead, CloudFlare

Nick Sullivan is a leading cryptography and security technologist. He founded and built the security team at CloudFlare, one of the world's leading web security companies. He is a digital rights management pioneer in his work building Apple’s multi-billion dollar iTunes store. He holds an MSc in Cryptography and a BMath in Pure Mathematics.

There's a lot of fuss about the best way to visually show how secure your connection is when browsing online. The more mainstream example is the "lock" icon at the top left-hand side of a browser, which indicates that you are currently visiting a website over an encrypted and authenticated HTTPS connection. This extra visual lets the trained web explorer know that the site they're visiting can't be tampered with or "snooped" on. The visual impact of this information is top of mind for Google's Chrome team and Mozilla, with future browsers showing a solid bar of "red" as a more in-your-face indicator of an unencrypted connection.

This focus on improving HTTPS adoption by web browsers is admirable. However, the basic visual information expressed to the web user belies a complex and evolving topology of services sitting on the other side. There's way more to it than a lock or a colored address bar. With the proliferation of low-cost web infrastructure services, even small personal blogs have access to secure global caching and HTTPS. Furthermore, HTTPS termination is not what it used to be in the early days of the web. In this session we will take a look "under the hood" to share more about where data is actually going.

Hear what happens to web data once it leaves the happy embrace of an HTTPS tunnel and spills out to the other side. Attendees will also learn about potential approaches to bridge the gap and allow web services to extend trust beyond the first hop.

Protecting High Risk Users

2:00 pm–2:30 pm

Eva Galperin, Electronic Frontier Foundation
Morgan Marquis-Boire, Citizen Lab, University of Toronto

Eva Galperin, Electronic Frontier Foundation

Eva Galperin is a Global Policy Analyst at the Electronic Frontier Foundation. Her work is primarily focused on privacy and security for vulnerable populations around the world. To that end, she has applied the combination of her political science and technical background to everything from organizing EFF's Tor Relay Challenge to writing privacy and security training materials to publishing research on malware in Syria and Vietnam.

Morgan Marquis-Boire, Citizen Lab, University of Toronto

Morgan Marquis-Boire is a Senior Researcher at the Citizen Lab, University of Toronto. He is the Director of Security for First Look Media and a contributing writer for The Intercept. Prior to this, he worked on the security team at Google. He is a Special Advisor to the Electronic Frontier Foundation in San Francisco and an Advisor to the United Nations Inter-regional Crime and Justice Research Institute. In addition to this, he serves as a member of the Freedom of the Press Foundation advisory board and as an advisor to Amnesty International.

Protecting high-risk individuals has always been a problem for the security industry. While many enterprises focus on mitigating scenarios that will affect the greatest number of their users, harm from attacks is not distributed proportionally. Cyber-attacks on high-risk individuals in dangerous situations can lead to torture, kidnapping, and worse. But dealing with targeted attacks is time-consuming and resource intensive. This problem is exacerbated when the target is an individual or small NGO rather than a large enterprise. This talk will discuss the challenges of protecting high-risk, targeted users using the experience of the speakers in assisting targeted NGOs and individuals.

Break with Refreshments
Visit the Enigma Sponsor Showcase!
3:00 pm–5:00 pm

Trustworthy Computing 2

Session Chairs: Alex Stamos, Facebook; Kurt Opsahl, Electronic Frontier Foundation

Panopticlick: Fingerprinting Your Web Presence

3:30 pm–4:00 pm

Bill Budington, Electronic Frontier Foundation

Bill Budington, Software Engineer, EFF

William Budington is a Software Engineer at the EFF, where he works on Panopticlick, Open Democracy Tools, and other technology projects. As a crypto-enthusiast, he's taken part in the W3C Web Crypto Working Group and is excited to see the web grow as a platform for cryptographic applications. He loves hacker spaces and getting together with other techies to tinker, code, share, and build the technological commons.

The tabs you open shouldn't keep tabs on you. Luckily, you can protect yourself. The set of information left by the browser is only identifying because it is distinct from other users. By employing a few privacy-enhancing techniques, users can effectively 'blend in' by being indistinguishable from others browsing the web. This talk will address different fingerprinting metrics that are employed by sites, and specific mitigation behaviors that you can use to protect yourself from invasive web trackers.

Several Horror Stories about the Encrypted Web

4:30 pm–5:00 pm

Peter Eckersley and Yan Zhu, Electronic Frontier Foundation

Peter Eckersley, Electronic Frontier Foundation

Peter Eckersley is Chief Computer Scientist for the Electronic Frontier Foundation. He leads a team of technologists who watch for technologies that, by accident or design, pose a risk to computer users' freedoms—and then look for ways to fix them. They write code to make the Internet more secure, more open, and safer against surveillance and censorship. They explain gadgets to lawyers and policymakers, and law and policy to gadgets.

Peter's work at EFF has included privacy and security projects such as the Let's Encrypt CA, Panopticlick, HTTPS Everywhere, and the SSL Observatory; helping to launch a movement for open wireless networks; fighting to keep modern computing platforms open; helping to start the campaign against the SOPA/PIPA Internet blacklist legislation; and running the first controlled tests to confirm that Comcast was using forged reset packets to interfere with P2P protocols.

Yan Zhu, Electronic Frontier Foundation

Yan is a Technology Fellow at EFF working on Let's Encrypt, HTTPS Everywhere, and other projects for encrypting the web. She is also a Software Engineer at Brave Software, a developer of SecureDrop, and a former member of the W3C Technical Architecture Group.

You would think that encrypting Internet protocols would be a simple matter of applying a trapdoor one-way function to all of your messages. In reality, encrypting the Web is a more sordid and byzantine undertaking. In this talk we will report upon a number of the more ghastly things we've encountered while working on the Let's Encrypt and HTTPS Everywhere projects, and on new methods you can use to stay safe and sane in this Lovecraftian world.

Social Media Self-Defense: A Guide to Stopping Stalkers

4:00 pm–4:30 pm

Elle Armageddon, Privacy Advocate and Educator

Elle Armageddon is a Bay Area-born feminist, writer, and activist. She publishes guides which teach people how to protect themselves from both local law enforcement and everyday threats to their privacy. She also collaborates with the National Lawyers Guild and other legal collectives to create educational materials and Know-Your-Rights workshops. Her work has been translated into several languages, and she aspires to make privacy and security more accessible to a wider audience.

Social media is ubiquitous in our society. Our profiles may provide a window into our lives for prospective employers or potential lovers, and if we're not careful, they can also provide valuable information to those who wish to do us harm. Fortunately, with a proper threat model, and a little bit of effort, it is possible to mitigate many of the dangers presented by maintaining an online presence. This talk will help identify some of the threats the average social media user may face, as well as some basic strategies for circumventing those threats.

The Global Conversation on Encryption

4:30 pm–5:00 pm

Amie Stepanovich, U.S. Policy Manager, Access Now

Amie Stepanovich is U.S. Policy Manager at Access Now, where she responds to threats at the intersection of human rights and communications surveillance. She is a board member of the Internet Education Foundation and the Committee on Individual Rights and Responsibilities' Liaison to the ABA's Cybersecurity Working Group. Stepanovich has a J.D. from New York Law School, and a B.S. from the Florida State University.

Around the world, leading government officials are discussing new laws and policies that could undermine encryption. From back doors, to key escrow, to outright bans on encryption, these proposals would limit user access to important security tools and technologies. These proposals all come with meaningful costs—to security, to the economy, and to the human rights of users. This talk will discuss some of the proposals that are being discussed, their potential impact, how technologists, academics, and members of civil society are responding, and what you can do to help.

5:30 pm–6:30 pm
Trusty Happy Hour
Sponsored by Facebook
6:30 pm–9:30 pm
Capture the Flag Event
Presented by Electronic Frontier Foundation

EFF is excited to announce that it will be running a "Capture the Flag" hacking contest at Enigma. The challenges will include web hacking, binary analysis, cryptography challenges, and more. Participants will need access to a Linux-based OS for certain challenges. Prizes will be awarded to the winners. Contestants do not need to be at the conference to be eligible. Register and get more information at eff-ctf.org.

Wednesday, January 27, 2016

Continental Breakfast
8:55 am–9:00 am
9:00 am–10:00 am

Threats

Session Chair: Andy Chou, Founder of Coverity

Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications

9:00 am–9:30 am

Ron Rivest, Massachusetts Institute of Technology

Professor Rivest is an Institute Professor at MIT, a member of its Department of Electrical Engineering and Computer Science, a member of MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), a member of that lab's Theory of Computation Group and a leader of its Cryptography and Information Security Group.

He received a B.A. in Mathematics from Yale University in 1969, and a Ph.D. in Computer Science from Stanford University in 1974. His research interests include cryptography, computer and network security, algorithms, and voting system security.

Rivest is a co-inventor of the RSA public-key cryptosystem and has extensive experience in cryptographic design and cryptanalysis. He is also a founder of RSA Data Security and of Verisign. Together with Adi Shamir and Len Adleman, he received the 2002 ACM Turing Award.

He is also well known as a co-author of the text Introduction to Algorithms (with Cormen, Leiserson, and Stein).

He is a member of the National Academy of Engineering and the National Academy of Sciences, and is a Fellow of the Association for Computing Machinery, the International Association for Cryptographic Research, and the American Academy of Arts and Sciences. He is on the Advisory Board for the Electronic Privacy Information Center and on the board of Verified Voting.

Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels “going dark,” these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms. In this report, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, has convened to explore the likely effects of imposing extraordinary access mandates.

We have found that the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse “forward secrecy” design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means that new law enforcement requirements are likely to introduce unanticipated, hard to detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure that such systems would respect human rights and the rule of law.

The Golden Age of Bulk Surveillance

9:30 am–10:00 am

Nicholas Weaver, Researcher, International Computer Science Institute

Nicholas Weaver received a B.A. in Astrophysics and Computer Science in 1995, and a Ph.D. in Computer Science in 2003 from the University of California, Berkeley. Although his dissertation was on novel FPGA architectures, he also focused on computer security, including postulating the possibility of very fast computer worms in 2001. He joined the International Computer Science Institute (ICSI) in 2003. His primary research focus is on network security, notably worms, botnets, surveillance, and other internet-scale attacks, and network measurement. Other areas have included both hardware acceleration and software parallelization of network intrusion detection, defenses for DNS resolvers, and tools for detecting ISP-introduced manipulations of a user's network connection.

This talk will focus on the concepts behind bulk surveillance, why they work so well, how such systems can be built, and some of the major players in the commercial industry. For we are now in a world where, if you are lucky, the adversary can be any country your traffic passes through except your own. And any traffic in the clear is not just an information leakage, but a potential attack vector.

Break with Refreshments
10:30 am–12:00 pm

Vulnerability Research and Detection

Session Chair: Parisa Tabriz, Google

What Makes Software Exploitation Hard?

10:30 am–11:00 am

Ben Hawkes, Google

Ben Hawkes is a founding member and the current manager of Google's "Project Zero" security research team. As a researcher, Ben has discovered dozens of serious vulnerabilities across a number of different software platforms (including Android, Linux, and Windows). He has regularly presented and published research focused on vulnerability analysis and software exploitation, such as novel heap exploitation techniques on Windows. Prior to Project Zero, Ben worked for four years on the security of Google's product launches, with a particular interest in virtualization and sandboxing.

Project Zero has a simple mission—"make 0day hard." To achieve this goal we use our own attack research to improve software and design new defenses. This talk describes some of the technologies and trends that Project Zero researchers have recently encountered that in our view have made vulnerability discovery and exploitation fundamentally harder.

ToStaticHTML for Everyone! About DOMPurify, Security in the DOM, and Why We Really Need Both

11:00 am–11:30 am

Mario Heiderich, Post-Doc, Ruhr-University Bochum, Germany

Dr.-Ing. Mario Heiderich is from Berlin, Germany, earned his doctorate at the Ruhr-University in Bochum, and focuses on client-side security, specifically scripting-based attacks and defences. Mario argues that the omnipresent problem of Cross-Site Scripting (XSS) can only be solved where it executes: in the DOM of a user agent. He presented his ideas in his doctoral thesis and accompanied his post-doctoral work by releasing an open-source library that addresses XSS, DOM Clobbering and other attacks without being a pain to use.

Modern web applications (including mobile apps) may not be able to rely on server-side Cross-Site Scripting (XSS) filtering. This also holds for applications that work offline (e.g. use appcache and offline functionality), applications for which a server only sees encrypted data (e.g. using Web Crypto API or OpenPGP.js), websites that make use of JavaScript templating and MVC, or applications that communicate on a peer-to-peer basis and thus don’t even involve central servers. Existing browser-side XSS filters, like XSS Auditor or NoScript, fail as well, which is due to the fact that they are located outside the DOM.

To cope with this problem, XSS sanitation within the Document Object Model (DOM) is required. This poses several novel technical challenges: A DOM-based sanitizer must rely on native JavaScript functions. However, in the DOM, any function or property can be overwritten, through a class of attacks called DOM Clobbering. These attacks are known to the web security community as preparatory steps for XSS exploits. However, we give the first precise academic description of these attacks, and describe a novel application for these attack vectors, namely disabling any DOM based XSS filter.

To solve this problem, we present a two-part solution: First we show how to embed any server or client side filter securely into the DOM, by giving a methodology how to defend against DOM Clobbering attacks. Second, we give an example instantiation of an XSS filter which is highly efficient when implemented in JavaScript. Both parts are combined into a proof-of-concept implementation called DOMPurify. However, any other approach to implement XSS filters to be called from within the DOM (native browser code, browser extensions, different JavaScript libraries) also fits into our framework.

Sanitize, Fuzz, and Harden Your C++ Code

11:30 am–12:00 pm

Kostya Serebryany, Software Engineer, Google

Konstantin (Kostya) Serebryany is a Software Engineer at Google. His team develops and deploys dynamic testing tools, such as AddressSanitizer and ThreadSanitizer. Prior to joining Google in 2007, Konstantin spent four years at Elbrus/MCST working for Sun compiler lab and then three years at Intel Compiler Lab. Konstantin holds a Ph.D. from mesi.ru and a Masters from msu.ru.

The Sanitizers (AddressSanitizer and friends) are a family of dynamic testing tools for C and C++ based on compile-time instrumentation. They find bugs like use-after-free, buffer overflows, data races, uses of uninitialized memory, integer overflows, and many other kinds of bugs, both in user space and in the kernel. These tools are only as good as your test coverage, and so we’ll also discuss libFuzzer, a library for in-process control- and data-flow guided fuzzing. Finally, even if these tools miss some of the bugs there is one more line of defense: security hardening of production binaries using compiler instrumentation. Control Flow Integrity will halt the program if a VPTR or an indirect function pointer looks corrupt, and Safe Stack will protect the return address from stack buffer overflow.
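
The abstract names the tools but shows no code. What follows is an added example, not code from the talk or from the LLVM project: a small length-prefixed record parser, with its unchecked original beside the bounds-checked version, a libFuzzer entry point that exercises the parser, and an indirect call of the kind Control Flow Integrity guards. The wire format, the function names, the constructed crash input and the build lines in the header comment are all assumptions made for this example.

```c
/* Added example (not code from the talk or from the LLVM project).
 * Wire format (assumed): 1-byte name length, name bytes, 4-byte
 * little-endian value.
 *
 * Fuzz with ASan:  clang -g -O1 -fsanitize=address,fuzzer -DFUZZ_BUILD parse.c -o parse_fuzz
 * CFI-hardened:    clang -O2 -flto -fvisibility=hidden -fsanitize=cfi -fuse-ld=lld parse.c -o parse_cfi
 * SafeStack:       clang -O2 -fsanitize=safe-stack parse.c -o parse_ss
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

typedef struct {
    uint8_t  name_len;
    char     name[NAME_MAX];
    uint32_t value;
} record_t;

/* "Before": trusts the length byte, so a name longer than NAME_MAX
 * overflows out->name and the value read runs past the input. Under
 * -fsanitize=address the memcpy is reported as an out-of-bounds access
 * the first time the fuzzer produces a large length byte. */
int parse_record_unsafe(const uint8_t *buf, size_t len, record_t *out) {
    if (len < 1) return -1;
    size_t n = buf[0];
    memcpy(out->name, buf + 1, n);               /* n is never bounded */
    out->name_len = (uint8_t)n;
    out->value = (uint32_t)buf[1 + n] | ((uint32_t)buf[2 + n] << 8) |
                 ((uint32_t)buf[3 + n] << 16) | ((uint32_t)buf[4 + n] << 24);
    return 0;
}

/* "After": every read is checked against len, every write against the
 * destination size, and the name is always NUL-terminated. */
int parse_record(const uint8_t *buf, size_t len, record_t *out) {
    if (len < 1) return -1;
    size_t n = buf[0];
    if (n == 0 || n > NAME_MAX - 1) return -1;   /* leave room for the NUL */
    if (len < 1 + n + 4) return -1;              /* truncated input */
    memcpy(out->name, buf + 1, n);
    out->name[n] = '\0';
    out->name_len = (uint8_t)n;
    const uint8_t *v = buf + 1 + n;
    out->value = (uint32_t)v[0] | ((uint32_t)v[1] << 8) |
                 ((uint32_t)v[2] << 16) | ((uint32_t)v[3] << 24);
    return 0;
}

/* libFuzzer entry point. Point it at parse_record_unsafe to watch ASan
 * catch the overflow; with parse_record it must only ever return -1 on
 * bad input, never crash. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    record_t r;
    (void)parse_record(data, size, &r);
    return 0;
}

/* Indirect call through a function pointer. With -fsanitize=cfi the
 * call is checked against the parser_fn signature at runtime; a pointer
 * that does not point at a function of this type aborts the program. */
typedef int (*parser_fn)(const uint8_t *, size_t, record_t *);

int parse_with(parser_fn fn, const uint8_t *buf, size_t len, record_t *out) {
    return fn(buf, len, out);
}

/* Constructed crash input: length byte 200, far more than NAME_MAX. */
static const uint8_t kCrashInput[] = { 200, 'A', 'B', 'C', 0, 0, 0, 0 };

#ifndef FUZZ_BUILD   /* libFuzzer supplies its own main */
int main(void) {
    record_t r;
    uint8_t good[] = { 3, 'k', 'e', 'y', 0x78, 0x56, 0x34, 0x12 };
    if (parse_with(parse_record, good, sizeof good, &r) == 0)
        printf("name=%s value=0x%08x\n", r.name, r.value);
    if (parse_with(parse_record, kCrashInput, sizeof kCrashInput, &r) != 0)
        printf("rejected oversized name\n");
    return 0;
}
#endif
```

Run the ASan build as `./parse_fuzz corpus/` after swapping `parse_record_unsafe` into the entry point to see the sanitizer report; the CFI build needs LTO (hence `-flto` and a linker that supports it) because the type checks are emitted at link time, and the SafeStack build keeps `r.name` on a separate unsafe stack so an overflow there cannot reach the return address of `parse_with`.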

Lunch (Provided)
1:00 pm–3:00 pm

Competitive Hacking

Session Chair: David Brumley, CMU

Building a Competitive Hacking Team

1:00 pm–1:30 pm

Tyler Nighswander, Researcher, ForAllSecure

Tyler Nighswander has been a computer hacker for several years. While an undergraduate student at Carnegie Mellon University, Tyler was one of the initial members of the competitive hacking team called the Plaid Parliament of Pwning. This team rose from a small group of students to the number one competitive hacking team in the world. After traveling around the world to compete in hacking competitions, Tyler now works on getting humans and computers to think more like hackers.

The world of competitive hacking can be a strange and confusing place. However, the growing importance of cybersecurity and need for professionals with hands-on experience make these exercises relevant for students, experts, and recruiters. We will discuss competitive hacking in the form of Capture the Flag contests with an emphasis on how to build an effective team, based on Carnegie Mellon's Plaid Parliament of Pwning. With this guidance, we hope to make participating in CTFs more fun and friendly for everyone.

Capture the Flag: An Owner’s Manual

1:30 pm–2:00 pm

Vito Genovese, Partner, Legitimate Business Syndicate

Vito Genovese is a founding member of Legitimate Business Syndicate, organizers of DEF CON Capture the Flag starting in 2013. Vito's work includes building infrastructure for distributed software development, designing and building both cloud-based and on-site scoring systems for cybersecurity games, visual design and branding of competition materials, picking fonts, sourcing coffee and other beverages, and writing public material for the Legitimate Business Syndicate blog and Twitter accounts.

Capture the Flag is a genre of hacking competitions that turn vulnerability research into a real-time multiplayer game between teams of experts. Competing in a CTF is extremely challenging and demanding, and organizing one immediately presents a greater challenge: how do you run a competition for clever and creative computer hackers that love nothing more than breaking rules, voiding assumptions, and infiltrating infrastructure? It’s complicated.

This talk explores what it takes to build a team, design principles for a fun contest, the art of starting on time, and keeping momentum for successive contests. We’ll also be looking at the differences between CTF organizing teams, CTF competing teams, and modern commercial devops teams, and some of the common ways all these teams mature, grow, and change over time.

A Million Hit Points and Infinite Charisma: How Games Can Fix Computer Security Education

2:00 pm–2:30 pm

Zachary Peterson, Assistant Professor, Cal Poly, San Luis Obispo

Zachary Peterson is an Assistant Professor of Computer Science at Cal Poly, San Luis Obispo. He has a passion for creating new ways of engaging students of all ages in computer security, especially through the use of games and play. He has co-created numerous non-digital security games, including [d0x3d!], a network security board game, and is the founder of 3GSE, a USENIX workshop dedicated to the use of games for security education.

Year after year, we see reports on an ever increasing gap, both in the public and private sectors, between the number of computer security professionals we need and the number we expect to produce. While the reasons for this trend are varied and systemic, there is a perception, particularly among those new to computing, that security can be asocial and isolating, that it is void of creativity and individual expression, and lacks positive social relevance. But, as we all know, security can inherently have all of these qualities, which perhaps manifest themselves most clearly in cybersecurity games. Indeed, the freedoms of play inherent in games may directly address the qualities deficient in security pedagogy, with many educators now turning to security games, in and out of the classroom, as a meaningful tool for outreach and education. In this talk, we take a critical look at the use of games in cybersecurity education, and explore some of the ways games can (and cannot) fix computer security education.

Timeless Debugging

2:30 pm–3:00 pm

George Hotz, comma.ai

George Hotz first became known at 17 when he developed a procedure to unlock the original iPhone. Coming from the world of electrical engineering, he took computer security by storm, releasing jailbreaks, winning six figures in hacking contests, and soloing capture the flag competitions. But starting this year, he's switched full time to working on AI, the last problem humanity will ever have to solve. And in the process, hopefully getting an answer to the age old question, what am I? He worked for Vicarious for the first half of the year, learned a lot of machine learning, and is now trying his hand at an AI company. He believes that compression is intelligence, and thinks we have about 19 years left on this planet.

Forget reversible debugging: why is it that the concept of time exists in debugging at all? Viewing execution as a timeless trace, the open source tool QIRA (qira.me) attempts to move debugging into a new paradigm. Battle tested in CTFs, I will be presenting the tool and showing off a 10x speedup in the exploit development cycle.

Break with Refreshments
3:30 pm–5:00 pm

Election Security

Session Chair: Dan S. Wallach, Rice University

Internet Voting: What Could Go Wrong?

4:30 pm–5:00 pm

J. Alex Halderman, University of Michigan

J. Alex Halderman is an Associate Professor of Computer Science and Engineering at the University of Michigan and Director of Michigan’s Center for Computer Security and Society. His interests include computer and network security, Internet security measurement, censorship resistance, and electronic voting, as well as the interaction of technology with law and international affairs. Named one of Popular Science’s “Brilliant 10” for 2015, his recent projects include ZMap, Let’s Encrypt, and the TLS Logjam vulnerability.

Internet voting has the potential to ease voter participation and provide a high-tech upgrade to traditional polling methods. Unfortunately, it also raises some of the most difficult challenges in computer security, due to the need to safeguard election servers and voters' computers against powerful attackers, while simultaneously protecting the secret ballot. How well can election technology defend against modern security threats? To find out, colleagues and I performed in-depth security evaluations of Internet voting systems used in the U.S. and around the world. We found staggering gaps in system designs and operational procedures—problems that would allow attackers to change votes, compromise privacy, disrupt returns, or cast doubt on election results. These case studies illustrate the practical obstacles to securing Internet voting and carry lessons for any locality considering adopting such systems.

We Need Something Better—Building STAR Vote

4:00 pm–4:30 pm

Dana DeBeauvoir, County Clerk, Travis County, Texas

County Clerk Dana DeBeauvoir has always been inspired by public service. Her interest led her to obtain a Masters Degree from the LBJ School of Public Affairs and ultimately to run for public office. Since her election as County Clerk in 1986, Dana has devoted herself to bringing high ethical standards, effective and cost-efficient management practices, the benefits of new technology, and high-quality customer service to the office of the County Clerk. The Clerk’s Office has a wide range of responsibilities, including the conduct of elections, the filing and preservation of real property records, and the management of civil, probate, and misdemeanor court documents.

Although worried about new requirements, most Election Administrators (EAs) welcomed the Help America Vote Act deadline in 2006. The Act brought funding that made it possible to retire old voting equipment, such as punch-card systems, and switch to ADA-friendly electronic voting systems. Direct Recording Electronic (DRE) voting systems seemed to promise much better service to voters as well as faster and more accurate processing of election night returns. But were they as great as they promised to be? EAs did not design these systems, nor did they write the laws requiring their use. In response to the criticism of the DREs, some EAs developed techniques to mitigate the vulnerabilities through auditing and testing. County Clerk DeBeauvoir will review the most used mitigators and discuss whether such actions are effective. Newer certified voting systems claim to have better security, but not to the standards offered by STAR Vote. STAR Vote (Secure, Transparent, Auditable, Reliable) is a concept for a new voting system that offers the best of both worlds: an electronic voting system with a paper ballot back-up for auditing and recount purposes. We’ll conclude with a discussion of the elements of the STAR Vote design, a timetable for its implementation, and how you can help complete this project.

Verification, Auditing, and Evidence: If We Didn’t Notice Anything Wrong, Is the Election Outcome Right?

3:30 pm–4:00 pm

Vanessa Teague, The University of Melbourne

Vanessa Teague is a Senior Lecturer in the department of computing and information systems at the University of Melbourne, Australia. Her main research interest is in electronic voting, with a focus on cryptographic schemes for end-to-end verifiable elections and a special interest in complex voting schemes such as IRV. She was a major contributor to the Victorian Electoral Commission's end-to-end verifiable electronic voting project, the first of its kind to run at a state level anywhere in the world. With Alex Halderman, she recently discovered serious security vulnerabilities in the NSW iVote Internet voting system.

The Ancient Greeks could vote securely and privately with bronze disks and a wooden urn, so why can't we get it right using a sophisticated technology like the Internet? End-to-end verifiability gives voters the opportunity to verify that their vote matches their intention and is accurately included in a correct count. In this talk I'll explain what it is, how it works and why it can help us to run supervised poll site e-voting more flexibly and securely than paper alone. I'll describe its first deployment in a state election: the vVote project in Victoria, Australia. Then I'll discuss the open problems that need to be solved before we can safely run government elections over the Internet.

5:00 pm–5:30 pm

Closing Session

Disrupting Nation State Hackers

5:00 pm–5:30 pm

Rob Joyce, Chief, Tailored Access Operations, National Security Agency

Rob Joyce began serving as the Chief of the National Security Agency’s Tailored Access Operations (TAO) organization in April 2013. As the Chief of TAO, Rob leads an organization that provides unique, highly valued capabilities to the Intelligence Community and the Nation’s leadership. His organization is the NSA mission element charged with providing tools and expertise in computer network exploitation to deliver foreign intelligence. This information is used in a range of activities – from national policy-making to military operations that support our warfighters around the world, 24 hours a day.

Rob has served at the NSA for over 25 years, holding various leadership positions within both NSA missions: the Information Assurance and Signals Intelligence Directorates. Prior to becoming the Chief of TAO, Rob served as the Deputy Director of the Information Assurance Directorate (IAD) at NSA, where he led efforts to harden, protect and defend the Nation’s most critical National Security systems and improve cybersecurity for the nation.

Mr. Joyce began his career as an engineer and is a technologist at heart. He holds a Bachelors Degree in Electrical and Computer Engineering from Clarkson University in 1989 and earned a Masters Degree in Electrical Engineering from The Johns Hopkins University in 1993. He was elevated to the Senior Executive Service in 2001. Throughout his career with NSA, he has been the recipient of two Presidential Rank Awards, one meritorious and one at the distinguished level.

Rob is a Scout Master and enjoys participating with the Boy Scouts in the annual World Championship of Punkin Chunkin, building a contraption to fling pumpkins for distance. Over the Christmas holidays, Rob runs a computerized light display synchronized to music, which is likely visible from the international space station.

From his role as the Chief of NSA's Tailored Access Operation, home of the hackers at NSA, Mr. Joyce will talk about the security practices and capabilities that most effectively frustrate people seeking to exploit networks.

5:30 pm–5:45 pm