Recent News

  • Schedule of Events Available

    Click 'Schedule' for more information.

  • Survival Party Hosted by Salesforce

    Do you have the skills to survive when a 3 hour cruise ends up leaving you stranded on a deserted island? Salesforce Security would like to invite you to find out. We're hosting a party on the Promenade Terrace that is a combination of a Wilderness Survival Skills Workshop and of course a Tiki Bar. If you want to live your Castaway life in style, come join us for this fun, hands-on experience!

  • Capture the Flag (CTF) Built by Salesforce

    This year's CTF features a variety of challenges including topics such as reverse engineering, digital forensics, and even some programming challenges. All levels of expertise are encouraged to play. The CTF will be hosted in the cloud so all you'll need is an internet-connected device to start playing (though realistically you'll probably want a couple VMs).

  • The Micro-Village Hosted by ISECOM

    Touch, learn, play, explore, and feed your brain at the Micro Village! Get your hands on truly "micro" computers: cheap, credit-card-sized computers that plug into monitors or TVs, and use standard keyboards and mouse.

  • Lockpicking Village Hosted by Deviant Ollam

    Learn the latest lockpicking techniques.

Sun, Surf, and C Shells

People from all over the world are coming to Shakacon! You should too!


Shakacon is Hawaii’s only Call for Paper based IT security conference. Shakacon is recognized as Hawaii’s premier information security centric conference with speakers and attendees from around the globe. Shakacon attracts Hawaii’s top security professionals and executives, and our audience consists of CIOs, CISOs, CTOs, IT Managers, Network Engineers, Security Managers, IT Auditors, and various IT professionals.

Shakacon is a unique and intimate security conference where industry, government, academia, and independent experts gather together to share knowledge and experiences in one of the most beautiful places on Earth. Shakacon will offer local, national, and international participants a casual and social learning environment designed to present a “holistic” security view, as well as the opportunity to network with peers and fellow enthusiasts in a relaxed setting.


Call For Papers

	Shakacon VII  - Honolulu, Hawaii
	"Sun, Surf, and C Shells"
Who: Shakacon Crew
What: Shakacon VII
When: July 6-7 (Training) & July 8-9 (Conference) 2015
Where: Honolulu, HI - Hawaii Prince Hotel Waikiki
Why: World Class Speakers, World Class Location, World Class People
How: By plane, boat, canoe, yacht, hydrofoil, stand-up paddle board, jet ski, long board, dolphin, whale sled, nuclear submarine, etc.


Going into our seventh year, Shakacon offers attendees a unique opportunity to really network with some of the world's top security professionals in casual and friendly setting. At its heart, the Shakacon security conference is a laid back conference where industry, government, academia and independent experts will get together to share knowledge and experience in one of the most beautiful places on Earth.

The conference committee strives to build a balanced schedule that appeals to all security practitioners with talks covering all different aspects of the information security landscape. There will be something for everyone and if sitting through talks isn't your cup of Hawaiian coffee you can step into one of the social areas and talk with our sponsors, staff, and attendees.

[Trainer Opportunities]

Don't want to speak at the Con but have an uncanny ability to teach and a proven track record for delivering quality courseware and want to come to Hawaii? We will be evaluating trainers for two days of training leading up to Shakacon (July 6-7). Submit a synopsis/class agenda, prior teaching experience, and maybe you'll get selected to teach in Hawaii. Revenue is split 50/50 between the trainer and conference. The conference will cover all venue related costs (A/V, Food, Drinks, etc.). The trainer is expected to cover their own travel costs (unless they are also selected as a speaker). All selected trainers will receive free admission to the conference.

[CFP Details]

We have up to sixteen (16) spots and typically receive 100+ submissions to speak. If you are serious about speaking please submit your abstract as soon as possible.

(1) Abstract for papers must be submitted to the review committee by March 6, 2015.
(2) Selection notification will occur by April 8, 2015 and abstracts posted to the site by April 13, 2015.
(3) Full Slides for your papers must be submitted by May 31, 2015.

As mentioned, there are a limited number of speaking sessions for which the conference organizers will provide travel and accommodations so please submit your abstract early if you are interested in speaking. Speaking slots will be 50 minutes long (45 minutes for your talk and 5 minutes for Q&A). See [Speaker Benefits] section below for financial details on speaker reimbursements.

The audience will be a broad mix of professional, academic, and enthusiast, so we welcome both technical and non-technical submissions on all aspects of security. The key criteria are practicality and timeliness. We want to provide our attendees with up to date materials they can take away and immediately gain benefit from, as well as new research or tools. Absolutely NO SALES presentations will be accepted.

Proposals should include:

Subject Line:
"Shakacon CFP Submission: <paper title>, <your name>"


1. Name, address, and contact info.
2. Employer and/or affiliations.
3. Brief biography.
4. Presentation experience.
5. Topic summary.
6. Reason this topic should be considered.
7. Other publications or conferences where this material has been or will be published/submitted.
8. Links to videos or slides showing previous presentations.

Please include plain text of all information provided in the body of your email, as well as any file attachments. The plain text information will be reviewed first to find the most suitable candidates.

Please forward the above information to cfp at in order to be considered.

[Speaker Benefits]

Besides a cool speaker badge and the brightest speaker shirt you'll ever lay your eyes on Shakacon will reimburse speakers for two (2) hotel nights and round trip coach airfare. If you choose to stay somewhere other than the official Shakacon hotel we will only be reimburse for hotel room nights at a less than or equal to cost. Reimbursable round trip coach airfare cannot exceed $1,200.00 US without prior approval from conference organizers.

Speakers also receive free admission to the conference, all conference related materials, and an invite to the private pre-conference dinner with the conference organizers, staff, and fellow speakers.

[Trainer Benefits]

Trainers are responsible for their own travel and lodging unless other arrangements have been made with the conference organizers. Trainers should evaluate the minimum attendee requirements for their course and plan for possible cancellation of their class if such minimums are not met. Shakacon will take care of all venue costs (A/V equipment, Internet, tables, chairs, food, beverages) for the training; however, trainers are responsible for providing materials necessary for conducting their class (hardcopy material, hardware, software, switches). Revenue from the training class is split 50/50 between the trainer and conference. Trainers receive free admission to the conference.

More conference information, registration details, and travel partner deals will be posted to:

Follow Status on:

[Media Partners]

We are media friendly. Please email info at for inquiries about press passes.

[CFP Review Team]

A big Mahalo to our CFP review committee:

Caleb Sima - BlueBox
Katie Mossouris - HackerOne
Cory Michal-
Alberto Garcia -
Colin Ames - Attack Research
Matthieu Suiche - MoonSols
Vincenzo Iozzo - TiQad
Kent Backman - Independent Researcher
Jonathan Brossard - Toucan Systems
Jeremiah Grossman - Whitehat Security
Daniel Hodson - Oxin Security & Ruxcon
Kris Harms - Cylance
Ryan Talabis - zVelo
Chris Potter - Attack Research
Jason Martin - FireEye
Darryl Higa - Independent Researcher
Patrick Wardle - SynAck
Tammie Kim - Oracle
Josh Schwartz -
Luis Santana -


Register Here

Shakacon VII Conference (July 8-9, 2015)

15% off the general admission price for all active Military, State & Federal Government Employees, and Members of ISSA, ISACA & Infragard. 25% discount for all Students with a valid ID. Contact for your discount code.

NOTE: Official conference badge and preferred conference t-shirt size NOT guaranteed if you register after May 15th.

Shakacon VII Conference Hotel Information

Hawaii Prince Hotel Waikiki is the official Shakacon VII Conference hotel. Book your room reservations today and ask for the SHAKACON special group rate.

Run of Ocean $209.00
**The rates quoted above are based on single or double occupancy and are subject to hotel room tax of 9.25% and state tax of 4.712%, currently totaling 13.962%. (Taxes are subject to change.)

***Group rates are based on space availability at the time of booking.

Third person charge $60.00 + tax per night. Maximum guestroom capacity is (3) adults and (2) children. Children 17 years and under are complimentary in the same room utilizing existing bedding, when sharing with an adult.


- Call toll free reservations line at 1-800-321-6248
- Call hotel directly at (808) 956-1111
- Email
- Online at

NOTE: (1) night room and tax deposit will be required at the time of booking.


Taxi & Bus Services

  • Shakacon has partnered with Uber to get you a FREE ride to Shakacon VII (up to $20 off your first ride). Download the Uber app at visit enter the promo code SHAKACON and request for your Uber ride.
  • The Cab - Call (808) 422-2222
  • Eco Cab - Call (808) 979-1010
  • The Bus - For more information, including bus routes and schedules, visit

Shakacon 2-Day Trainings

July 6-7, 2015

Location: Hawaii Prince Hotel Waikiki - Haleakala/Kilauea Rooms, 3rd Floor
  • 7:30am-8:00amRegistration Opens
    8:00am-5:00pm Training
    *Continental Breakfast & Lunch will be provided.

Shakacon Speaker Welcome Dinner

July 7, 2015

Location: Hawaii Prince Hotel Waikiki – Promenade Terrace, 5th Floor
  • By invitation only.

Survival Party Hosted by Salesforce

July 8, 2015

Time: 5:30pm - 8:30pm
Location: Hawaii Prince Hotel Waikiki – Promenade Terrace, 5th Floor
  • Do you have the skills to survive when a 3 hour cruise ends up leaving you stranded on a deserted island? Salesforce Security would like to invite you to find out. We're hosting a party on the Promenade Terrace that is a combination of a Wilderness Survival Skills Workshop and of course a Tiki Bar. If you want to live your Castaway life in style, come join us for this fun, hands-on experience!

Capture the Flag (CTF) Built by Salesforce

July 8-9, 2015

Time: 8:00am - 5:30pm
Location: Hawaii Prince Hotel Waikiki – Boardroom, 3rd Floor
  • This year's CTF features a variety of challenges including topics such as reverse engineering, digital forensics, and even some programming challenges. All levels of expertise are encouraged to play. The CTF will be hosted in the cloud so all you'll need is an internet-connected device to start playing (though realistically you'll probably want a couple VMs).

Shakacon 2-Day Conference

July 8-9, 2015

Location: Hawaii Prince Hotel Waikiki – Mauna Kea Ballroom, 3rd Floor

  • Day 1 - July 8, 2015
    7:00amRegistration/Check-In & Continental Breakfast
    8:00amOpening Remarks by Jason Martin, Co-Founder of Shakacon
    8:15amKEYNOTE SPEAKER - Slipping out the front door of the party: The challenges of detecting silent exits of your data by Stephen Adegbite, Wells Fargo & Co.
    9:30amSuns out Guns out: Hacking without a Vehicle by Chris Valasek, IOActive & Charlie Miller, Twitter
    10:20amBreak (10 minutes)
    10:30amThere's Waldo by Patrick Wardle & Colby Moore, Synack
    11:30amExploiting Elevator Security Weaknesses by Deviant Ollam, The CORE Group
    12:20pmLunch & Turbo Talk - FireEye
    1:30pmMaking Android's Bootable Recovery Work for You by Drew Suarez, Matasano Security
    2:30pmGPU assisted fast static analysis by Rick Wesson, Support Intelligence
    3:20pmBreak (10 minutes)
    3:30pmBreaking Vaults: Stealing LastPass protected secrets by Martin Vigo, Salesforce
    4:30pmHacking Highly Secured Enterprise Environments by Zoltan Balazs, MRG Effitas
    5:20pmClosing Remarks by Jason Martin, Co-Founder of Shakacon
    5:30pmEnd of Conference Day 1

    Day 2 - July 9, 2015
    7:00amRegistration/Check-In & Continental Breakfast
    8:00amOpening Remarks by Jason Martin, Co-Founder of Shakacon
    8:15amKEYNOTE SPEAKER: Project Zero: Make 0day hard by Chris Evans, Google
    9:30amAutomotive Exploitation Techniques by Craig Smith, Open Garages & Theia Labs
    10:20amBreak (10 minutes)
    10:30amMedical Devices: Passwords to Pwnage by Scott Erven, Protiviti
    11:30amSocial Engineering the Windows Kernel by James Forshaw, Google
    12:20pmLunch & Turbo Talk - Beyond Security
    1:30pmMalware is Hard: Let's go Shopping! By Richard Wartell, Palo Alto Networks
    2:30pmRed vs. Blue: Modern Active Directory Attacks, Detection & Protection by Sean Metcalf, DAn Solutions
    3:20pmBreak (10 minutes)
    3:30pmI am the 100% (terms and conditions apply) by Chris Evans & Natalie Silvanovich, Google
    4:30pmSecret Pentesting Techniques by David Kennedy, TrustedSec & Binary Defense Systems
    5:20pmClosing Remarks by Jason Martin, Co-Founder of Shakacon
    5:30pmPost-Conference Networking Event & After Party Entertainment by DualCore (Promenade Terrace)

    *Continental Breakfast, Lunch & Afternoon Refreshments will be provided.

Shakacon Post-Conference Networking Event & After Party featuring Dualcore

Thursday, July 9, 2015

Location: Hawaii Prince Hotel Waikiki – Promenade Terrace, 5th Floor
5:30pm Appetizers, Cocktails, Raffle Prize Giveaways, & Entertainment by Dualcore


**Conference Keynote – Day 1**

Name: Stephen Adegbite, Senior Vice President, Enterprise Information Security Program Oversight and Strategy, Wells Fargo & Co.

Bio: Steve Adegbite is the Senior Vice President in charge of the Enterprise Information Security Program Oversight and Strategy Organization at Wells Fargo & Co. Prior to joining Wells Fargo & Co., Mr. Adegbite was the Director, Cyber Security Strategies at Lockheed Martin Information Services and Global Services (IS&GS). Prior to joining Lockheed Martin, Mr. Adegbite was the Chief Security Strategist for Adobe Systems Inc. within the Adobe Secure Software Engineering, Steve has also worked with Operations (IO) positions at the National Security Agency (NSA), the National Geospatial-Intelligence Agency (NGA) and the Defense Intelligence Agency (DIA), both as a government employee and as an associate consultant for Booz Allen Hamilton, a strategy and technology consulting firm. Mr. Adegbite is a current member of President Obama’s Homeland Security Advisory Council.

Title: Slipping out the front door of the party: The challenges of detecting silent exits of your data

Synopsis: The security landscape is changing...I know…I know this is a much worn cliché. However, it’s something to note that for every landscape change, a resurgence of old attacks get repackaged and whitewashed as something new. Lucky us! The good thing is that with the resurgence of certain attacks our defenses are increasingly better almost to the point where the attack becomes a non-factor.

Except for one…Data Exfiltration/Data Exposure. Looking at recent cyber events hitting the financial and retail sectors such as the Home Depot, JP Morgan and even unimaginable places like the Dairy Queen breech. It’s no surprise that this will be a continued trend.

This Keynote talk will look at defining the problem...exploring the question "Is data exfiltration different than data exposure or are they one in the same? And going one step further, why the answer is important for present and future actions against this threat. We will look at the past and present for this threat in a hope that you will leave thinking the same bold statement I have..."the age of destructive cyber attacks are at an end...the days of "silent exits" of data has begun."

**Conference Keynote – Day 2**

Name: Chris Evans

Bio: At Google, Chris founded and built the Chrome Security Team. He is currently focused on doing the same for Google Project Zero. He has launched various progressive initiatives including the Chromium Vulnerability Reward Program and Pwnium competitions. He particularly enjoys driving wider community participation and is also a director for the Internet Bug Bounty charity.

As time permits, Chris is a vulnerability researcher, speaking at various worldwide conferences and serving on talk and paper selection panels. He has found vulnerabilities in most of the popular operating systems and web browsers.

Chris also enjoys contributing to open source and security design best practices, being the author of vsftpd and it's "privsep" concept, and having detected the "Diginotar incident" with contributions to the design of SSL in Chrome.

Chris' current focus is defending internet users from sophisticated targeted attacks.

Title: Project Zero: make 0day hard

Synopsis: We'll provide a frank assessment of the current attack landscape and how it has changed since the "mass malware" years. We will then explore what this means for effective defenses and vulnerability response. This will lead into a detailed description of where Project Zero fits it, with it's mission to make zero days hard and lower the incidence of targeted exploitation. We'll dive into some depth on the most significant Project Zero publications, policies and general observations to date.

Name: Chris Evans and Natalie Silvanovich

Bio: At Google, Chris founded and built the Chrome Security Team. He is currently focused on doing the same for Google Project Zero. He has launched various progressive initiatives including the Chromium Vulnerability Reward Program and Pwnium competitions. He particularly enjoys driving wider community participation and is also a director for the Internet Bug Bounty charity.

As time permits, Chris is a vulnerability researcher, speaking at various worldwide conferences and serving on talk and paper selection panels. He has found vulnerabilities in most of the popular operating systems and web browsers.

Chris also enjoys contributing to open source and security design best practices, being the author of vsftpd and it's "privsep" concept, and having detected the "Diginotar incident" with contributions to the design of SSL in Chrome.

Chris' current focus is defending internet users from sophisticated targeted attacks.

NATALIE SILVANOVICH is a security researcher on Google Project Zero. She has spent the last seven years working in mobile security, both finding security issues in mobile software and improving the security of mobile platforms. Outside of work, Natalie enjoys applying her hacking and reverse engineering skills to unusual targets, and has spoken at several conferences on the subject of Tamagotchi hacking. She is actively involved in hackerspaces and is a founding member of Kwartzlab Makerspace in Kitchener, Ontario, Canada.

Title: I am the 100% (terms and conditions apply)

Synopsis: For a certain class of attacker, the reliability of an exploit is very important. In this talk, we will consider what types of memory corruption vulnerabilities lead to the ability to construct very reliable exploits. We will show two examples of perfectly[*] reliable exploits, and their construction and limitations. We will also discuss the factors that impact the ability to write a reliable exploit.

Name: Chris Valasek & Charlie Miller

Bio: CHRIS VALASEK serves as Director, Vehicle Security Research at IOActive, an industry leader in comprehensive computer security services. In this role, Valasek is responsible for guiding IOActive’s vehicle security research efforts. He is also heavily involved in bleeding-edge automotive security research.

CHARLIE MILLER is a security engineer at Twitter, a hacker, and a gentleman. Back when he still had time to research, he was the first with a public remote exploit for both the iPhone and the G1 Android phone. He is a four time winner of the CanSecWest Pwn2Own competition. He has authored three information security books and holds a PhD from the University of Notre Dame. He has hacked browsers, phones, cars, and batteries. Charlie spends his free time trying to get back together with Apple, but sadly they still list their relationship status as “It’s complicated”.

Title: Suns out Guns out: Hacking without a Vehicle

Synopsis: Car hacking is not only hard, but very expensive. Automotive security is still in its infancy and requires more trained eyes on the problem; unfortunately the biggest barrier of entry is the overall cost. This talk will focus on a researcher's ability to assess the security of pieces of a car without having to purchase the full vehicle. By providing a cost effective blueprint for assessing several ECU's outside of the vehicle we feel more researchers will jump into the automotive security arena. Also, go-karts...yes go-karts.

Name: Craig Smith

Bio: Craig Smith is the founder of Open Garages and the author of the Car Hacker's Handbook. Craig has performed security work with the auto-industry and published independent work for 6 years. He has worked in the security industry for over 15 years and currently runs his own independent security research company, Theia Labs.

Title: Automotive Exploitation Techniques

Synopsis: Demonstrating some of the newest car hacking tools from Open Garages. This includes how to use the CAN of Fingers (c0f) to develop smart vehicle exploit code. There will also be a demonstration of the web based remote vehicle C&C interfaced used by NBC reporters in NYC to hack a vehicle in Seattle. There will be examples from the 2015 Car Hacker's Handbook as well.

Name: David Kennedy

Bio: Dave Kennedy is founder of TrustedSec and Binary Defense Systems. Both organizations focus on the betterment of the security industry from an offense and a defense perspective. David was the former Chief Security Officer (CSO) for a Fortune 1000 company where he ran the entire information security program. Kennedy is a co-author of the book "Metasploit: The Penetration Testers Guide," the creator of the Social-Engineer Toolkit (SET), and Artillery. Kennedy has been interviewed by several news organizations including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News. Kennedy is the co-host of the social-engineer podcast and on a number of additional podcasts. Kennedy has testified in front of Congress on two occasions on the security around government websites. Kennedy is one of the co-authors of the Penetration Testing Execution Standard (PTES); a framework designed to fix the penetration testing industry. Kennedy is the co-founder of DerbyCon, a large-scale conference in Louisville Kentucky. Prior to Diebold, Kennedy was a VP of Consulting and Partner of a mid-size information security consulting company running the security consulting practice. Prior to the private sector, Kennedy worked for the United States Marine Corps and deployed to Iraq twice for intelligence related missions.​

Title: Secret Pentesting Techniques

Synopsis: Penetration testing is one of those fine arts that require research, skill, and a passion to identify exposures. This talk will go into the types of techniques that I use on a regular basis both custom and public in order to gain access to an organization. These techniques are highly effective, evade preventative measures, and work. We'll be going through a number of different methods for circumventing security controls, new research, and most importantly - how to appropriately test and look forward. I’ll also be demoing a new tool for pivoting and lateral movement that will be released soon. The talk will cover why these attacks work and what we need to do as an industry to get better and defending against attacks in general. Instead of just blowing everything up and walking away, there is light at the end of the tunnel if we want to do the work to get there.

Name: Deviant Ollam

Bio: While paying the bills as a security auditor and penetration testing consultant with his firm, The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organisation of Lockpickers. Every year at DEFCON and ShmooCon, Deviant runs the Lockpick Village, and he has conducted physical security training sessions for Black Hat, The SANS Institute, DeepSec, ToorCon, HackCon, Shakacon, HackInTheBox, ekoparty, AusCERT, GovCERT, CONFidence, the FBI, the NSA, DARPA, the National Defense University, the United States Naval Academy at Annapolis, and the United States Military Academy at West Point. His favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th and 10th.

Title: Exploiting Elevator Security Weaknesses

Synopsis: Throughout the history of hacker culture, elevators have played a key role. From the mystique of students at MIT taking late-night rides upon car tops (don't do that, please!), to the work of modern pen testers who use elevators to bypass building security systems (it's easier than you think!), these devices are often misunderstood and their full range of features and abilities go unexplored. This talk will be an in-depth explanation of how elevator control systems work...allowing for greater understanding, system optimizing, and the subversion of security in many facilities. Those who attend will learn why an elevator is virtually no different than an unlocked staircase as far as building security is concerned!

Name: Drew Suarez

Bio: Drew is a security consultant for Matasano Security with a focus in mobile application testing and research. Before moving into security, Drew worked with large scale UNIX environments for a variety of companies. In addition, Drew is a member of the CyanogenMod (open source side) team and has ported custom android bootable firmware to dozens of devices. Besides facilitating the installation of custom code such as CyanogenMod, Drew likes working on unloved, problem devices with strange or non-standard setups.

Title: Making Android’s Bootable Recovery Work for You

Synopsis: Android bootable recovery mode is a self-contained alternative boot mode that loads a tiny Linux environment onto a mobile device. While most stock devices are shipped with recoveries that fairly limited in nature, their use can be greatly extended with a little bit of effort. In this presentation, I will show you how to build your own custom recovery for your Android device. This can be used towards a number of interesting security related goals such as: penetration testing, forensics, data acquisition, bypassing security controls, modifying software, Android development and in some cases provides a direct exploitation route into a device. Using a variety of commonly available tools, attendees will learn how to deconstruct and inspect a number of different boot and recovery software implementations and rapidly begin compiling their own custom tools.

The intent is for an attendee to understand the scope and capabilities of Android bootable firmware and learn how to rapidly develop their own custom software for a variety of different purposes. Additionally, it teaches attendees how to look for flaws in bootable firmware which help undermine the security of Android devices. Security research, vulnerability testing, data acquisition and modification, bypassing security controls and platform testing are all intended goals and uses of a custom Android recovery firmware. By the end of the talk, an attendee should have acquired enough knowledge to start making useful tools for security's many needs.

Name: James Forshaw

Bio: James is a security researcher in Google's Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he has numerous disclosures in a wide range of products from web browsers to virtual machine breakouts as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, BlueHat, HITB, and Infiltrate.

Title: Social Engineering the Windows Kernel

Synopsis: One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token which proves our identity to the system and let us access secured resources.

The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges or even compromise the kernel itself.

This presentation is about finding and then exploiting the incorrect handling of tokens in the windows kernel as well as first and third party drivers. Examples of serious vulnerabilities such as CVE-2015-0002 and CVE-2015-0062 will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.

Name: Martin Vigo

Bio: Martin Vigo is a Product Security Engineer with a special interest in Web and Mobile security. He previously worked as a Software Engineer where he developed a strong passion for information security. Currently he helps engineers design secure systems and applications, conducts security reviews and penetration testing and is responsible for mobile security. Martin is also involved in educating fellow developers on security essentials and best practices. He has also presented secure development and mobile apps hardening talks at several conferences.

Outside the office, Martin enjoys research, bug bounties, gin tonics and scuba diving.

Title: Breaking Vaults: Stealing LastPass protected secrets

Synopsis: LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.

The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.

Name: Patrick Wardle & Colby Moore

Bio: Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of OSX and mobile malware.

Colby Moore is a Security Research Engineer at Synack, working mainly on breaking emerging technologies. He is a former employee of VRL and has identified 0-day vulnerabilities in embedded systems and major applications. Colby prefers focus on that sweet spot where hardware and software meet, usually resulting in um....interesting....consequences.

Title: There's Waldo

Synopsis: Mobile apps are truly ubiquitous and enhance our lives in many ways. However, many either leak or insecurely handle geolocation data, affording an attacker the ability to locate, track, or even determine a user’s identity. This talk describes classes of geolocation vulnerabilities, how apps may be audited to find such bugs, and best practices to ensure users remain protected. To provide a more 'hands-on' feel, real world case studies are presented to demonstrate attacks uncovered by Synack researchers.

The talk will begin with a technical overview of geolocation capabilities in mobile OSs and how apps may access a user's location. Next the talk will identify common classes of geolocation bugs and illustrate how developers often utilize a user's location in an insecure manner. One example, since geolocation APIs may default to the highest level of accuracy, a user's precise location may be revealed if not properly secured (on the device, in transit, or in the cloud).

Unfortunately, as our case studies show, such bugs are alarmingly common (numerous popular applications will be mentioned). A specific case study on Grindr (a common dating app), will be presented to illustrate a myriad of geolocation bugs that placed its users in harm’s way (see: 'Grindr vulnerability places men in harm's way' First, due to the lack of SSL pinning, we present a MitM attack that reveals the user's exact location. Following this, we demonstrate a scalable remote attack. This attack combined several bugs, including the fact that the app reported (to anybody), the precise relative distance of all 'near-by' users. With these distances and the ability to spoof one's location and perform unlimited requests, trilateration could precisely locate and track users world-wide. Unfortunately though we reported the bugs, patches only appeared after it was reported that the Egyptian government was tracking and arresting Grindr users.

Step by step demonstrations will be given, showing how we were able to harvest data and run calculations to determine tens of thousands of user's locations in real time. But it would be silly if we stopped there... Leveraging our capability we demonstrate a custom framework developed to map patterns of life and subsequently correlate these patters to true identity. By setting "hot spots" in our framework (think celebrity homes or US capitols) we can monitor target locations for user activity - potentially exposing identities of parties that may traditionally wish to remain private such as celebrities, athletes, and politicians. And yes, it works ;).

Besides illustrating location-specific bugs and providing real-world examples, the talk will provide suggestions best practices to ensure applications are developed in a manner that does not put users at risk. Such suggestions include precision limiting of geolocation data, rate limiting APIs (in order to make large-scale data harvesting difficult), and limiting the speed and magnitude of user location changes (to prevent harvesting of distances from arbitrary points). For companies or anybody developing location-aware apps, these suggestions will be directly applicable - and ideally, Waldo will remain hidden.

Name: Richard Wartell

Bio: Wartortell works as a reverse engineer and malware researcher for Palo Alto Networks. Previously he worked in Threat Intel, Binary Rewriting and Binary Transparency. He also casts a mean Ice Punch, and this is not even his final form.

Title: Malware is Hard: Let’s Go Shopping!

Synopsis: Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.

Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.

Name: Rick Wesson

Bio: Rick Wesson is the CEO of Support Intelligence. He is also a farmer, teaches at risk youth how to code, eat well and feed their families. He has served as the VP of the Santa Cruz Credit Union while fostering Financial Literacy. Today, Mr. Wesson spends his time writing code, moving rocks, and making things for his 7 acre organic farm in the East Bay.

Title: GPU assisted fast static analysis

Synopsis: Fast static analysis leveraging GPUs. In debugging our kernels we learned how to make movies out of compiled and encrypted code, which is visually stimulating. We discuss clustering 100 million malware samples and provide a path to scalable static analysis at the 10 millisecond per sample range.

Name: Scott Erven

Bio: Scott is an Associate Director at Protiviti. He has over 15 years of information security and information technology experience with subject matter expertise in medical device and healthcare security. Scott has consulted with the Dept. of Homeland Security, FDA, and advised national policymakers. His research on medical device security has been featured in Wired and numerous media outlets worldwide. He has presented his research and expertise in the field internationally. Scott also served as a subject matter expert and exam writer for numerous industry certifications. His current focus is on research that affects human life and public safety issues inside today's healthcare landscape.

Title: Medical Devices: Passwords to Pwnage

Synopsis: Last year I presented at Shakacon on how medical device security is significantly lagging behind other industries, and also demonstrated thousands of healthcare organizations had Internet facing exposures allowing direct attack vectors to medical devices. Well just how hard is it to take it to the next step in an attack and gain administrative access to these critical life saving devices?

I will discuss and publicly disclose over 20 CVE's I have reported that will demonstrate how an attacker can gain remote administrative access to medical devices and supporting systems. No 1337 haxor skills needed here. Over 100 service and support credentials for medical devices will be released. I will also focus on the positive response and coordination with DHS/ICS-CERT, FDA and the device manufacturers. In addition, I will discuss recent research on application security and design failures in medical devices that allow for compromise of healthcare organizations' internal networks.

Name: Sean Metcalf

Bio: Sean Metcalf is the Chief Technology Officer at DAn Solutions, a company that provides Microsoft platform engineering and security enterprise. Mr. Metcalf is one of about 100 people in the world who holds the elite Microsoft Certified Master Directory Services (MCM) certification. Furthermore, he assisted Microsoft in developing the Microsoft Certified Master Directory Services certification program for Windows Server 2012.

Mr. Metcalf has provided Active Directory and security expertise to government, corporate, and educational entities since Active Directory was released. He currently provides security consulting services to customers with large Active Directory environments and regularly posts useful Active Directory security information on his blog, Follow him on Twitter @PyroTek3.

Title: Red vs. Blue: Modern Active Directory Attacks, Detection & Protection

Synopsis: While Kerberos "Golden Tickets" and "Silver Tickets" received a lot of press in the second half of 2014, there hasn't been much detail provided on how exactly they work, why they are successful, and how to mitigate them (other than: "don't get pwned"). Golden Tickets are the ultimate method for persistent, forever AD admin rights to a network since they are valid Kerberos tickets and can't be detected, right?

This talk covers the latest Active Directory attack vectors and describes how to detect Golden Ticket usage. Provided are key indicators that can detect Kerberos attacks on your network, including Golden tickets, Silver tickets & MS14-068 exploitation, as well as methods to identify, mitigate, and prevent common Active Directory attack vectors. When forged Kerberos tickets are used in AD, there are some interesting artifacts that can be identified. Yes, despite what you may have read on the internet, there are ways to detect Golden & Silver Ticket usage!

Some of the topics covered:

  • How attackers go from zero to (Domain) Admin
  • MS14-068: the vulnerability, the exploit, and the danger
  • "SPN Scanning" with PowerShell to identify potential targets without network scans (SQL, Exchange, FIM, webservers, etc.)
  • Exploiting weak service account passwords as a regular AD user
  • Mimikatz, the attacker's multi-tool
  • Using Silver Tickets for stealthy persistence that won’t be detected (until now)
  • Identifying forged Kerberos tickets (Golden & Silver Tickets) on your network
  • Detecting offensive PowerShell tools like Invoke-Mimikatz
  • Active Directory attack mitigation
Kerberos expertise is not required since the presentation covers how Active Directory leverages Kerberos for authentication identifying the areas useful for attack. Information presented is useful for both Red Team & Blue Team members as well as AD administrators.

Name: Zoltán Balázs

Bio: Zoltán (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he worked for 5 years in the financial industry as an IT Security expert, and for 2 years as a senior IT security consultant at one of the Big Four companies. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie browser tool, consisting of POC malicious browser extensions for Firefox, Chrome and Safari. He has been invited to present at information security conferences worldwide including DEFCON, Hacker Halted USA, OHM, Hacktivity, Ethical Hacking.

He is a proud member of the team, 2nd runner up at global Cyberlympics 2012 hacking competition.

Title: Hacking Highly Secured Enterprise Environments

Synopsis: In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.

I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!

Training Sessions

Training: Powershell for Penetration Testers

Trainer: Nikhil Mittal

Description: PowerShell has changed the way how Windows is used, secured and also the way Windows is owned. It is an automation platform for everybody; developers, defenders and attackers. PowerShell provides easy access to almost everything in a Windows machine and network. It comes installed by default in modern version of Windows. During a penetration test, it could be really helpful to use this powerful shell and scripting language for further attacks.

This training would help anyone who wants to know more about PowerShell from a security perspective. If you are a defender, you could learn how this attack vector can be used against a corporate environment. If you are a pen tester you would learn how to use PowerShell for pen testing in a windows environment. You will learn various techniques like privilege escalation, backdoors, keylogging, data exfiltration, dumping system secrets in plain, persistence, pivoting, in-memory code execution, using top sites as C&C, web shells, bots...the list goes on.

Learning how to use a target environment for your purpose is crucial in pen tests. Open source tools which help in achieving this would also be discussed including those written by the trainer. The training aims to bring PowerShell goodness to security professionals and includes hands-on in a lab environment and CTF like exercises. You would be able to write your own scripts for security testing after this training. This training aims to forever change how you pen test a Windows based environment.


  1. PowerShell Cheat Sheet, solutions to exercises, sample source code, updated tools and extra slides explaining things which could not be covered
  2. Attendees would learn a powerful attack method which could be applied from day one after the training
  3. The attendees would understand that it is not always required to use a third party tool or foreign code on the target machine for post exploitation
  4. The attendees would learn how PowerShell make things easier than previous scripting options like VB.

  • Introduction to PowerShell
  • Using ISE, help system, camlets and syntax of PowerShell
  • Writing simple PowerShell scripts
  • Functions, Objects, Pipeline, Jobs and Modules
  • Playing with the Windows Registry
  • .Net with PowerShell
  • COM with PowerShell
  • WMI with PowerShell
  • Recon, Information Gathering and the likes - Tools written/integrating in PowerShell
  • Vulnerability Scanning and Analysis - Tools written/integrated in PowerShell
  • Exploitation - Getting a foothold on a system
  • Writing shells in PowerShell
  • Post-Exploitation - What PowerShell is actually made for
  • Pivoting to other machines
  • Poshing the hazes
  • PowerShell with Human Interface Devices
  • Client Side Attacks with PowerShell
  • Achieving Persistence
  • Owning other MS products - SQL Server and AD
  • Attacking UNIX machines
  • Clearing Tracks
  • Quick System Audits with PowerShell
  • Detecting PowerShell attacks
  • Security controls available with PowerShell

  • Basic understanding of a programming or scripting language could be helpful but is not mandatory.
  • An open mind.
Bio: Nikhil Mittal is a hacker, infosec researcher, speaker and enthusiast. His area of interest includes penetration testing, attack research, defense strategies and post exploitation research. He has 5+ years of experience in Penetration Testing for his clients which include many global corporate giants.

He specializes in assessing security risks at secure environments which require novel attack vectors and "out of the box" approach. He has worked extensively on using Human Interface Device in Penetration Tests and PowerShell for post exploitation. He is created of Kautilya, a toolkit which makes it easy to use Teensy in penetration tests and Nishang, a post exploitation framework in PowerShell. In his spare time, Nikhil researches on new attack methodologies and updates his tools and frameworks.

Nikhil has held trainings and boot camps for various corporate (in US, Europe, SE Asia), for educational institutes like IITs and at the world's top information security conferences.

He has spoken at conferences like Defcon, BlackHat USA, BlackHat Europe, RSA China, Troopers, PHDays, BlackHat Abu Dhabi, Hackfest, ClubHack, EuSecWest and more.

Training: Automotive Exploitation Techniques

Trainer: Craig Smith

Description: Hands-on car hacking course. No previous knowledge of mechanics required. Course walks you through the layout of modern car systems, including Infotainment attacks, ECUs, CAN bus and other embedded system attacks. This class will go over vehicle methodologies that can be applied to any vehicle. Tools will be provided as well as working on a functional car test bench to practice attacks on. You will learn the skills to analyze a car's security and create attacks that can be weaponized into further exploits.

Students will receive a CAN bus sniffer and a copy of all course materials and software tools.


    Day 1
    • Course overview of scope
      • What is car hacking
      • Benefits / why hack cars
      • Focusing on remote and local attacks
      • Hands on to feel comfortable doing these hacks at home
    • Vehicle Attack Surface
      • Define what the attack surface is. Infotainment, IC, CANBus, TPMS, etc.
      • Intro to threat modeling
    • SocketCAN
      • Setting up virtual CAN devices
      • Getting the build environment ready for testing
      • Tool overview
    • Infotainment System overview
      • Connected to CAN
      • Bluetooth
      • WiFi
      • USB
      • CD
      • Map Updates
      • XM
    • Vehicle Communication Systems overview
      • OBD Connector
      • CAN
      • Overview of other Bus protocols: GMLAN, PWM, K-Line, Line
      • Ethernet
    • Diagnostic Communication
      • Overview of ISO-TP / UDS
      • Scan Tools and PIDs
      • DTCs and Military
      • Hands-on: Query and clear DTC codes
      • Pull VIN from ECU
    • Intro to CAN Bus
      • Packet Structure
      • CAN data is unique per make/model
      • Adding a GUI to SocketCAN
      • Overview of reversing methodologies
      • Hands-on ICSim
        • Reverse door unlock codes
        • Reverse Turn signals
        • Reverse Speedometer
    • Overview of Engine Control Units
      • The "brains" of a car
      • How to build an ECU test bench
      • ECU Wiring diagrams
      • Test Bench setup, simulating engine signals via HW
    • Open Garages
      • Overview of Open Garages
      • How to find or start your own Open Garages
      • Final bonus hands on: SuperTuxKart hacking
    Day 2
    • How to weaponized CAN findings
      • Botnet video demo
      • Determine Host
        • ISO-TP UDS Queries
        • Passive monitoring
    • Writing assembler to make any payload usable in shellcode
      • Quick Intro to assembler for the target arch
      • Assembler code to trigger a one-time CAN pocket
      • Cleanup code to eliminate NULLs
      • Assembler code to send a constant CAN signal
      • Busybox demo
    • Immobilizer hacking and “hotwiring”
      • Intro to immobilizer tech
      • Crypto attacks
      • Current trends in attacking keyless entry systems
      • Methods to start a vehicle without a key
Bio: Craig Smith is the founder of Open Garages and the author of the Car Hacker’s Handbook. Craig has performed security work with the auto-industry and published independent work for 6 years. He has worked in the security industry for over 15 years and currently runs his own independent security research company, Theia Labs.

Training: Penetration Testing with the Pi

Trainer: Bob Monroe

Description: This workshop will use the tiny, portable Raspberry Pi to cover many of the steps of an OSSTMM penetration test. The steps will be illustrated using different Pi functionality — starting with building out your own Pi for your testing needs and taking it right through exploitation analysis. Everything you learn will be wrapped up by challenges we prepared for you — including several real-world system that have to be hacked. If you want to take a deep dive into this new dimension of computing, this workshop will fit your needs!

Each registered student will get a Raspberry Pi 2 (or B+ depending on availability), a touch screen display, a portable keyboard with built in touchpad and a red laser pointer, a battery pack, and the microSD card with software pre-installed. And you will put it together yourself. So roll up your mental sleeves and bring your data work gloves because this 2-day class will have you going in hard.


  • Raspberry Pi construction and architecture, with focus on security usability and portability
  • Developing, documenting, and testing networks using the OSSTMM testing framework.
  • Reuse of RPi and software architectures for security testing, auditing and forensics.
  • Developing customized tool sets for the RPi based on user needs and future scalability.
These concepts and principles will enable you to construct reusable, extensible, efficient, and maintainable Raspberry Pi security testing systems.

You'll learn techniques to build good role models for structuring your own designs, as well as to clearly articulate the tradeoffs of alternative methods for designing your customized testing systems. OSSTMM testing techniques will show you how to build highly effective security testing software platforms and hardware architectures based on microcomputers. Example uses will include vehicle tracking, WiFi network security analysis, and Man in the Middle attacks with the RPi.

You are expected to be familiar with Linux . Guidance will be available.

Bio: Bob has been working as a writer, researcher, and trainer for ISECOM since May 2012. He maintains updates for our OSSTMM Professional Security Tester certification materials and creates video-based security training with the Raspberry Pi device. He is one of the primary writers for Hacker Highschool, which is an ISECOM project aimed to teaching teens about security awareness and the profession. Bob's specialty is public teaching and security awareness training. Along with work for the U.S. Army, he has provided security classes for the VA, Military District of Washington, Commandant of the Marine Corp and staff, as well as countless others across the world. He holds a U.S. Patent for airport security automation technology that combines radar and thermal imaging to protect aircraft movement areas and the surrounding airspace. With well over two decades of experience in cyber security, Bob is always learning something new. His current projects include using microcomputers as a security and forensic tool, reviewing technology books for Microsoft Press, Cisco, VMware and Person, and working with eForensic , Hackin9 and Pen Test magazines as a writer and video presenter.

Bob is a retired US Army Ranger Officer living in Mililani, HI.





Subscribe to our mailing list

* indicates required

Watch, Add, Like, Follow Us!