This information is from a previous year. Please visit shellcon.io for up to date information.

Talks
  • Track A & B: Friday 0900-0950

In ShellCon 101 I will explain industry terminology and discuss key aspects of the conference. I am a 17 year old who has been volunteering for ShellCon since the beginning and I want to help newcomers get the most out of the conference and have the full experience. Last year I knew the keynote was really funny but the vocabulary went right over my head. I will go into detail about the Hacker Village, RaiseMe, talks, the layout of the conference, and things to do in downtown San Pedro.

Read More

Sara is a high school ShellCon volunteer. She has been volunteering for ShellCon since the very beginning and has loved every moment of it.


Read More
  • Track A: Friday 1000-1050
  • Slides

As a security practitioner, the trend of Agile and DevSecOps is coming. Whether developers or management are pushing for it, you should be prepared. DevSecOps sets security as a metric of success for developers and encourages security to be a consideration continually through a project lifecycle. This is a vast improvement to the usual methods of taking security into consideration only at the end, in the beginning, or avoiding talking to security at all. You should be seizing the opportunity to leverage the movement to your advantage. I want to arm you with ideas on education, resources, tools, and practices to do DevSecOps well from a Security department standpoint.

Read More

Nicole Schwartz is a Product Manager for the GitLab Secure team. In her career, she has been in Product, System Administration, and Agile coaching. Before her career ever started she...
Read More

Red Team operations require substantial efforts to both create implants and a resilient C2 infrastructure. SiestaTime aims to merge these ideas into a tool with an easy-to-use GUI, which facilitates implant and infrastructure automation alongside its actors reporting.

SiestaTime allows operators to provide registrar, SaaS and VPS credentials in order to deploy a resilient and ready to use Red Team infrastructure. The generated implants will blend-in as legitimate traffic by communicating to the infrastructure using SaaS channels and/or common network methods.

Use your VPS/Domains battery to deploy staging servers and inject your favorite shellcode for interactive sessions, clone sites and hide your implants ready to be downloaded, deploy more redirectors if needed. All this jobs/interactions will be saved and reported to help the team members with documentation process.

SiestaTime is built entirely in Golang, with the ability to generate Implants for multiple platforms, interact with different OS resources, and perform... Read More

Rebujacker works as a Product Security Engineer for a fortune 500 bay area company. He has multiple years of experience performing penetration tests, security assessments, design evaluations… against different technologies....
Read More

  • Track A: Friday 1100-1150

2019 is a hell of a year. Why not make it worse by coming and hearing from one of the world’s foremost experts on mainframe hacking? ‘Hmm’, you’re thinking, ‘mainframes who cares?’ If you’re using any type of credit card (yes even Apple Pay) you care. It is the most important piece of equipment in any enterprise. So how come you still think they’re unhackable?. This talk will go over SNA hacking, VTAM, TSO, CICS, privesc, REXX, and CLISTs, walking through the various techniques successfully used on pentests. Introducing new tools to help conduct penetration tests. You will see how easy it is to get started with mainframe hacking and all the tools currently available today.

Airplane hacks can ground one flight, mainframe hacking can ground the fleet.

Read More

Philip Young, aka Soldier of FORTRAN, is a leading expert in all things mainframe hacking. Having spoken and taught at conferences around the world, including DEFCON, RSA, BlackHat and keynoting...
Read More

Developers often do not know what the common issues are with the framework they are using. At the same time, most common frameworks ship with easy ways to shoot your application’s security in the foot. In this world we live in, developer education will fail if even one mistake is made, which will expose a dangerous vulnerability. In this talk, we’ll show how you can dramatically reduce the chance developers will shoot themselves in the foot by giving them safer versions of their common tools so your company can ship more secure code. We will write wrapper classes and safe versions of common tools to eliminate XSS vectors, open redirects, XXE, SSRF, LFI, and other dangerous bugs in your codebase.

Read More

Morgan Roman works on the application security team at DocuSign. He started his career writing integration tests for web applications and APIs as a software development engineer in test. He...
Read More

  • Track A: Friday 1400-1450

MacOS is a popular operating system across Startups and Fortune 500 companies. Few commercial tools exist that provide proper event visibility in MacOS. Often, these tools are expensive and some lack important monitoring features. However, open source offers a great selection of tools that can be deployed to kick start a MacOS Threat Hunting Program. In this talk, I will simplify threat hunting, select a few open source tools, and guide the audience on a methodology to hunt for threats in MacOS.

Read More

Plug started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually lead him to his first LA2600 meeting in 1998. From that point...
Read More

Art began his journey with security during the BBS days. Professionally, Art has been involved with numerous aspects of cyber security over his career (from Red to Blue and in...
Read More

  • Track B: Friday 1400-1450
  • Video

Every day we hear about weak security of IoT devices, about vendors that don’t take security seriously and how using and not changing default passwords could lead to a leak of important and personal data. GPS trackers made with a default password and predictable serial numbers allow full control of the tracker and leak the user’s position. Due to heavy white labeling and use of the same cloud infrastructure the scale of the problem is huge. I’m going to show and discuss where the weaknesses are, what models and APIs are affected and how they can be exploited. Live demo included. The talk is by itself also a comprehensive guide on analyzing IoT device security, spanning from Android app to HW.

Read More

Currently security researcher at Avast. I lead research across various disciplines such as dynamic binary translation, hardware-assisted virtualization, IoT, firmware vulnerabilities and malware analysis. I’m devoted to technology and I’m...
Read More

  • Track A: Friday 1500-1550
  • Video

PErfidious is a Python3 tool that aims to directly take a benign PE executable and malicious shellcode, transform the malicious shellcode and inject the transformed shellcode directly into various parts of the executable’s .text section, thus completely avoiding the need to look for code-caves or creating additional sections. After injection, PErfidious recalculates the size of the .text section and all the virtual address changes caused by the increase in the size of the .text section and modifies respective fields in the PE header, thus making sure that the PE file doesn’t look injected.

Read More

Shreyans is a Cybersecurity Graduate Student at the University of Maryland and has previously worked as a Malware Research Intern at Cybrary Inc. Here he created PErfidious and researched other...
Read More

  • Track B: Friday 1500-1550
  • Video

Competitions are everywhere in cyber security, but have you ever wondered what it takes to create one? This talk covers the challenges of creating an exciting competition that helps people develop skills and covers the challenges faced in building infrastructure to support competitions. We will primarily be covering CCDC competitions (Collegiate Cyber Defense Competitions) but we will also cover capture the flag competitions through the lens of a competition organizer and the challenges faced. If you are interested in competing in or want to help put together an competition, this talk is for you.

Read More

Wasabi is a security researcher who dabbles in the arts of system administration. He participated in CCDC, CPTC, and many CTFs as a competitor before starting to help organize cyber...
Read More

Bluescreenofwin is a Windows System Administrator and Windows hacker. He is currently employed as a Security Analyst and when he is not drowning in logs he can be found brewing...
Read More

  • Track A: Friday 1600-1650
  • Video

Software developers are the foundation of any application. In order to achieve secure software, developers must be supported and helped by the organization they author code for. As software developers author code that makes up a web application, they need to embrace and practice a wide variety of secure coding techniques. The OWASP Top Ten Proactive Controls (2018) is an OWASP documentation project that lists critical security techniques that should be included in every software development project. This document was written by developers for developers to assist those new to secure development.

Read More

Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for KSOC, Nucleus Security, Signal Sciences...
Read More

  • Track B: Friday 1600-1650
  • Video

Since the 2014 Sony Pictures hack, studios and post production houses all over Hollywood have been the target of attacks. In 2017, a hacker targeted and successfully compromised Larson Studios, a family-owned post-production house, exfiltrating “Orange is the New Black” Season 5. The attacker demanded ransom to keep the content from being uploaded to The Pirate Bay.

This talk will give a behind the scenes view of the film making process from a content security and blue team defensive perspective. Learn the digital workflow that goes into making the blockbuster films you love and where the industry is vulnerable to attack. Hear campfire stories from one of 30 MPAA Certified Trusted Partner Network Assessors worldwide.

Read More

Michael Wylie, MBA, CISSP is the Director of Cybersecurity Services at Richey May Technology Solutions. In his role, Michael is responsible for delivering information assurance by means of vulnerability assessments,...
Read More

  • Track A & B: Saturday 0900-0950
  • Video

This talk will go over a new tool I’m releasing, NAT Pinning v2. NAT Pinning allows an attacker to remotely access any TCP/UDP services bound on a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website. It uses multiple techniques to be cross-platform, cross-browser, and multi-protocol. Some areas we’ll cover:

  • NAT (Network Address Translation)
  • Router Investigation
  • Firmware Dumping
  • Reverse Engineering Firmware
  • Network Protocol Investigation
  • Browser Protocols
  • Timing Attacks
Read More

Samy Kamkar is an independent security researcher, sometimes known for creating The MySpace Worm, one of the fastest spreading viruses of all time. His open source software, hardware, and research...
Read More

  • Track A: Saturday 1030-1120

Xamarin allows developers to create mobile applications for both iOS and Android using C#. The managed code is compiled into the app and later executed by the mono runtime once started. Hooking the C# methods can be challenging, especially early in the start process when trying to bypass root or jailbreak detection. This talk will demonstrate a methodology that can be used for early C# method hooking of Xamarin release builds on both iOS and Android.

Read More

Roadfork is a senior application security consultant with a background in electronics. Having assumed multiple roles throughout his professional career, Roadfork has over 15 years experience with network security, web...
Read More

We all know that encryption is a critical component to modern security, but it’s not enough to sprinkle encryption on you data as if it’s magic pixie dust. Sometimes we take the finer points for granted. In this talk we’ll cover the history of encryption in broad strokes. Then we’ll dig into some basic concepts: What’s the difference between encrypting and encoding data, or is the difference only semantics? Can obfuscation be considered a type of encryption? What’s the difference between transposition and substitution ciphers? Between stream and block ciphers? What’s a cipher?!? Is TLS/SSL symmetric or asymmetric? (hint: it’s both). We’ll conclude with some practical discussion, such as what can I use in my project?

Read More

Nerd who lives, works, and plays in southern California. Developer by day, armchair infosec enthusiast by night.


Read More
  • Track A: Saturday 1130-1220

With how many apps are running in the cloud, hacking these instances becomes easier with a simple vulnerability due to an unsanitized user input. In this talk, we’ll discuss a number of different methods that helped us exfil data from different applications using Server-Side Request Forgery (SSRF). Using these methods, we were able to hack some of the major transportation, hospitality, and social media companies and make $50,000 in rewards in 3 months.

Read More

Ben is the Head of Hacker Operations at HackerOne by day, and a hacker by night. He has helped identify and exploit over 600 security vulnerabilities across 100s of web...
Read More

  • Track B: Saturday 1130-1220
  • Video

Application security reviews are big part of Application Security Programs. It’s an important topic for all organizations, especially for those with externally facing websites or/and APIs. I perform security reviews of 3rd party software we use and custom built applications. In this talk I will focus on an organization’s custom built application security review.

Read More

Nia has 20 years of experience in the IT and Security field. Nia is a GIAC Certified Forensic Examiner, GIAC Certified Web Application Penetration Tester, certified Splunk Architect, and certified...
Read More

  • Track A: Saturday 1400-1450

As users move to the world of Mobile Apps, it becomes important to understand the security and privacy risks around Mobile Apps. This session will delve into security and privacy issues like secure mobile app development, third party SDK security, cryptographic storage, IP protection among others.

Read More

Anshu Gupta is a senior level security executive who has Fortune 500 security consulting experience at Ernst & Young and KPMG where he worked at companies like Microsoft, Salesforce, Oracle,...
Read More

  • Track B: Saturday 1400-1450
  • Video

Remediation is a crucial step when recovering from an incident. Proactively implementing security controls and hardening an environment doesn’t need to wait until AFTER an incident has occurred. The presenter will detail common remediation strategies that are used when responding to breaches, in addition to risk-reduction methods that align to proactively applying a remediation strategy.

Read More

Nader Zaveri has over 12 years of experience in IT security, infrastructure and risk management.

Nader has also spent several years with major consulting firms where he has led and...
Read More

Many companies use commercial static analysis tools (SAST) to find bugs, but these SAST tools tend to be expensive, have high false positive rates, and are difficult to customize. “Lightweight” static analysis tools hit a sweet spot that is more powerful than grep but still simple enough that you can write your own.

In this talk, we’ll describe how to create your own lightweight static analysis scripts using open source libraries and tools. These techniques can be used by penetration testers to more effectively find bugs and/or integrated into CI/CD checks by security engineers to raise the security bar of the applications they support.

Read More

Clint Gibler is a Research Director at NCC Group, a global information assurance specialist providing organizations with security consulting services. He’s helped companies implement security automation and DevSecOps best practices...
Read More

Daniel is a Ph.D. candidate at the University of California, Davis. His research focuses on developing scalable static analysis techniques to find error-handling defects in systems software. He has designed...
Read More

On the ground (e.g. during Non-Technical OS-INT), many unforseen small conflicts may arise. The ability to think on your feet paired with an ability to read people’s basic statistical probabilities and a sense of charisma can make the difference between exiting the conflict unscathed and tanking the excursion.

The ability to follow the same basic skeleton of social engineering procedures helps shape one’s ability to assess a conflict, identify goals, assess resources available based on general statistical knowledge, plan, and launch an attack that will neutralize the conflict while protecting the asset/target/bystander.

Discusses basic tenets of certain aspects of psychology, sociology, anthropology, etc., to pull together strategies to assess, formulate, and launch on the fly as the situation demands.

Also makes fun time-killer when out on the town.

Read More

Adrigon “Rig” Moroi is a social worker and educator who enjoys recoding people in her spare time. Beyond her B.A. in Linguistics and Psychology (Human Development) and her M.A.Ed. in...
Read More


© 2019 ShellCon