I spent most of Thursday and all of Friday on what must be the polar opposite of BlackHat/Mandalay Bay, way over at the Rio for the one and only: Defcon.
Wrapping up at Black Hat
Thursday morning, Jay Radcliffe hosted a session called "Medical Devices Roundtable: Is there a Doctor in the house? Security and privacy in the Medical World." There was a real sense of urgency from every point that audience members raised -- in many ways it seems we're only just scratching the surface of the implications of increasingly-connected and communicative medical devices. So many medical devices, especially implantables, bring substantial quality-of-life benefits to their wearers, but what was clear from the roundtable was that the medical community speaks a very different language from infosec. Security often just isn't on the radar at all for the manufacturers, the pharmaceutical regulators, or even the medical professionals that work with them. For example, many of these crucial devices phone home with loads of valuable historical medical information to monitor trends or alert to issues, but how many of these device manufacturers are concerned about data retention -- who has access to it, does it expire, how is it secured from those that might want to tamper with it?
Jay also brought up the concept of hacking the implantables themselves, e.g. pacemaker failure -- if you had a pacemaker that someone tampered with wirelessly, and it killed you, a coroner would rule your death a heart attack; no one would even know to check your pacemaker (and would they have the expertise to find anything?) -- there's no process in place right now that checks these implanted medical devices for failure or malicious activity. We're going to hear a lot more about these issues in the coming years at infosec conferences around the world (I noticed Defcon will be introducing a village on Biohacking soon), so really, stay tuned.
This was my first Defcon, though I've wanted to attend for many years now, probably since back in my college days when I was just a basic compsci student. I remember friends would scrounge up the cash to fly out to Vegas over the summer break and return with some amazing stories. And some warnings too, of course. I didn't have my laptop on or my phone's Wifi enabled the entire time I was there, as I didn't want to end up on the Wall of Sheep (or worse, having to wipe and re-image my phone and laptops), so aside from some spare Tweets here or there, I was radio-silent while at Defcon.
For a n00b, Defcon was a bit of a sensory overload. First there are the crowds and the very long lines (#LineCon), but what I really enjoyed was the no-holds-barred celebration of bending the rules just-so, and breaking things to find out how they work, that slight mischievousness that pervades every part of Defcon.
The main draw at Defcon is the socializing, but a close second for me was the more interactive side of Defcon, which is the Villages, basically themed rooms scattered around the con. Amongst the many villages, there was the Packet Hacking Village (name says it all -- packet sniffing and the Wall of Sheep, aka those who are silly enough to forget to turn off their phone Wifi at a hacker convention are named and shamed!), the Privacy Village, the Lockpick Village (old-school hacking!), the Hardware Hacking Village (for those that love their soldering irons and flux), and my absolute favorite, the Social Engineering Village.
I probably could have spent all day in the Social Engineering Village alone. We all know that humans are the weakest link in security, and this Village is devoted to demonstrating that principle to jaw-dropping effect. Anyone who's a bit of a student of human psychology would get a kick out of this room -- you listen to social engineers make live calls to employees at Very Big Companies. These social engineers are competing in a capture the flag competition, where they have to get the employee on the other end (who has no idea what's going on, of course) to divulge sensitive information that could be easily used by someone with malicious intent to do, well, bad stuff. Each type of information the social engineer extracts is a flag they've captured. Pretty simple.
You'd think these social engineers might have to employ incredible trickery to get people to divulge what kind of security their company uses, for example, but usually all they had to do was simply ask under the guise of "it's a survey for corporate." You could hear the hesitation in the employee's voice that maybe, just maybe, there was something a little off about the questions they were being asked, but most people just want to be helpful -- and in fact, sometimes the unknowing victim would oh-so-helpfully divulge sensitive information the social engineer hadn't even asked for! (Those of us in the room would cringe and gasp when this happened.) On the flipside, sometimes the social engineer would encounter an employee who clearly had some security awareness training and would very quickly end the call, to which all of us in the room would cheer and applaud -- clearly someone had paid attention! Perhaps not all is lost!
The only day I was able to attend talks was Friday, and admittedly I didn't get to attend nearly as many as I'd have liked to. The first talk I went to was "Stolen Data Markets: An Economic and Organizational Assessment," by Dr. Thomas Holt, Olga Smirnova, & Yi-Ting Chua -- incredibly well-researched and with a lot of concrete insights. This team challenged a number of assumptions I had about the profitability of credential selling in the black market, as well as how the entire black market for credentials works. For one thing, I had assumed cryptocurrency was a popular option, but it turns out most criminals still prefer more traditional currencies (USD, cold hard cash!). One depressing stat I walked away with was that US, UK and Canadian credentials are significantly cheaper on the black market, mainly because the market is FLOODED with credentials from these countries thanks to the many data breaches we've had recently, driving prices down.
"Saving Cyberspace by Reinventing File Sharing" by Eijah was an interesting treatise on the state of file-sharing: where we've been, where we're going, and what our rights are. A bit of this session was a promotion for his new service called DemonSaw, which he says will allow people to securely and anonymously fileshare. My interest is piqued, though I'll want to give it a try myself before calling a verdict on this one.
"Acquire current user hashes without admin privileges" by Anton Sapozhnikov was mainly a proof-of-concept talk of this new technique which, no surprise here, still starts when a user's creds are compromised via phishing or social engineering. I'll post a link to the POC when it's online (me trying to summarize Anton's research would be an insult to his work). It's Windows flaws all the way down.
The last panel of the day I attended was the "Diversity in Infosec" panel, mainly to hear what people would have to say. I've always thought infosec is a bit further ahead than many other fields on this front, given that this is very much a "show your work" kind of world, and a lot of the panelists said as much as well. But what was interesting in the whole diversity discussion was that it didn't just focus on more typical gender/race/orientation issues, but actually the growing differences between old-school hackers and the increasing commercialization of infosec and hacker culture. I feel if anything this is where the biggest split might be over time, especially as infosec matures in the corporate world.
Some of the best conversations I had all week were at the Taxi Panel at LineCon, aka waiting in the incredibly long taxi lines at the Rio (where Defcon was this year). It was definitely a bummer that many, many of the talks I wanted to attend filled far beyond capacity with no prayer of getting in. From what I heard, this was a pretty classic Defcon experience. Moving to Paris and Bally's next year should hopefully solve this problem.
As folks who follow me on Twitter probably know (sorry), my Defcon badge bit the dust not long after I got it. Why the heck does this matter? Well, having a Defcon badge is something of a point of geek pride -- I mean, it blinks and looks awesome for one thing, but it also has an IR transmitter/receiver on it, and by virtue of this being the badge to a hacker convention, it is HIGHLY customizable. I couldn't wait to start working on my badge to see what I could do with it, but then... it died. It took a bit of time in the Hardware Hacking Village to figure out exactly what went wrong -- my voltage regulator had failed, thus I was without a blinky badge. Very very long (boring) story short, Jay Radcliffe took pity on me and volunteered to swap his badge with me -- thank you Jay!
(The badge is also a key component of the elaborate crypto puzzle; bits and pieces of it are distributed throughout the con ephemera. Next year I will definitely pay more attention to this challenge; it looked like a hell of a lot of fun to crack, though incredibly challenging.)
One and a half days is not enough for Defcon. I will absolutely be back next year for the full four days of Defcon23.
Were you in Vegas last week for Hacker Summer Camp? I'd like to hear what you thought -- did you have a favorite convention, was there an event or talk that stood out? (Was McAfee a spectacle or did he bring up salient points, or both?) What would make the experience better? Let me know!
(And as always, you can find me on Twitter: @mvarmazis)