My first DEFCON

Troy Mursch
Aug 16, 2018

DEFCON 26 was the first conference of any kind that I’ve attended. I wasn’t able to attend the conference last year as I was having major arthroscopic surgery at the time. I had lost all major functions of my right arm due to a freak accident I suffered earlier in 2017 that resulted in frequent and painful dislocations. Through vigorous physical therapy since surgery, I’ve been able to regain all functions of my right arm. While the recovery and rehabilitation process went very well, it was financially draining and unfortunately led to my life savings being exhausted. Nonetheless, I haven’t let physical and financial pain deter me from my security research.

A friend of mine offered to pay for a ticket to DEFCON and I gladly accepted. I was eager to attend and expand my knowledge base and meet other researchers interested in collaborating on my favorite topics such as tracking cryptojacking incidents and monitoring Mirai-like botnets. Perhaps I might meet those who inspire my work, such as Ronald F. Guilmette, Mikko Hypponen, and Brian Krebs! Unfortunately not all these lofty aspirations came true. Still, my time at DEFCON was well spent meeting new people with interesting ideas and the talks presented at the Packet Hacking Village particularly piqued my interest.

DAY ONE

Arriving Thursday morning, I joined the massive crowd heading up the escalator to the conference area at Caesars Palace. I had seen posts on Twitter about “linecon” but this was not the case. I was quickly ushered to the area to purchase my badge with no waiting time. However, I was given a warning to install the batteries in my badge correctly as there were reports of overheating and explosions. Taking heed, I ensured the four AA batteries were installed correctly and the badge came to life with blinking LEDs.

Hitting the convention floor, I quickly found most of the villages and other designated areas were not yet open. Asking a passerby in the hallway, I learned the first day of DEFCON is largely for setting up and preparation. Taking advantage of the time to familiarize myself with the location of each village, I continued to wander around the venue for a few hours. The convention space at Caesars Palace is massive and I was astounded at the sheer size of the facility.

As the fatigue began to set in from traversing the enormous space, I received an email from a reporter asking follow-up questions regarding the recent cryptojacking campaign targeting nearly a quarter million MikroTik routers. Luckily I had been lugging around my laptop and quickly turned on my phone’s hotspot feature to get online. Warnings were shared of the risk of connecting to the WiFi, which is inherent to connecting to any open wireless network. Connecting to one at a “hacker convention” only seemed to exacerbate that risk.

Exiting the convention area in search of food, I stumbled across a member of Federal Law Enforcement I’d met with weeks earlier regarding an ongoing case. They were surprised to hear I was attending my first DEFCON given that I had lived in Las Vegas for 16 years. I advised I was looking to expand my horizons since I was still relatively new to the security field. They also echoed the badge battery issue, which led me to make some modifications after I got home later in the evening. In retrospect, it might not have been the best idea to surprise a member of law enforcement at DEFCON given it’s a time they work overtime monitoring criminals of the “cyber” variety.

Upon returning home, I began to work on the modifications to my badge. The enclosure holding the four AA batteries was easy to remove after I carefully cut the wires connecting to the terminals. Once this was done, I was able to adhere a USB power bank to the back of the badge and power it via the USB micro connector. This actually reduced the weight of the badge (yes, I weighed it) and provided a readily available power source to charge my phone.

DAY TWO

Feeling more knowledgeable of the conference layout, I placed the upgraded badge around my neck and I headed to the Packet Hacking Village. I immediately knew I was in the right place when I heard village team member and Senior Lecturer at Tufts University, Ming Chow, share a story about Coinhive and how a student injected it on his computer.

The talk by Pedro Fortuna titled, “Protecting Crypto Exchanges From a New Wave of Man-in-the-Browser Attacks” started shortly after my arrival. I found this presentation particularly interesting as I’ve been closely following cryptocurrency-related cybercrime.

There’s work to be done to properly secure these cryptocurrency exchange/wallet services.

Pedro’s findings revealed glaring security holes and poor practices among popular cryptocurrency exchanges/wallet services. Hopefully his recommendations will be implemented soon for the sake of everyone buying/trading/hoarding cryptocurrency.

Afterward, I stayed for two more presentations, “Freedom of Information: Hacking the Human Black Box” and “Car Infotainment Hacking Methodology and Attack Surface Scenarios.” The first presentation discussed how the FOIA can be used to gather OSINT data, sometimes “too much” as government agencies failed to redact the appropriate information. The latter demonstrated the many ways car entertainment systems are vulnerable and easily exploitable.

I quickly proceeded to the Vote Hacking Village and arrived just in time for David Sanger’s keynote presentation. The entire presentation was recorded live by a dedicated volunteer standing on a chair and is available here. David’s talk highlighted the dire need to improve the United States’ cybersecurity policies especially regarding our voting and election systems. This seemed appropriate given children as young as 11 years old managed to hack voting machines at DEFCON this year.

DAY THREE

On the third day of DEFCON I returned to my favorite spot, the Packet Hacking Village. My presence didn’t go unnoticed this time as Ming asked the entire room, “Is there a bad packets here?” and I grinned as I waved my hand. After the first presentation concluded, Ming brought me two t-shirts and thanked me for my work. This was an incredibly humbling experience that I really appreciated.

An interesting question to ask any Facebook user.

Halfway through the remaining talks, there was a pause as the speaker was a no-show. Per Ming, this was the first time in six years that a speaker was missing in action. All hope was not lost, however, as an anonymous CISO took the stage for a “sky talk” and began a Q&A session with the audience. I wasn’t familiar with the “sky talk” term until I asked my friend and frequent DEFCON attendee, Dr. Neal Krawetz, for an explanation. He stated it was done by people who wanted to speak but either didn’t submit or were not accepted. It’s called a sky talk because it used to be held on something like the 20th floor or elsewhere “above” the venue.

The anonymous CISO, being a woman in a male dominated industry, detailed the challenges she faced in her role. I certainly could see the lack of diversity at DEFCON as the vast majority attending, presenting, and selling “swag” were men. She also mentioned the disappointment of long-time attendees of hearing the same type of presentations each year. Instead, she came to look for the new perspective from the next generation. Considering the constantly evolving world of security vulnerabilities, I couldn’t help but agree.

One of the most anticipated talks I was looking forward to, “IoT Data Exfiltration,” was at the end of the day. Mike Raggo and Chet Hosmer’s presentation painted an eye-opening picture of the data exfiltration vulnerabilities that exist in modern IoT devices. Another point highlighted was the constant connections many of these devices have to unknown servers in other countries. This was similar to the case I documented last year with my IP cameras, which was soon corrected after I worked directly with the manufacturer.

At the conclusion of the Packet Hacking Village talks, I was approached by one of my Twitter followers, d3m0sth3n3s. Earlier in the day, she helped me identify malware targeting IoT devices. It was refreshing to meet someone with far more knowledge on the subject who was willing to share her findings and collaborate with me.

My DEFCON adventure came to a close in the evening after meeting with a mutual friend in the hallway. I hurried home as an ominous haboob was rolling in and lightning strikes started to illuminate the Las Vegas Strip.

FINAL THOUGHTS

My first DEFCON was an interesting experience from beginning to end. I found a unique atmosphere full of exciting energy. While I had hoped for more networking with other security researchers with similar interests, I was grateful for the ones I met. The topics presented at the Packet Hacking Village have inspired me to continue researching the security issues we face in the ever-growing world of IoT devices.
