My 8 takeaways from Defcon 25

Ann K. Hoang
Published in The Cabin Coder
7 min read · Aug 7, 2017

From July 27th to July 30th, I was at Defcon 25. Here are my top 8 takeaways.

1. Resistance is futile: The evolution of bots has reached Borg-level complexity.

Most people know bots are useful for automated tasks like answering pre-sales questions on a business website or, as we saw in the last election, amplifying a political message on social media forums and chat platforms. Bots have evolved from crude automation tools into conversational agents that may sometimes pass the Turing test. Malicious attackers, however, have a different agenda for bots, and that ongoing evolution has opened a Pandora's box.

We are approaching fourth-generation bots. Bots are now used in browser-based exploits and to automate social media accounts.

Researcher Inbar Raz, in his presentation Do Tinder Bots Dream of Electric Toys?, breaks down the different generations of bots.

Before, users asked this question: Is the person I am talking to online really a person, or a bot?

Now users also need to ask: Is that Facebook message really from my friend, or was her account compromised? Does the message carry a hidden exploit? Is h0tGirl2385 really a person on Tinder, or just another bot?¹

Raz talks about new dating app software-as-a-service plans that use bots to auto-generate user profiles. This is truly a sad day for humanity, or at least for lonely bachelors and bachelorettes.

The question is getting harder to answer. Sure, the bots eliciting your reaction will fail the Turing test, but passing it may no longer be the goal. Just getting you to click that email or Facebook message in a pop-up window is enough to turn you into a host that distributes the next wave of the attack, all without your authorization.²

Tomer Cohen explains how bots are used to automate a malicious distributed attack using Wix, Facebook, and a Chrome extension.

Raz's example is the automation of dating profiles. Extrapolate, though, and every social media platform with user accounts is fair game. The same lessons can be applied to more sinister targets, such as news media accounts (WaPo, NYT, YouTube), with huge implications for messaging and for shaping the political landscape, particularly where state-funded server farms run bots as a tool of mass disinformation.⁴

2. All 30 voting machines were p0wned.

This is the first year the Voting Machine Village opened at Defcon 25. In two minutes, a researcher found a network vulnerability and gained remote access to a WINVote machine.³ To be fair, the task was known beforehand to be on the lower end of the technical spectrum. I mean, for gawd's sake, the OS on these machines is Windows XP!

The point really was to get the Feds and the public to take voting machine security more seriously. I honestly think it was just for PR, but the Voting Machine Village is in its infancy. Wait for the next couple of years. "U.S. voter registration database hacked" are words we never want to read in the news. Hacking a centralized tally server is a much harder task, since the votes from these machines are not sent over a network; the data is physically transferred.

You've got to admit, listening to Rick Astley's "Never Gonna Give You Up" on the WINVote was a great throwback Friday song.

And the ghost of Astley also cast his vote.

3. The only conference where you can learn about "DIYBioweapons" while also learning to defuse an explosive.

It's yin and yang, the id and the superego, or however else you want to look at it. No, I didn't get into the DIYBioweapons session; the line was too long. I have to admit, the thought makes me a bit nervous. Biohacking, for me, is making kombucha at the local hackerspace or growing a glow-in-the-dark plant.

4. Even a 17-year-old has the potential to break the system.

At one of the talks, a representative from NENA.org, the 9-1-1 association, presented how a 17-year-old iOS developer crashed 911 systems by exploiting a bug in Safari. Code posted below, and no, it will not work, since iOS patched the bug. The lesson here is to review the current state of our archaic 911 and intercom infrastructure. The 911 association was surprised that the attack was not a single-origin DDoS but came from many origins: every phone that loaded the page became a source of calls. The Desai kid planted a shortened link to the malicious code, using bit.ly, in the comment section of a YouTube music video. The attack snowballed almost out of sheer stupidity, since reputable artists clicked on the link and shared it on Twitter.

5. Don’t be afraid to try new things.

There are free workshops, or as Defcon calls them, "Villages," for every age and skill level to learn new skills. Learn how to analyze packets with Wireshark, pick locks, or do a bit of soldering to make your first badge. There is a dedicated village called r00tz Asylum, a safe and creative space for kids to learn white-hat hacking from leading security researchers.

6. Defcon, like the tech field, is a sausage fest.

Tech has a gender problem, and in the InfoSec field, a subset of tech, the gender disparity is even more noticeable. As a woman in tech, this can be intimidating, especially with examples such as Susan Fowler's reflections on navigating life as a female software engineer in Uber's frat-bro culture and the leaked anti-diversity Google memo, both of which reveal how inhospitable tech can be. And we all thought biological determinism was a thing of the past. All I need is some examples of intersex software engineers to debunk this essentialist idea. Furthermore, the idea of a biological basis for IQ and gender roles has been questioned extensively.⁵

The good news is, there are national organizations like Women in Security and Privacy (WISP) that provide mentorship and support. After talking to their rep at the vendor booth, I cannot wait to join the local chapter.

7. DefCon Beijing 2018 is now official.

Unlike its more corporate twin, the Black Hat conference, Defcon has limited itself to the United States. Jeff Moss, aka The Dark Tangent, officially announced at the Defcon closing ceremony that Defcon will follow the same track as Black Hat, which has international events, and branch out beyond the States. Moss has chosen Beijing, China, to host Defcon's first international location. This really surprises me, since I thought he would have selected a safer place like Scandinavia or even Latin America, given that Brazil also has a vibrant tech culture. Not to mention the logistical red tape of dealing with the Chinese government. However, China also has an explosive hacker culture. The question is whether these hackers are willing to show up in person to this event, and how Moss and the organizers can guarantee their anonymity.

8. Keep on exploring after DefCon 25.

The biggest takeaway for me is to continue learning more about security. I will return to my local community, join local meetups, and go to more workshops. Ultimately, the goal is to repackage what I learn in a more accessible way for all users: how to communicate the urgency and severity of our new infosec landscape to social workers, the non-profit sector, and even my 10-year-old cousin on his Instagram.

Sources:

  1. Do Tinder Bots Dream of Electric Toys?, by Inbar Raz. A video presentation on the same topic was given at another conference. Excellent presentation slides.
  2. Game of Chromes: Owning the Web with Zombie Chrome Extensions, by Tomer Cohen. Cohen explains how bots automate a malicious distributed attack using Wix and Facebook.
  3. To Fix Voting Machines, Hackers Tear Them Apart. Wired.
  4. Russian Bots and Where Are They Now. ThinkProgress.
  5. The Roots of Biological Determinism: The Mismeasure of Man, by Stephen Jay Gould. Journal of Biological Science.
  6. Complete archive of Defcon learning resources.

Senior Software Engineer. Born in Saigon. Raised in the Silicon Valley. Currently in Seattle, WA.