DEF CON 28, aka DEF CON Safe Mode, was clearly unlike any of its predecessors as the whole conference was both a.) free and b.) completely virtual. And as such, DEF CON 28 was arguably the most accessible of DEF CONs to date. Yes, we missed the fraternizing and networking this time around, but we also enjoyed watching talks from the comfort of our homes.
And DEF CON 28’s talks didn’t disappoint either. Below is a recap of eight of the DEF CON talks we found especially interesting – be it for practicality, the ideas presented, or the technical prowess behind the talk.
Can AI make you a faster hacker? Ankur Chowdhary has a possible answer to that question in this presentation. (Note: Chowdhary is a security analyst and Bishop Fox alumnus, so we might be a little biased.) In this talk, he shares ASAP – his framework for providing an artificial intelligence-based attack plan. He walks through how AI can be used in cybersecurity, giving some context before introducing ASAP and how it addresses challenges brought upon by the modern attack surface. This talk will be of interest for penetration testers who are curious about how AI can help them up their game.
Thanks to our Continuous Attack Surface Testing (CAST) platform, we have a special interest in both AI and ML. Read this piece to see how we’ve used ML to help monitor the attack surfaces of our CAST clients.
Why We Like This Talk: Some DEF CON talks are more applicable for day-to-day life than others. Daniel Miessler is a well-known name in the infosec community, and in this talk, he explains how to work smarter, not harder. He focuses on how automation can complement manual testing and shares his preferred methods – namedropping various tools, code, and techniques. A major takeaway from Miessler’s talk is the importance of creating modules when coming across a new concept you want to implement in your testing (but fear you might otherwise forget). “You can go directly from a thing that you saw, that you hadn’t thought of, that someone else had a cool idea – and you can make a module of that that now incorporates that knowledge,” Miessler says, urging the viewer to use automation to create something “tangible” out of their learnings. If you’re looking to optimize your time during time-boxed assessments and eliminate any inefficiencies, this talk is a must watch. Miessler shows you how workflows can be designed to aid manual testing. If it takes you approximately 40 hours to perform an assessment and you spend about five hours waiting for tools to return data, you end up losing time. However, if you can create automated toolsets to help aid manual testing, you’ll be that much more efficient and have more time to dive deeper.
Why We Like This Talk: This talk may prove more useful for those in defensive positions, but offensive security professionals can benefit from it too. Most organizations today are using the hybrid cloud – that is, cloud computing with private and public cloud as well as on-premises infrastructure. The talk covers exploits that affect Amazon Web Services (AWS) and Microsoft Azure. Sean Metcalf has done a few previous cloud security-related talks at DEF CON in recent years, and this talk follows suit. He painstakingly details attack chains that result in gaining global administrator access on both platforms – in approximately a 15-minute window. The attack chains will prove useful for offensive security professionals who are testing AWS and/or Azure environments, and Metcalf provides information on prevention too. Key takeaways include the lack of MFA attached to administrator accounts and the restriction of user roles as needed.
Why We Like This Talk: “Hacking Traffic Lights” is a fun talk from two Dutch security researchers – with some potentially frightening implications. A short and sweet presentation, Neelen and van Duijn found a simple way to mess around with traffic lights – specifically, cycling traffic lights, because the Netherlands has a large biking community. The researchers leveraged a suite of fairly popular mobile apps that integrate with traffic lights to assist bicyclists with their travels. In the end, they found they could manipulate the traffic lights in several Dutch cities by using the apps to spoof a bicyclist. In the wrong hands, the consequences here could have been disastrous. But, the researchers acknowledge in this case that they could – at the very least – simply annoy people. Neelen and van Duijn end their talk with a call to action: Security protocols need to be implemented in smart devices and systems, or we could face more devastating future exploits.
Why We Like This Talk: This talk’s appeal is fairly straightforward – hacking millions of home security cameras is quite the accomplishment. Marrapese explains how he did precisely that by exploiting Peer To Peer (P2P) – the ubiquitous architecture found in countless Internet of Things (IoT) devices. P2P is essentially designed to expose devices, which is not exactly a great idea. Because security is often sacrificed for convenience, though, P2P has become popular in IoT. Not only can you hack these security cameras to spy on other people, but you could use these cameras to spread malware and eventually get remote code execution in someone’s environment. This story serves as a stark reminder of the dangers that come with opting for convenience over security, something we encounter often in our testing and research. Manufacturers, developers, security professionals, and consumers can always benefit from learning more about IoT security and what can happen when it goes awry (or just doesn’t exist). Although Marrapese’s research focuses on a worst case scenario, don’t get too discouraged – efforts are at least underway to push IoT toward improved security.
Why We Like This Talk: This talk is a fascinating crash course through hacker history mixed with some deep technical knowledge. Chris Wysopal’s perspective on cybersecurity stretches back to the 1990s, and in this talk, he recalls the experience of being a hacker in those “early days” – before being a professional penetration tester was a mainstream career choice. The fact that Wysopal is giving this talk is specifically noteworthy, as he was one of several hackers who testified before the Senate in 1998 and explained that they could take down the Internet in 30 minutes. This presentation is especially useful to those new to the cybersecurity industry who want a sense of how things have evolved over the years.
Why We Like This Talk: Similar to Daniel Miessler’s aforementioned talk, watching this presentation from cloud security architect Ryan Ellis will give you more tools for becoming a more agile penetration tester. If you find yourself taking more time than you’d like searching for vulnerabilities, this is the talk for you. “How can I convert my manual efforts that I do on a day-to-day basis?” Elkins encourages viewers to consider during the talk, stressing that adapting automation will allow more time for familiarizing yourself with the latest and greatest technologies. Pen testers of various skill levels can benefit from Elkins’ ideas.
Why We Like This Talk: Hacking satellite communications is interesting enough on its own, but, as Pavur points out, the number of satellites in space is expected to increase to 15,000 by 2030. And that makes for prime targeting material for hackers. Not only is the talk truly fascinating, Pavur does an amazing job delivering it with plenty of examples and some wry humor sprinkled throughout. Even if your understanding of the content is not fully there, he explains it well enough that a beginner can follow along. The case studies he highlights are disturbing – you’ll be … probably not surprised, but a little disappointed to find out what he was able to access. Considering the sensitivity of the information he intercepted, security professionals on both the offensive and defensive side of the coin would do well to watch this talk. It’s also worth noting that Pavur succeeded at this endeavor using only $300 In equipment, so it’s certainly recommended viewing for amateur radio hackers (along with this video).
We’d be remiss if we neglected to mention the Black Hat USA briefing by Bishop Fox Principal Researchers Rob Ragan and Oscar Salazar. Although the recording is not live yet, the two Black Hat veterans spoke about how to detect Internet-exposed assets in AWS environments. To help organizations keep tabs on their cloud attack surface, Ragan and Salazar released the open source tool SmogCloud in tandem with their talk. You can view the SmogCloud slides here.
Although this year’s DEF CON was undoubtedly a break from tradition, the content presented was nonetheless top tier. Catch up by watching the recordings, and let us know if we missed your favorite DEF CON talk – comment below or talk to us on Twitter.