This DEFCON was by far the most exciting DEFCON that I have experienced since my first trip back in 2006. If you aren’t familiar with DEFCON, and you are reading this, allow me to extend a warm welcoming hand to the rabbit hole that you are about to fall into.
DEFCON can be a lot of different things to different people. For me, it was always the Hacker Conference of Hacking Conferences. Though not THE first Hacker conference, it was, however, the most memorable, effectively luring the truest nature of Hacker Culture from its underground and camouflaged existence to out and open convergence in Sin City.
I learned about DEFCON at the tender age of 19 (1999) on my first journey into the Cyber (Information Operations / Warfare) field with the Department of Defence in Guantanamo Bay, Cuba. The DOD-framed perspective in which DEFCON was conveyed to me then is quite different from the one I now hold (different frame of mind, different frame of reference and a way, way larger vantage point #nosecrets). Young and very enthusiastic to tackle my new profession, I was told that DEFCON was where “Tech Criminals” come to show off their latest exploits (read crimes). To some, this place was verboten, off-limits. To others, it was simply THE place to be. In my defence, silly, naive ignoramus that I was, I had but a simple worldly mindset of black and white. There were those who worked for the Government and those who did not. Or in simpler terms, those who were indoctrinated into the Cyber Warfare game and the sheep who were not. The word Hacker carried a significantly heavier negative connotation to the ignorant masses back then, well…much more so than it does now.
I didn’t emerge from the technical background which the seasoned practitioners and mentors in my government bubble did (and yes, again, my viewpoint was very immature). So it is through the rabbit hole that I have since evolved. My perspective developed, honed and grew to my current understanding and appreciation of the hacker culture.
@DEFCON you will find all shapes, sizes, gender, acumen, race, color and creed. It’s a veritable rainbow of information and experience with lots of shiny glitz. The real jewels, however, are the ones you allow your mind to be receptive to. The Empty Your Cup paradigm is vital to your experience at DEFCON. Whether you’re a NOOB (IT, Tech, InfoSEC beginner) or a seasoned practitioner, this is not (and never was) an event to bring your ego to. To be absolutely crystal clear, this is NOT and never was an InfoSec conference. You don’t come here to practice organisational defensive strategies, market tools or company agendas. You either come to strut your stuff, or sharpen your mettle. Personally, I go to learn, explore and humble myself. The beauty of DEFCON is that the code pool of hacker brilliance is unmatched. No matter what your level of traditional education is, DEFCON will almost certainly humble you (as it has me numerous times). #PrepareYourSelf
The KIT- Hello Darkness My Old Friend
I’ve never been normal, far from it actually. My Spiritual Cyber-Ronin kit, which is my pre-game pack for DEFCON, is a dead give-away. These are the little things that I never let go of in the “ClockWorkOrange” projection loop-playing in my mind (or in reality… #PrepareYourSelf #zrosig). None of these items are for show, some have evolved over the years of trial and PWND, others nostalgic mementos, and some are absolutely necessary for my sanity. You decide.
My Spiritual Cyber-Ronin Kit:
- Hotel Room Counter-Eavesdropping Solution #zrosig
- Exfil, Evac and Emergency Planning Blueprints. #PrepareYourSelf
- Zero-Sig Silent Circle Blackphone2 (bitsmodded) #zrosig
- 360° Mobile Surveillance Camera (bitsmodded) #nosecrets
- A Clockwork Orange: I enjoy reading this masterpiece over and over
- Just a plain ole SDR with some bits&digits magic – Lets me know when those-we-don’t-speak-of want to hear what I speak of 🙂
- Zero-Trace Cell Phone Holder – No Signals in or out (a bits&digits production) #zrosig
- The book I use to cover the other 2 books for those seeking to understand my brain #zrosigbookvrsn
- The Book of Changes – For my daily dose of peace and sanity #innerpeace #namaste
- Mr. Invincible / “That Guy” glasses – No Social Engineering engagement face to face goes wrong when these are in play. #TrustThat #namastedontpay
- The PwnPad – ‘Nuff Said (bitsmodded)
- Negative Energy Spatial Jammer – (My Himalayan Singing Bowl) When peace is needed for the next phase #innerpeace
- Next Generation Ball of Confusion: Ask in person – Special toy for Special People
- The Pick Kit and HandCuffs – What you do when you’re bored in First Class, dressed the #DEFCON part, but still a business owner 🙂
99 Problems but a Breach Ain’t 1
This year’s conference was particularly exciting for bits&digits because it was our first trip as “Civilians” so to speak. We were purely interested in gleaning what could be gleaned and to shake hands with people that I’ve “known” for years (although arguably many never really “knew” me) – But, as this isn’t a write-up on my background or journey from one side of the mirror to another, I digress. We also decided to visit DEFCON out of respect and to pay the highest homage to the industry in which we found ourselves entrenched. The core to our mission: seek the truth, and aim to serve its singular representation to the masses (those who have yet to come to the realisation that this playing field is anything but level).
The journey began this year in meeting with a company that has one of the strongest claims I’ve heard in a while: “We cannot be hacked, and if you can – Prove It”.
SecureWebApps presented a 20k reward to any DEFCON attendee who was up to the challenge. The unique potential capability of providing Unreachable Technology to the world is interesting in that only time can tell. It’s not a matter of if, it’s a matter of when.
No Spoilers
The Right To Freedom #nosecrets
DEFCON is more than a conference; it is a conference of conferences with conferences within them. It’s conferen-ception. Having had the opportunity to attend some of the “offline” conferences (whose names I will keep off the books), I noticed a massive awareness movement concerning Digital Suppression in countries that wish to maintain their citizens’ continued compliance with their regime (see 1984, Fahrenheit 451). Fortunately, there are Ronin: cyber warriors out there, working on some very unique solutions to pierce the veils and break through walls. Providing what some initiatives like the EFF (Electronic Frontier Foundation) constantly do to preserve our rights, the “#nosecrets” tag serves only to underline how engaged we are with some of these operations and that we openly look forward to working with such organisations.
Viva La Resistance
No Spoilers #2
Do you Git it? (Github Exposed)
In my Baz Luhrmann – Everybody’s Free (to Wear Sunscreen) voice, “Ladies and gentlemen of the class of 2017, protect your GITs. If I could offer you only one tip for the future, GitHub Security would be it.” Ok, maybe I’m exaggerating a little, but one of the presentations I attended really blew me and the entire room away. Leveraging a few open source tools and a few Python scripts, the ability to scrape some very sensitive, brand damaging and compliance penalty-laden information was effectively demonstrated. No “hack” was involved with this demonstration (per se); insecure configurations of GitHub repos from companies all across the world were simply illuminated. If you have not trained, assessed or placed your development team’s GitHub footprint within the scope of your risk matrix, I urge you to do so TODAY. This is not new, but in today’s world of data breaches, data spills and hacks, it would be interesting to hear how you explain this to your Cyber Security insurer.
Again, this isn’t anything new: GitHub users warned over security risk
All your Votes Belong To Us
Unless you’ve been living under a rock for the last year, you might have heard the chatter about the US Election Voter System. Well, let’s attempt to remove the buzz and add some concrete BANG to this. I was luckily able to attend a very revealing VotingVillage talk that demonstrated how ridiculously easy it is, was, and will continue to be, to hack US Voter Electronic Systems. It was incredibly revealing, and I have very little humour for this topic. As the “news” agencies point fingers at certain Nation States interfering with the elections, perhaps it’s time we take a peek under the hood at how open these systems actually are before throwing the figurative stone (or warhead): Hackers descend on Las Vegas to expose voting machine flaws
A Social Engineering Dream
Train, Protect, Repeat
There is a special place in my heart for Social Engineering. The science behind this craft has always been a focus of mine for a variety of reasons. Attending the SE-Village talks really showed (again) how underprepared the human terrain of organisations is against Social Engineering. Veterans of the Social Engineering gambit revealed their superpowers on many occasions from (name drop warning) Jayson E. Street @PwnieExpress, to the power behind https://www.innocentlivesfoundation.org/, Chris Hadnagy. It’s truly about time that organisations understand the importance of training their employees to STOP OPENING attachments. I’ve most certainly oversimplified the mitigation plan of spear phishing attacks in these statements, but if you need to understand more about it, feel free to google it. We are in 2017, it’s time this domain is taken much more seriously than it currently is.
—Sent from my iPhone (lol)
Exploitation At the Gates
DEFCON was action-packed with different exploits, TTPs as we used to call it (tactics, techniques and protocols), pivots and “plays” (if one takes the time to absorb them). But the core of these talks isn’t to give people the upper hand to peruse your organisation’s technical backyard; they are presented to level the playing field. This year, we learned a lot of things, but core to my client space, I thought I would spotlight these 4:
- Cisco Catalyst has some very interesting vulnerabilities that need to be addressed sooner rather than later.
- Just In Time targeting within Active Directory environments is not a Jedi Mind Trick, but a very relevant and important attack-surface-system that admins should really be locking down.
- SQL Injection is NOT just a security problem, but a development issue that needs to be addressed by the right departments. This is something we should know, but the social perception of its importance may have been a bit off (to say the least).
- RF (Radio Frequency) exploration is no longer a “play” for those with deep pockets or James Bond movies. From Cellular Communications to your Wifi, the exploitation game is now available to the masses.
Keys to the spirit of these writings? Sure, anyone can draft problems, illuminate issues, and articulate pain points. Give me solutions or give me nothing at all! Part Deux of this post will go into expanding on these Pandora’s Boxes and critical hazards with the respect they deserve. Do not fret, stay tuned.