Tuesday 15 August 2017

What I Learned at the World’s Largest Hacker Conference

Posted by at 1:12 PM

A few weeks ago, I stepped off a plane in Las Vegas. I barely noticed the 107-degree heat. The real “hotbed” that day was DefCon 25, the largest international hacker conference in the world.

Preregistering was not allowed. Identities of 25,000 attendees were kept anonymous. Warnings from conference organizers said, “Anything that can be hacked will be hacked, so trust no one.” I listened. My laptop stayed home and my phone stayed off Wi-Fi. In the conference area, it would remain in airplane mode with everything disabled.

While in my room, only my tablet was used to access the internet. Though the hotel Wi-Fi was “supposed” to be a safe zone from hacking, indications came early that my tablet may have been compromised. Programs started crashing, and programs that rarely updated were automatically being updated. This was only the first hour, and red flags were already being raised. It was going to be an interesting weekend.

DefCon hackers revel in hacking.

Why would EO Johnson Locknet® send a Senior Engineer to attend this event? Security professionals, like me, are more like “gatecrashers” at DefCon—grabbing front-row seats to watch the hackers gorge on all things hackable and to learn how to prevent them from doing this. And learn I did (some specific lessons later). What was it like?

A hackers’ conference held in a Vegas casino brought odd optics. It was “Driving Miss Daisy” meets “The Matrix”. People who could barely turn on computers were mingling with hackers who could break into their bank accounts within minutes.

It was a competitive atmosphere with lock-picking contests, cipher challenges, and technical pranks. This is my fourth DefCon and I can safely say, hackers come in all personality types.

For some, it’s a hobby. They get a thrill out of the challenge and don’t cross the line to cybercrime. Others have a much darker side and use their “talents” to attack countries, businesses and institutions—even putting lives in danger. Last spring’s ransomware attack, dubbed WannaCry, shut down European hospitals, creating serious concerns for patients. Petya, the latest malware attack that affected computers in U.S. hospitals, continues to be a growing problem with hacking of vulnerable medical devices.

DefCon revealed both physical and system vulnerabilities.

Peeling back the DefCon onion isn’t easy. Take-aways are buried in a world of acronyms and mind-numbing tech talk. Workshops and “Villages” (real-time hacking events) were mostly focused on social engineering, hardware exploits and physical security. Here are a few highlights that created a lot of discussion among the attendees.

Physical security infrastructure dangers:

One speaker talked about his efforts to exploit technologies that impact the physical world, like the control systems typically used in industries such as electrical, oil, gas and data. To hostile governments, these are the “holy grail” of cyberwar because of the widespread damage an attack could do to the nation’s grid and infrastructure—resulting in catastrophic damage to human life without firing a shot.

IoT business vulnerabilities:

Off the security radar for many businesses, but on our radar as a Managed Security Service Provider (MSSP) for hundreds of companies, are “Internet of Things” (IoT) devices like refrigerators, thermostats, lights, smartwatches, smart cars and Echo technology. DefCon hackers use these commonly placed “things” to show how easy they are to breach. Some were hacked in a matter of three minutes, allowing hackers to steal data, conduct espionage on enterprise activities, or even cause physical damage.

Individual risks:

In other demonstrations, vehicles with smart technology were hacked. Also, security flaws were exploited in computers by hijacking the wireless mouse. (A hacker needs to be within about 656 ft. of the computer to take control of your mouse—so your home or office may be safe. Public areas like coffee shops and airports put you more at risk.)

New smartphone options were also on view. Attackers remotely accessed smartphones by sending specially crafted wireless packets to the victim’s phone. The packets tripped the vulnerability and gave the attacker full control of the device. The demonstration also showed a self-replicating worm that infected one smartphone and went on to repeat the attack on other vulnerable smartphones. (Tip: Keep your smartphone up to date and avoid joining open public Wi-Fi networks.) The flaw was in the wireless firmware, and an over-the-air patch has since been issued to correct it.

DefCon’s bright side: Research discoveries are often well ahead of cybercriminals.

Hackers aren’t foolproof. DefCon coughs up plenty of their vulnerabilities and allows us to forecast future trends and adjust our security measures to guard against attacks.

Useful information gained from DefCon 25 included:

  • Discovering greater protection options for IoT devices.
  • A better understanding of protocols used by smart buildings and how attackers might hack those buildings.
  • Future predictions on how hackers would leverage machine learning to improve their attacks. (This information can be used for defenses as well.)
  • What spammers are doing to improve their phishing campaigns.
  • Vulnerabilities of networking equipment and how attackers can gain complete control.
  • SHA-1 certificates are not terribly difficult to exploit. The majority of internal certificates are still using SHA-1.

One urgent DefCon takeaway — know your hacker vulnerability

Sitting through countless hours of presentations and workshops confirmed, once again, what my professional security experience at EO Johnson has shown: hackers look for vulnerabilities across your entire business. There are many ways to get “inside” your system, and today everyone in your organization should be part of your security team.

When EO Johnson works with customers, our focus is on your whole company and all positions inside. If you’re not confident in your current security posture, there are companies like ours strategically positioned to help reduce your threat landscape and make sure you’re prepared to handle any new threats as they’re discovered. As I clean my devices used at DefCon, I can assure you hackers may be closer than you think.