As the dust settles from the back-to-back BlackHat, BSidesLV, and DefCon conferences referred to as “Hacker Summer Camp,” the Information Security community has a lot of cutting-edge information to digest as we collectively work toward a safer digitally connected world.
Trends always emerge around challenges at the forefront of our minds. Things like election security, privacy & surveillance, vulnerabilities in critical systems, and IoT and medical device safety were the source of much conversation this year. The overall theme of DC27 was Technology’s Promise, imagining “a future where we have tamed some of the more intractable problems that plague us in the present, where technology supports and inspires instead of controlling and surveilling.”
In between trying to avoid the hundreds of open wireless access points with common names like DeltaWiFi or Starbucks, and staying off the Wall of Sheep while connected to the DefCon network, there is a lot to do! The sheer breadth of information presented at DefCon simultaneously across four Las Vegas resorts requires some planning ahead for attendees.
With so many interesting workshops and talks, here are a few highlights that stood out for me as noteworthy.
The Biohacking Village, along with I Am The Cavalry, hosted talks and demonstrations on a variety of topics related to biotechnology, including a medical device hackathon where researchers were encouraged to find vulnerabilities in a simulated hospital environment.
Seeing hackers work alongside device manufacturers, hospitals, and government regulators shows how far the community has come. Alongside the hackathon, the Village also ran a Capture-the-Flag (CTF) allowing hackers to respond in real time to an adversarial disruption-of-service attack on a simulated hospital designed by Mayo Clinic and CalPoly.
In addition to the Village, healthcare security received attention in the Main Tracks including a panel discussion entitled: “D0 N0 H4RM: A Healthcare Security Conversation”. The focus on healthcare security at DC27 is also near and dear to Critical Insight’s mission of protecting the systems that keep our communities safe, and I was glad to see it receive so much attention at the Con.
The Hack the Sea Village brought attention to the fact that maritime ships are basically one big IoT device, run by Operational Technology (OT) and Industrial Control Systems (ICS), and are therefore very much hackable. Presentations such as “Pwning a Mobile Drilling Rig” and “Finding Flaws in a Satcom Terminal” demonstrate that while technology has enabled significant advancements in our capabilities, it is not without both human and economic risks when that technology is attacked.
Issues of privacy also received a lot of attention, whether at the Crypto & Privacy Village or scattered among the many Main Track talks. Privacy-oriented organizations such as the Tor Project and the EFF maintained a notable presence in the vendor space as well as throughout the conference. A few of the topics that I enjoyed listening to include “How You Can Buy AT&T, T-Mobile, and Sprint Real-Time Location Data on the Black Market”, “TLS Decryption Attacks and Back Doors to Secure Systems”, and “Scrubber: An open source compilation to protect journalistic sources”.
Running alongside DC27 for the 16th consecutive year, Queercon held its annual conference at DefCon’s original home, the Alexis Park. In addition to providing a welcoming community space for LGBT attendees, Queercon hosted a program of talks bringing attention to important issues of diversity and inclusivity in Tech. Researchers Alex Lomas and Alan Monie demonstrated a tool they developed that pinpoints the location of dating app users, including at sensitive locations such as the White House. They won’t be releasing their tool to the public, but it serves as a strong reminder of the risk smartphone apps present to our privacy.
DefCon badges are famously designed to delight attendees every year. Since this is not your typical conference, the typical lanyard has been thrown out in favor of collectable badges that come complete with bragging rights.
If you couldn’t make it this year, keep an eye on DefCon’s homepage, r/Defcon, or YouTube for the publicly available talks that should be released in the coming weeks.