This year, I was fortunate enough to attend the DEF CON 24 security conference, one of The State of Security’s top 11 infosec conferences, which took place August 4-7, 2016, at Paris and Bally’s in Las Vegas. Here’s a summary of my experience.
Cyber Grand Challenge
An interesting addition to the unofficial first day of DEF CON this year was the Cyber Grand Challenge sponsored by DARPA. This was a new concept in which seven finalist teams each built what was called a Cyber Reasoning System (CRS). A CRS not only autonomously discovered and exploited vulnerabilities in software across a network but also patched its own services, all without human intervention during the game.
I applaud the organizers for their valiant attempt to make the event spectator-friendly. It felt like Monday Night Football, complete with commentators and live interviews from the pit. The animations and graphical representations were only mildly informative as to what was happening in the competition, but overall, it was a unique experience to witness a crude AI play CTF.
In a world riddled with APTs and ransomware, will our future cyber-adversaries be AI? There are dozens of research projects in the AI field. One had disastrous results (Tay the Twitter AI chat-bot) and had to be shut down because it became inappropriately vulgar after learning from its conversations on the internet.
Imagine if a CRS was integrated with another type of AI. This type of software will only continue to improve. Only time will tell if we have just witnessed the birth of Skynet.
At DEF CON, it is impossible to see all the talks, but I make a point of seeing at least three per day. In my opinion, the best talks are the 303 Skytalks. The Skytalks are not recorded, and there is a no-recording policy for attendees as well. This gives the speakers an opportunity to be very candid and reveal insider knowledge in a setting without the fear of being fired or arrested.
Whether it concerns the details of investors manipulating online conversations for financial gain or the consequences of running a semi-anonymous public email server, these talks have a sort of underground quality to them. This is not to discount the main talks at DEF CON, which feature some of the year’s top security research.
Not all talks are technical in nature, either. Some discuss experiences with law enforcement, others the current state of the modern crypto war. Regardless of one’s interests or experience, the sheer number of talks means that there is something for everyone.
DEF CON has an overwhelming number of villages that cover a variety of interests ranging from InfoSec to social engineering, lockpicking, tamper-evident packaging, hardware hacking and, in recent years, the car hacking village. I personally spent some time in the crypto/privacy village along with a few visits to the packet hacking village.
During my time in the packet village, I sat down, plugged myself into the network tap that was freely available and started driftnet. This allowed me to see any unencrypted images flowing across the DEF CON network. I then used tcpdump to search for plaintext passwords that users may have transmitted, yielding no new results that had not already been found.
In the midst of narrowing down my packet capture filter, I witnessed directory traversal and brute force attempts, along with someone trolling the packet sniffers with his or her political statement. I also detected lots of VPN usage, which is to be expected when on arguably the most hostile network in existence, second only to the internet itself.
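The kind of triage described above (plaintext credentials, directory traversal and brute force attempts in the same sniffed traffic) can be scripted once the payload text has been pulled out of a capture. The following is an added example written for this post, not code from the original article or from the packet hacking village. It assumes the TCP payloads have already been extracted as text (for instance with `tcpdump -i eth0 -l -A -s 0 'tcp port 80 or tcp port 21'`, or a pcap parser) and uses a handful of constructed payloads in place of real DEF CON traffic so that it runs offline; the source addresses, hostnames and credentials in it are invented.

```python
"""Triage extracted TCP payload text for plaintext credentials and noisy attacks.

Added example for this post, not code from the original article. Input is a list
of (source_ip, payload_text) pairs, the sort of thing `tcpdump -A` or a pcap parser
yields; the samples below are CONSTRUCTED and are not real captured traffic.
"""
import base64
import re
from collections import Counter

# Constructed sample payloads (invented addresses, hosts and credentials).
SAMPLE_PAYLOADS = [
    ("10.0.0.5", "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.5", "GET /admin HTTP/1.1\r\nHost: example.test\r\n"
                 "Authorization: Basic "
                 + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n"),
    ("10.0.0.9", "POST /login HTTP/1.1\r\nHost: example.test\r\n"
                 "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                 "username=bob&password=letmein"),
    ("10.0.0.7", "USER anonymous\r\n"),          # FTP: user and password arrive
    ("10.0.0.7", "PASS guest@\r\n"),             # in two separate packets
    ("10.0.0.11", "GET /../../../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.11", "GET /cgi-bin/..%2f..%2f..%2fetc/shadow HTTP/1.1\r\nHost: x\r\n\r\n"),
] + [
    # Twelve rapid login attempts from one host: a simple brute force pattern.
    ("10.0.0.13", "POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
                  f"username=admin&password=pw{i}")
    for i in range(12)
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
FORM_PW_RE = re.compile(r"(?:^|&)(?:pass|passwd|password|pwd)=([^&\r\n]*)", re.I)
FORM_USER_RE = re.compile(r"(?:^|&)(?:user|username|login|email)=([^&\r\n]*)", re.I)
# Plain and URL-encoded "dot dot slash" in the request line.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f|\.\.%2f|%2e%2e/)", re.I)


def find_plaintext_credentials(payload):
    """Return a list of (proto, user, password) tuples found in one payload."""
    hits = []
    m = BASIC_RE.search(payload)
    if m:  # HTTP Basic auth is base64, not encryption: decode it
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            decoded = ""
        if ":" in decoded:
            user, _, pw = decoded.partition(":")
            hits.append(("http-basic", user, pw))
    head, sep, body = payload.partition("\r\n\r\n")
    if sep:  # form-encoded login body after the blank line
        pm = FORM_PW_RE.search(body)
        if pm:
            um = FORM_USER_RE.search(body)
            hits.append(("http-form", um.group(1) if um else "", pm.group(1)))
    first = payload.split("\r\n", 1)[0]
    if first.upper().startswith("USER "):
        hits.append(("ftp-user", first[5:].strip(), ""))
    elif first.upper().startswith("PASS "):
        hits.append(("ftp-pass", "", first[5:].strip()))
    return hits


def scan(payloads, brute_threshold=10):
    """Triage a sequence of (src, payload) pairs.

    Returns credentials (src, proto, user, pw), traversal attempts (src, request
    line) and the sources whose form-login attempts reach brute_threshold.
    """
    creds, traversal = [], []
    pending_ftp_user = {}      # FTP USER seen per source, waiting for PASS
    login_attempts = Counter()
    for src, payload in payloads:
        request_line = payload.split("\r\n", 1)[0]
        if TRAVERSAL_RE.search(request_line):
            traversal.append((src, request_line))
        for proto, user, pw in find_plaintext_credentials(payload):
            if proto == "ftp-user":
                pending_ftp_user[src] = user
                continue
            if proto == "ftp-pass":
                creds.append((src, "ftp", pending_ftp_user.pop(src, "?"), pw))
                continue
            creds.append((src, proto, user, pw))
            if proto == "http-form":
                login_attempts[src] += 1
    brute = sorted(s for s, n in login_attempts.items() if n >= brute_threshold)
    return {"credentials": creds, "traversal": traversal, "brute_force": brute}


if __name__ == "__main__":
    result = scan(SAMPLE_PAYLOADS)
    for entry in result["credentials"]:
        print("credential", *entry)
    for entry in result["traversal"]:
        print("traversal ", *entry)
    print("brute force sources:", result["brute_force"])
```

On a real tap the interesting part is everything this script does not match: the threshold, the credential field names and the traversal encodings are the knobs a sniffer keeps narrowing, which is exactly the filter-tuning loop the paragraph above describes.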
There is never enough time at the conference to participate in everything one may desire, but the villages are definitely worthwhile.
DEF CON is a place where most projects have a nefarious intent and where bad behavior is almost encouraged and celebrated in some sort of comical fashion. Outside of all the technology, DEF CON also hires musicians to perform, which provides entertainment in the evenings. Apart from that, there is a movie lounge where hacker-related movies are shown. Then, there are the suite parties hosted by various groups.
I, by chance, was invited as a guest to the TiaraCon party on Thursday night. TiaraCon is an organization that promotes women in cybersecurity, and it was great to see them come out and be proactive in the infosec community. They even had a contest for who was wearing the best tiara, and I had lots of fun teaching a few women how to pick locks.
The conference is definitely a place to learn and gain insight, but it is also an amazing place to socialize and network with people who share the same interests.
Did you get a chance to attend DEF CON, Black Hat, or BSides LV? Tell us about your experience below, and check out this recap of some of the fascinating presentations held at Tripwire’s Black Hat USA booth.