The last week of July is special for those enthusiastic about information security as it hosts the biggest events in information security technology, solutions, services, cyber threats, and hacking in the United States.
Thousands of people migrated to the “mecca” of cybersecurity: Las Vegas. The week began with BSidesLV, a nonprofit conference organized to develop information security knowledge with open discussion forums for professionals in the field.
It runs in parallel with Black Hat, which is the largest forum for researchers, experts, vendors and ethical hackers. The week ends with DefCon 25, which promises to bring the latest security holes discovered in computers, mobile devices, software, cars and IoT devices. The two share many topics, but while Black Hat is more corporate, DefCon has a festival feel.
The saying goes, “You never know if anyone is interested in drinking water or milk.” Well, I do not even remember meeting anyone drinking one or the other. Joking aside, there are several ways to take advantage of a security convention, and one of the best is to meet people.
My schedule started with a special event. I joined a collaborative security group with long-time, trained security technicians, managers and analysts from around the world with a single goal: to make life easier for each other.
In the group, we network, share non-public information, and helpful content related to information security. My first Vegas commitment was to personally meet the organizer of the group and some of its participants. We met at Ri Rá Irish Pub to talk about the events, staff, market and desert climate, in addition to tightening the relationship and drinking a good beer. There were no offices or companies there, only people with the same interests sharing good times.
The famous saying that “sin city” never sleeps was not the case for us. The meeting ended around 10:00 pm because the World Run by Hackers was scheduled for 5:00 am the next morning. The fourth edition of the race (which includes routes of 4, 8 and 12 km) aims to promote health and well-being in the hacker community and jog through the places where the conferences are held.
I found about ten people at the Tuscany Suites & Casino Hotel, where BSides Las Vegas took place, and we ran down the side streets to Mandalay Bay Resort & Casino, where Black Hat was held. I ran 4 km, and despite finishing the race by 06:30, the sun and the heat of the desert were already very strong.
There was no commitment to win or lose, control points, test times, etc. The goal was simply to be there and be part of it. Normal people were doing normal things, although running in the desert cannot be classified as ordinary.
Black Hat started, and more than 7,000 people were expected for the conference. Below, we will tell you all about it.
Fernando Amatte is Director of CIPHER’s Intelligence Lab and traveled to Las Vegas to attend the security conferences that take place in the city this month.
Day 1 – BSides Las Vegas, DefCon 25, Blackhat USA
Blackhat – Multiple suppliers, in a show of lights and colors, dictate the trend for new security solutions
The day begins in one of the most exciting cities in the world with the opening of the Information Security event most awaited by professionals and enthusiasts. My first impression was of a real barbarian invasion of the city: thousands of people from all over the world with a single goal, to share knowledge.
Upon entering the event, after a thorough check of badges, we are faced with a true festival of colors and lights in the hundreds of booths of technology manufacturers that work within information security. The first day was for exploration, research of news, trends, and networking.
We were able to visit the booths of countless companies that presented their products and solutions and presented the visitors with the most unusual gifts. Getting to know each new solution, I was able to identify a common trend for the solutions presented at the event. There is a new generation on the way, where user behavioral analysis and the visibility of incident response are more related to “how” and not to “when.” The addition of event correlation and alerts under this new aspect allows security teams to act more effectively and immediately, and also allows future events to be predicted based on behavioral analysis of users and systems.
Blackhat is the supreme example of North American eccentricity and grandiosity, a veritable overproduction of information and trends presented in miles (literally) of booths and conference rooms that will leave many blisters on visitors’ feet.
At the end of the first day, we took a funny photo with a Kiss band look-alike. What a great way to close the first day!
By Rogério Malgor
DefCon 25 – Great expectations and an amazing reality
It was the first day of DefCon, the largest and most “infamous” hacker conference in the world. It’s amazing how Las Vegas becomes the world’s center of information security during cybersecurity week here.
You meet people from all over the world, listen to multiple languages, know different specialties, but see a common goal of this new community: to improve knowledge of hacking and information security. This is the first time I’ve been to the event, and I can say for sure, I am impressed by the size and magnitude of the encounter.
DefCon 25 happens at Caesars Palace, one of the most iconic casino hotels in Vegas. We started the day in the queue for tickets, which are sold only on opening day, a tradition. Thousands of people queued up to buy their tickets, and while I waited I met a group of Russian pen testers! We talked about new vectors of attacks that are demonstrated on the first day. We then entered the main hall, and an incisive voice echoed from the audio system: “turn off your cellphones, DefCon 25 will start.”
By Rafael Souza
Rogério Malgor is a manager of Managed Security Services at CIPHER, and Rafael Souza is a security specialist at CIPHER’s Intelligence Lab, both of whom traveled to Las Vegas to attend cybersecurity week.
Day 2 – BSides Las Vegas, DefCon 25, Blackhat USA
And the second and final day of one of the most important security conventions in the world, Blackhat USA 2017. We started our marathon along the same route as on the first day until we could be sure that nothing was missing.
To be honest, it is impossible not to let something pass here. There are hundreds and hundreds of manufacturers and booths. Today we made it to leading manufacturers to be able to check trends in solutions and approaches to digital threats. Each one in their way tries to achieve the same goal, as my dear grandmother used to say, “there are several ways to Rome.”
Terms like “next generation,” “visibility” and “threat intelligence” become almost a cliché, and are indispensable for any solution, whatever its purpose. The fact is that all manufacturers want to be one step ahead of digital threats with technologies that learn and communicate autonomously to evolve continuously. The focus of this learning is the user, the perimeters of networks and even the data traffic.
In one of the lectures that I attended here, they even mentioned the legendary “Skynet,” the computer network that acquires artificial intelligence and revolts against the humans, described in the film “The Terminator.” Well, the idea is really this: machines that learn from everything and everyone around them, that have the power to identify and classify events, besides making decisions, without the action of the system administrator. The solutions include monitoring with cognitive capacity for this purpose, which ensures that a company in Shanghai automatically receives intelligence generated in another company there in Brazil without the intervention of users.
The goal is, of course, to reduce response time regardless of the event: an incident, malware, best security practice and standards to maintain compliance, all so desired by companies today.
More interesting is that technology is not restricted to large manufacturers; sharing knowledge in the security community allows small businesses with an excellent idea to launch advanced products and compete equally for the market. Who benefits from all this is the user. It is interesting to see the rapid evolution of the solutions: not long ago “machine learning” was a theory, and it is now available in shelf products.
“Malware Hunting” no longer differentiates solution provider companies. As I heard in another talk, what makes each competitor unique is their quick reaction capability combined with surgical accuracy in mitigating digital threats. The role of solutions is to give administrators the ability to act immediately (or even proactively) when an incident is detected.
This sum of factors raises the level of security maturity across the mute, but it also makes cybercriminals specialize and create more sophisticated and evolving threats. Perhaps the box-office success of the 1980s is not so fictional. Battles in the information security arena will increasingly be waged by machines to eliminate human error in attack and defense tactics. What will be the next step?
Day 3 – BSides Las Vegas, DefCon 25, Blackhat USA
DefCon is a very different event from Blackhat, a mix of “normal” people and stranger types, all eager for the same reason, knowing the latest hacks and exploiting flaws.
The day’s schedule began with the massive queue for registration badges. Badges are real collector’s items: every year the organization chooses a different look and format, and in most editions, the badge is an electronic device that brings with it logical challenges and hacks.
After the registration badges, more queues. There were thousands of people searching for the exclusive promotional material of the event. I met another colleague who traveled with me in this queue, and something curious happened because I did not have my badge on my neck. I was approached by one of the security guards, who interrupted me sharply to check if I really should be there.
“The badge is for the neck, not the pocket.” A little bit of frustration and irritation took hold at that moment, but it was all cheered up with the opportunity to be in one of the biggest security events in the world. However, the security staff at Caesars Palace did not seem to be so excited.
On the morning of the second day of DefCon, we arrived early, scheduling lectures, workshops, and networking sessions that were extensive, and we had little break time between one and the other. This was a major downside of the event. With more than 25,000 people trying to get around the hotel corridors, it became a true logistical nightmare. At various times we met in the middle of a corridor, standing, waiting for the crowd to move. The scenery looked like Rua 25 de Março in São Paulo, famous for its popular commerce, in the middle of Christmas Eve.
We watched two extremely interesting lectures in which the presenters addressed the exploration of absolutely all types of devices that use wireless data communication, preparing their phones and equipment that use radio frequency to execute the next wave of attacks that will target the invasion of connected televisions and drones. We saw the presenters compromise these devices in less than 5 minutes during the presentations!
Between one presentation and another, we went through another unusual moment. We were approached by a hotel employee who accused us of creating confusion with other participants of the event. We explained that we had just left a presentation and even thought that it might be some social engineering to get our identifications. After all, at one point the employee asked for our badges and wanted to take pictures of them. We did not allow it because at DefCon “all cats are gray in the dark.”
Following the odd approach, we went to the “Packet Hacker Village.” DefCon 25 is organized in “villages” and content tracks. “Packet Hacker” was an overproduction like the whole event; we felt like we were in a blockbuster movie production. This was the place where hackers attempted to compromise mobile devices from the hackers themselves and published the data collected on a huge screen called the “Hall of Sheep,” a veritable wall of shame for users who did not care about security at all when entering the event. Believe me, the rule in DefCon is not to use any wireless network of the event, to stay off the Wi-Fi and Bluetooth, and to distrust even the mobile networks of the operators. Without any doubt, the recommendation is to use airplane mode everywhere.
We finished the second day with more than 20 hours at the event and, despite the discomfort caused by the organization and the security team, we enjoyed every minute. It is no easy task to go to DefCon. It is a real city within the city of Las Vegas; maps and the event agenda are indispensable for finding your way around.
Rogério Malgor is the manager of CIPHER’s Managed Security Services and traveled to the company’s call for security week in Las Vegas.
Day 4 – BSides Las Vegas, DefCon 25, Blackhat USA
From automation testing to intrusion, Apple Watches’ commitment to meeting with Kevin Mitnick.
DefCon 25 is an event with technical lectures and innovative content, with the best specialists in the market, but also a unique moment for networking, exchanging experiences, finding friends and learning.
The “Hacking the Cloud” lecture addressed the thinking outside of the box that pen testers should have when conducting cloud intrusion tests. It was fascinating and useful to me personally because I am a CIPHER Intelligence Lab team member. Although the content of the talk was focused on Microsoft’s Azure, the methods and concepts can be applied to almost all cloud solution providers.
The “Real-time RFID Cloning in the Field” session surprised me. At first it seemed more of the same, since the subject of RFID cloning has been behind the scenes in the security scenario for some time. The innovative differential was the display of a new method of cloning in real time. The speaker showed a demonstration video with proof of concept that surprised the whole audience. In my analysis, there is a real risk of exploiting the failure since many companies use RFID (radio frequency identification) to allow employees to enter.
The convention is a grandiose event, crowded rooms, queues in the corridors, some turmoil and the organization working frantically to keep everyone on the line. Due to the volume of content, there is a division into tracks with multiple presentations happening in parallel.
The lecture “From Box to Backdoor: Using Old School Tools and Techniques to Discover Backdoors in Modern Devices” was very appealing for those who are pen testers. It explained the ways of exploring the devices of industrial control systems (ICS) and Internet of Things (IoT), something seldom tackled in our day to day and that is certainly worth studying. The speaker addressed a number of “exploitation” techniques and how to discover backdoors in these environments.
In the lecture “Where are the SDN Security Talks” the speaker approached the topic of Software Defined Networking (SDN) and its security in a fantastic way. SDN is an approach to computer networking that allows network administrators to dynamically initialize, control, change, and manage network behavior through open interfaces and the abstraction of low-level functionality.
The “Jailbreaking Apple Watch” lecture, as its name suggests, demonstrated a thorough jailbreaking process, which is how to make the device run functions and unauthorized applications to manipulate important user data, accessing previously blocked resources.
The second day of DefCon started to really thrill me; after all, I participated in the official agenda of the event with a lecture. Before entering the room, I kept reading the lecture material repeatedly and mentally reviewing what I was going to say. The staff of the conference organization was very kind and left me the ability to start. In my lecture, “My dog is a hacker and will steal your data,” I presented the exploitation of a new technique called “dog in the middle,” in which I exploited the sympathy created by the dog in the man to exploit security flaws.
The dog was used as an attack tool while carrying a cell phone hidden in its breastplate collar that could exploit various tactics including false Wi-Fi, evil twin, karma, DNS spoofing, packet injection, denial of service, and more.
I learned a lot with my DefCon talk. Many people liked the content and came to talk to me after the end of the presentation. Some of them even suggested tips that would improve the exploitation of the hack and this is the purpose of the event, sharing knowledge to perfect the technique.
You can check out the entire presentation on my SlideShare profile.
The third day of the event, for me, was the most anticipated. I attended a presentation about the area of security I like most: web security. Jason Haddix, one of the most respected names in the bug bounty scene, presented “Introducing HUNT: Data Driven Web Hacking & Manual Testing.” This lecture introduced the Hunt extension to the Burp Suite tool, one of the most respected among web application pen testers, that will allow complex proofs of concept. The new application helps web application security professionals find bugs more effectively by identifying multiple parameters on websites for later exploitation of vulnerabilities.
I had one more surprise; I met the legendary Kevin Mitnick, one of the most famous black hat hackers in history. He is responsible for invading various organizations including technology and communication giants. For those who do not know him, Kevin was one of the FBI’s most wanted hackers, who was actually arrested for cyber crimes. He wrote books about his exploits and became a reference for professionals and enthusiasts, even despite the foggy past. There is a saying advising “do not know your heroes,” but in this case, I was delighted with the casualness of our conversation, in which he talked about his new book “The Art of Invisibility.”
Rafael Souza is a member of CIPHER’s Intelligence Lab team and traveled to Las Vegas to attend cyber security week.