Hitting 21 in Vegas meant a bit more than just blackjack this year. For some 15,000 people visiting Vegas this summer, card games were secondary to the 21st annual DEF CON at the Rio. Vegas also played host to several other similarly themed events this past week. With a much larger crowd and more laissez-faire attitude, DEF CON is the rowdy half-brother (or sister) to Black Hat.
Not surprisingly, mobile was a big focus at both conferences, with talks ranging from hacking femtocell base stations, building a cellular IDS (both on Android and using a femtocell), taking over Google Apps domains, plus writing and surreptitiously installing SIM apps (SIM botnet, anyone?).
Ironically, one of the more blandly titled talks at DEF CON, "Business logic flaws in mobile operators services," proved to be a highlight of the mobile presentations. In it, security researcher and IT professional Bogdan Alecu was met with laughter and applause as he demonstrated various ways in which mobile services could be easily exploited to overcome data threshold limits, spoof cellphone numbers, and even force unwitting targets into sending SMS messages to premium rate numbers.
Another particularly interesting talk dealt with defeating the anonymity of alt.anonymous.messages through statistical relationship analysis. The heart of alt.anonymous.messages privacy lies in not being able to determine the recipient or sender of a particular message. The presenter, Tom Ritter, demonstrated how he was able to backtrack from a handful of easily broken encrypted messages by graphing relationships and statistically correlating senders with receivers.
Black Hat hosted General Keith Alexander, Director of the NSA. General Alexander asked listeners to examine the facts of NSA surveillance and to help find a better solution. He presented a graph attempting to show a correlation between an increase in NSA activity in Iraq and Afghanistan with a reduction in US troop casualties without mentioning that the withdrawal of US troops from Iraq may also have been a contributing factor. The end of his speech was punctuated by a heckler loudly shouting "B******t," and attempting to engage the general in a debate on US policy.
"You lied to Congress and you're lying to us," said the heckler.
"I didn't lie to Congress," replied the general. (Technically, this is true. It was Director of National Intelligence James R. Clapper who lied to Congress.)
"Read the constitution," said the heckler later.
"I have read the constitution. You should read it!" said the general. This got the biggest applause of the event. It's clear that many of the crowd supported the general's claims that 9/11 and the threat of terrorism justified massive collection of phone and Internet records of all US citizens, but that a large group were highly skeptical.
Despite Gen. Alexander's rather serious talk, humor poured into other areas of the conference. Playful talks such as "Java Every-days" used a bit of tongue-in-cheek wording to effect. Meanwhile, Brian Krebs gave a hotly talked-about presentation regarding another popular topic this year, DDoS services. Unexpectedly, criticism of DDoS protection service CloudFlare was met with CEO Matthew Prince giving an impromptu, mic-snatching riposte during Krebs' Q&A session. As well as debating Brian Krebs, Prince also challenged presenter Allison Nixon, after she had demonstrated how easy it was to bypass the free CloudFlare service, to see if she could successfully attack the CloudFlare paid service!
Nothing is sacred this year, not even your bedroom TV. In order to allow the apps to do cool stuff, Samsung's engineers built an API for their not-so-smart Smart TVs that gave JavaScript full access to the hardware and file system. Apparently, they had never heard of cross-site scripting attacks. Using this oversight, we saw how it is possible to compromise a smart TV via a malicious URL. Then, attackers could take over the camera and microphone to broadcast live streaming video on the Internet, even when the TV is apparently turned off. As one presenter put it: if you must have a smart TV in your bedroom, invest in a Post-it note to go over the lens.
In addition to learning about new developments and emerging techniques, Black Hat and DEF CON were a great venue for socializing with colleagues in a relaxed atmosphere, meeting other people in the industry, and, yes, even playing a little blackjack. Fortunately, Black Hat and DEF CON were more rewarding than the cards proved to be.
Oh, and apparently you can brick your Prius.