Experiences from Black Hat and Defcon conferences

In August, I took part as Nixu's representative in the largest information security events in Las Vegas: Black Hat USA 2015 and Defcon 23. Black Hat is smaller in terms of the number of attendants and clearly more commercial of the two events. As the event has a massive program, attendants need to heavily prioritize where to go because it is not possible to participate in everything. Luckily, presentation materials, white papers, and even a number of presentations are available to all on YouTube and the Black Hat website. I recommend you to check the availability of the presentations and explore the topics of interest through the available material.

This year's seminar focused on privacy and the freedom of the Internet, which the ongoing Crypto Wars are associated with. The keynote speaker was Jennifer Granick, a renowned lawyer who has also defended hackers. She explained how the Internet has changed due to regulation and monitoring, and speculated whether the Internet as a media will be as controlled as the television in the future. This can, of course, be seen as a positive or negative development path but I can personally subscribe to her concern and consider the current trend to be largely negative. Granick also presented a few interesting anecdotes about the early days of the Internet and the birth of the hacker movement. You can watch the presentation here (YouTube 1h11m). Even through many seminar topics revolved firmly around the privacy and surveillance debate launched by Edward Snowden, he was rarely mentioned as an individual in the presentations.

Jeep hacking and much more

Another highly popular theme was hacking in the physical world, i.e., matters related to the industrial Internet and, in particular, vehicle hacking. Charlie Miller and Chris Valasek offered an entertaining presentation about Jeep hacking; an incident which eventually led to the recall of more than one million cars. We can learn at least two things from this incident: Two separate systems can, in actuality, be interconnected, and a system should not be called breakproof, unless one wants to end up looking like a fool in front of media. What is more, the incident caused significant recall costs and also had an impact on the company's stock price. The presentation is available on YouTube, and related news is available here.

In addition to cars, the industrial Internet and any associated information security risks were high on the agenda: How can damage be caused to production plant processes by, e.g., increasing pressure in pipelines and how it is possible to attack against the infrastructure of an entire city. When reviewing all the presentation topics in order to plan my own agenda, I noticed that there were many, about a dozen to be exact, Android-related presentations. This means that Android remains an interesting subject among security researchers, offering plenty of areas to explore.

A particularly good presentation was offered by Matthew Prince, CEO of CloudFlare. In practice, CloudFlare provides its customers with a reverse proxy which protects customer websites against DDoS attacks. Because basic protection is free, many parties operating in the grey area have sought the protection provided by the CloudFlare service (hacker groups, escort services, etc.). This, in turn, has upset other customers and many other parties who tend to feel upset for various reasons, such as dinosaur fantasies of others.

This presented a problem to CloudFlare. Who should have the right to decide which websites are permitted and which are not? The solution was a fairly simple one: Websites will only be removed from the scope of the service through a court ruling and, correspondingly, special protection is offered to websites that are supported by any of predefined non-governmental organizations, such as EFF (in Finland, a similar body could be Effi). I believe others could also adopt a similar practice.

After two days of Black Hat presentations, it was time to move on to the next conference – Defcon. Defcon is rather an event built by hackers and enthusiasts, even though it has much in common with the more business-minded Black Hat, e.g., identical presentations.  In addition to good presentations, Defcon offers a diverse range of other activities, such as picking locks and beating tamper resistant controls. I was particularly pleased when a representative of TOOOL (The Open Organization of Lockpickers) said that Abloy locks are among the very best ("They are amazing, I love them, I only use Abloy"). When traveling abroad and looking at local locks, I often wonder why Abloy is not one of the world's largest corporations. The same goes for Oras and their taps. We do make innovations in Finland, but the problem is whether they end up in the global market or somewhere else entirely (see the picture)?

Taking advantage of psychology

One of the most popular competitions at Defcon was Capture the Flag (CTF), where the purpose was, through social engineering, to obtain as much information about the target company as possible, such as its used operating system, antivirus product, the name of its security company, etc. The best score was given if the target company was persuaded to enter a specific URL in their browser. The competition was arranged so that a competitor was placed in a phone booth, and the audience was able to hear what both the competitor and the target said. The target was typically the customer service person of a major corporation, such as Verizon.
 
I thought that the information obtained by the competitors was mostly useless because those who answered their calls did not usually possess the information the competitors were after, meaning that their answers were highly uncertain and, therefore, unreliable. Even entering a URL in the browser would not have led to any significant damage in an actual situation because many companies had restricted the use of the Internet. How many Finnish companies have done the same?

However, the competition had one particularly interesting feature, that is, how competitors were able to persuade the target to give out information and open a specific website. Some competitors were highly skilled, whereas others seemed to lack even basic skills in this area. Some consciously used a tactic which, according to textbooks, would not persuade people to act as intended; this was also proven by the competition. For instance, do not act like you are sick and slow – instead take a leading role and abuse the position of authority.

All in all, I witnessed two excellent information security seminars that I can honestly recommend to other professionals. The seminars had a lot to offer, and a lot remained unseen. Fortunately, I am able to return to both events through freely available material.