By Hans-Petter Fjeld and Abel De Kat Angelino, Information Security Engineers at Basefarm
Cyber security is increasingly important to companies. We went to DEF CON to see what the hackers were doing.
DEF CON is one of the oldest and largest hacker conventions in the world. Held annually in Las Vegas, Nevada, it is the place to meet security professionals, researchers, government employees, students and every kind of hacker. Here are a few things we took away from DEF CON 26.
1) Why attend DEF CON?
We are a member of many cyber security organizations and attend many such events, but DEF CON has a pure focus on security. Many commerce-driven security events want to sell solutions, while at DEF CON it is all about real-world security and how things are hacked. They have everything you can think of, ranging from cryptographic attacks to hacking cars.
2) What trends were everyone talking about?
Connected devices and the internet of everything were a big topic. Bicycle locks, pacemakers, traffic lights, police body cameras, industrial control systems and voting machines are all connected and vulnerable. Even old technology is at risk: one good example was how someone targeted a fax machine and was able to get into the corporate network.
The attackers keep getting better, and they are currently attacking architectural issues deeper in the core of computers than many specialists have ever experienced, such as speculative execution, BGP internet routing, and SS7 mobile phone routing.
Another hot topic was the people behind the machines. Social engineering remains a major risk.
3) What did we enjoy the most?
We attended many presentations and workshops which could help us broaden our horizons and think about security in different ways. Hacking devices was fascinating, but we focused a lot on application vulnerabilities. It was a good experience to really think about what is going on in the background and what information you are sending when you use an application.
Another interesting topic was ethics. When you work in computer security you get to know flaws. Both the disclosure and the non-disclosure of these might directly impact the health and wellbeing of other people, and sadly it is sometimes not obvious how to handle these situations.
4) How can you learn more?
DEF CON has an interesting book list and VulnHub has a list of resources. Look up local hacker spaces. Some are more Maker-oriented than others, but you should be able to find a productive environment with knowledgeable people. Talking to like-minded people and broadening your mental horizon is important. Naked Security publishes the latest information. The Basefarm blog from our SIRT is also a good way to see what is happening and what we are doing.
5) Do you want recommendations on attending DEF CON?
The DEF CON FAQ provides a lot of helpful information, and we also recommend you read their rules of behavior. You can spend the entire time behind a computer, but you will probably get more out of the event by going out and talking to people. You can watch the presentations on video later. Take lots of notes so you don’t forget anything. If you work in information security, DEF CON is definitely something you should experience at least once.