DEF CON 23—Part I: Hackers highlight evolving cyber threats

By Cordero Delgadillo on September 10, 2015

Faces lit by computers, the hackers’ objectives were clear — attack and defend. At this year’s DEF CON, the largest hacker convention in the United States, pre-qualified teams of hackers from around the globe faced-off in a network-security simulation that combined network sniffing, cryptanalysis, programming, reverse-engineering, and other tactics that would make Lisbeth Salander blush. Back in 1993, the first DEF CON had roughly 100 participants. This year, badges dangled from the necks of nearly 20,000 attendees, including hackers, lawyers, academics, journalists, and government officials.

DEF CON has an edgy narrative — it’s notorious for criminal exploits, wild parties, and Mohawk-fitted outcasts. But that story line is much too simple. And “too simple” is what security researchers—or hackers, depending on your sensibilities—proclaim after they expose the vulnerabilities in products and infrastructure we rely on daily.

Below are highlights and insights from presentations at DEF CON 23 that illustrate the evolving cyber risks and policy dilemmas facing governments, individuals, and the private sector.

“Working Together To Keep the Internet Safe and Secure” (Alejandro Mayorkas, Deputy Secretary of U.S. Department of Homeland Security):

I’m just here to talk: Mayorkas didn’t prepare remarks. He simply expressed the U.S. government’s commitment to gain the security community’s trust. Hackers make up a talent pool that the Department of Homeland Security doesn’t want to isolate – Snowden’s revelations did just that.
Insight: Governments have strong interests in recruiting individuals and companies to share cyber threat intelligence. DOD contractors must report cyber incidents, and pending legislation would mandate such sharing for all companies.

“Bugged Files: Is Your Document Telling On You?” (Daniel Crowley and Damon Smith):

These aren’t bugs, they’re features: Crowley and Smith expanded on prior research that demonstrated how office documents and other file formats include features that allow attackers to alter the files leading to data loss, de-anonymization, and compromised credentials.
Insight: Features that offer efficiency can create vulnerabilities – this applies to business process efficiencies as well (e.g., vendors).

“Stagefright: Scary Code In The Heart Of Android” (Joshua J. Drake):

950 million devices affected: Drake demonstrated the weakness of mobile operating systems. He explained how an attacker can compromise a user’s device without user interaction (e.g., by sending and recalling a text message). The attack can provide access to the camera feed, external storage, and other applications.
Insight: Mobile computing is on the rise and, with reports of 291,887 new malicious mobile programs in Q2 2015, hackers will continue to target mobile.

“Drive It Like You Hacked It: New Attacks and Tools to Wirelessly Steal Cars” (Samy Kamkar):

Dude, where’s my car? Kamkar demonstrated how a Mattel children’s toy can be used to unlock fixed-code garage doors, and how low-cost tools can unlock more secure garage doors and even car doors.
Insight: It’s not just your data that’s at risk. Property and profits are vulnerable too – researchers caused Fiat Chrysler to recall 1.4 million vehicles vulnerable to hacks that wirelessly control and shut down vehicles. Congress is stepping up too: SPY Car Act of 2015.

“Looping Surveillance Cameras Through Live Editing of Network Streams” (Eric Van Albert and Zack Banks):

Ready for Hollywood. Albert and Banks demonstrated (live from start to finish) how to hack and loop a surveillance camera with a raspberry pi, physical access to the Ethernet cable, and some Python coding prowess.
Insight: Security is only as good as the weakest link or, in this case, the security of your Ethernet cable. Are access points to your security systems properly controlled?

“Are We Really Safe? – Bypassing Access Control Systems” (Dennis Maldonado):

No need for a keycard: Dennis demonstrated how he created his own access code, tampered with access logs, and wirelessly controlled access points for a common commercial access control system.
Insight: Commercial acceptance doesn’t guarantee reliability. The exploits demonstrated by Dennis suggested that security was an afterthought for this manufacturer – all too often the case. For example, 70 percent of IoT devices are reportedly vulnerable to attacks, including a “smart” sniper rifle that was hacked to change the target.

“When The Secretary of State Says, ‘Please Stop Hacking Us…’” (David An, Former U.S. Diplomat):

Cyber diplomacy is gridlocked: David discussed the roadblocks in senior dialogues on cyber diplomacy, namely, the attribution problem and the disclosure dilemma.
Attribution problem: The U.S. government won’t attribute an attack to another nation unless it is nearly 100 percent certain. But once Uncle Sam points the finger, the accused nation wants the U.S. to prove attribution, which creates the disclosure dilemma.
Disclosure dilemma: If the U.S. provides the information to verify attribution, the other nation will use that information to obfuscate their next attack, or worse yet, eliminate the asset.
Insight: Despite the 2014 indictment of five Chinese military officials and a 2015 executive order that may result in economic sanctions against companies and governments for hacking, nation-state campaigns continue to target U.S. companies. Thus, companies should strive to remain aware of evolving nation-state tactics (and criminal tactics) in order to establish proper defenses.

Next week, Part II of this series will share DEF CON lessons on how to improve execution of your cyber risk management strategy.