If you were to ask us what exactly DEFCON is, we would say it’s a ‘perspective’. For some, it is a playground of round-the-clock “Capture the Flag (CTF)” contests; for others it’s about the talks and learning new attacks; and for most it’s about meeting, in one single place, people whose affiliations and interests vary wildly. Among the more than 20,000 attendees we met code breakers, security developers, government agents, and legal advisors, to name a few.
Unlike the previous year, this year’s official DEFCON badge was electronic. It carried a set of hidden puzzles put together as a game. The game was interactive: the badge could be connected to a computer, where a shell prompt accepted commands, or badges could be connected to one another. Plugged into a laptop, it played like an early-2000s text adventure. You could track your progress on the map that makes up the face of the badge, which was brilliant. Making sense of the blinking LEDs pushed us to work our way through the game.
Moving through the hallways (while dodging the slow-moving streams of people) we were able to get to some interesting talks.
- An Attacker Looks at Docker – Approaching Multi-Container Applications: This talk was aimed at attackers, pen testers, and red teams. It explored the container world and helped attendees become more familiar with containerized environments. The talk showed how a Linux container exposes various services, then described and analyzed the exploitation of those services to gain a foothold in the container. The key takeaway was that an attacker unfamiliar with containerized platforms can still identify and effectively attack them in real-world offensive engagements whenever the components inside the container are not properly protected.
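As an added illustration of what “not properly protected” looks like from inside a container (this is our own triage script, not material from the talk), the snippet below reads the kind of data an attacker with a shell in a container checks first: which services are listening, which Linux capabilities the process actually holds, whether the Docker socket or secret volumes are mounted, and whether credentials sit in environment variables. The `/proc` snapshots and environment dictionaries are constructed here so the script runs offline; the risky-capability list and the secret-name pattern are our assumptions.

```python
"""Triage a Linux container from the inside.  Added example with
constructed /proc snapshots; the checks are the editor's own assumptions
about what 'not properly protected' looks like, not the talk's material."""
import os
import re
import socket

# Capability names indexed by bit number, as in linux/capability.h.
CAP_NAMES = (
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
)
# Capabilities that usually turn a container foothold into host access (assumption).
HIGH_RISK_CAPS = {
    "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_net_admin",
    "cap_dac_read_search", "cap_sys_rawio",
}
SECRET_ENV = re.compile(r"PASS|SECRET|TOKEN|KEY", re.I)  # assumption


def decode_caps(cap_hex: str) -> set:
    """Turn a CapEff bitmask (hex, as printed in /proc/<pid>/status) into names."""
    mask = int(cap_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def effective_caps(status_text: str) -> set:
    m = re.search(r"^CapEff:\s*([0-9a-f]+)", status_text, re.M | re.I)
    return decode_caps(m.group(1)) if m else set()


def listening_sockets(net_tcp_text: str) -> list:
    """Return 'ip:port' for every socket in LISTEN (state 0A) in /proc/net/tcp."""
    found = []
    for line in net_tcp_text.splitlines()[1:]:          # skip the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        addr_hex, port_hex = fields[1].split(":")
        ip = socket.inet_ntoa(bytes.fromhex(addr_hex)[::-1])  # procfs stores it little-endian
        found.append(f"{ip}:{int(port_hex, 16)}")
    return found


def find_exposures(status_text, mounts_text, net_tcp_text, environ) -> list:
    findings = [f"listening service: {s}" for s in listening_sockets(net_tcp_text)]
    findings += [f"capability: {c}" for c in sorted(effective_caps(status_text) & HIGH_RISK_CAPS)]
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        target = fields[1]
        if target.endswith("docker.sock"):            # host control plane inside the container
            findings.append(f"docker socket: {target}")
        elif "/secrets" in target:                     # Docker/Kubernetes secret volumes
            findings.append(f"secret mount: {target}")
    findings += [f"env secret: {k}" for k in sorted(environ) if SECRET_ENV.search(k)]
    return findings


# Constructed snapshots: a hardened container next to a privileged, leaky one.
NET_TCP_HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
HARDENED_STATUS = "Name:\tpython3\nCapEff:\t00000000a80425fb\n"   # Docker's default cap set
PRIVILEGED_STATUS = "Name:\tpython3\nCapEff:\t000001ffffffffff\n" # --privileged
HARDENED_MOUNTS = "overlay / overlay rw,relatime 0 0\nproc /proc proc rw 0 0\n"
LEAKY_MOUNTS = (HARDENED_MOUNTS
                + "/dev/vda1 /run/docker.sock ext4 rw,relatime 0 0\n"
                + "tmpfs /run/secrets/kubernetes.io/serviceaccount tmpfs ro 0 0\n")
HARDENED_NET_TCP = NET_TCP_HEADER + "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0\n"
LEAKY_NET_TCP = (NET_TCP_HEADER
                 + "   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2 1 0 100 0 0 10 0\n"
                 + "   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3 1 0 100 0 0 10 0\n"
                 + "   2: 0100007F:C2D4 0100007F:0050 01 00000000:00000000 00:00000000 00000000     0        0 4 1 0 100 0 0 10 0\n")
HARDENED_ENV = {"PATH": "/usr/bin", "HOME": "/root"}
LEAKY_ENV = {"PATH": "/usr/bin", "DB_PASSWORD": "hunter2", "AWS_SECRET_ACCESS_KEY": "AKIA..."}

if __name__ == "__main__":
    # Run for real inside a container (Linux only); falls back to the constructed sample elsewhere.
    try:
        with open("/proc/self/status") as f, open("/proc/mounts") as g, open("/proc/net/tcp") as h:
            results = find_exposures(f.read(), g.read(), h.read(), os.environ)
    except OSError:
        results = find_exposures(PRIVILEGED_STATUS, LEAKY_MOUNTS, LEAKY_NET_TCP, LEAKY_ENV)
    for finding in results or ["nothing obvious exposed"]:
        print(finding)
```

Against the constructed hardened snapshot the only finding is the application's own listener on 8080; against the privileged one the script lists the six high-risk capabilities, the mounted Docker socket, the service-account secret volume and two credential-bearing environment variables. A defender can run the same checks in CI to fail a build before the container ever ships.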
- Last mile authentication problem – Exploiting the missing link in end-to-end secure communication: This session showed how vulnerabilities on the endpoint itself can render secure network communication useless. A TLS session protects data in transit, but the final hop, between processes on the same machine, is often unauthenticated. The focus was on the security of various inter-process communication (IPC) mechanisms. Weaknesses in IPC could allow a non-privileged process to obtain privileged information such as passwords. The key take-away for network administrators and defenders is to be aware that these issues exist and to protect their environments through additional hardening and patching.
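To make the “missing link” concrete, here is an added example of our own (not code or findings from the talk): a client that trusts whatever is listening on a localhost TCP port, an unprivileged impostor that simply binds that port first and receives the secret, and a client that refuses to send until the kernel confirms the peer’s user ID over an AF_UNIX socket with `SO_PEERCRED`. The Unix-socket part is Linux-specific and uses `socketpair()` as a stand-in for connecting to a server’s socket path, so the peer it sees is the current process; the secret value is a placeholder.

```python
"""Why the local hop needs its own authentication.  Added example, not
from the talk: a naive client that trusts whatever answers on localhost,
and a client that checks the server's identity with SO_PEERCRED (Linux)."""
import os
import socket
import struct
import threading


def naive_localhost_client(port: int, secret: bytes) -> None:
    # Trusts whoever is listening on 127.0.0.1:<port>.  TLS on the network
    # side says nothing about who owns this socket.
    with socket.create_connection(("127.0.0.1", port)) as conn:
        conn.sendall(secret)


def impostor_captures(secret: bytes) -> bytes:
    """Any unprivileged local user can bind a free port first and receive
    what the naive client sends to it."""
    impostor = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    impostor.bind(("127.0.0.1", 0))          # kernel picks a free port; no privilege needed
    impostor.listen(1)
    port = impostor.getsockname()[1]
    captured = []

    def serve():
        conn, _ = impostor.accept()
        with conn:
            captured.append(conn.recv(1024))

    worker = threading.Thread(target=serve)
    worker.start()
    naive_localhost_client(port, secret)     # the victim believes this is its helper service
    worker.join()
    impostor.close()
    return captured[0]


def peer_uid(conn: socket.socket) -> int:
    """Kernel-asserted uid of the process on the other end of an AF_UNIX socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", raw)   # struct ucred {pid, uid, gid}
    return uid


def careful_client_sends(secret: bytes, trusted_uid: int) -> bool:
    """Send only if the kernel says the server runs as the expected user.
    socketpair() stands in for connect()ing to the server's socket path."""
    server_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        if peer_uid(client_end) != trusted_uid:
            return False                      # refuse: unknown peer, nothing leaks
        client_end.sendall(secret)
        return server_end.recv(1024) == secret
    finally:
        server_end.close()
        client_end.close()


def demo(secret: bytes = b"hunter2") -> dict:
    """Run both scenarios; the SO_PEERCRED checks are None on non-Linux hosts."""
    result = {"impostor_got": impostor_captures(secret),
              "sent_to_same_uid": None, "sent_to_other_uid": None}
    if hasattr(socket, "SO_PEERCRED"):
        result["sent_to_same_uid"] = careful_client_sends(secret, os.getuid())
        result["sent_to_other_uid"] = careful_client_sends(secret, os.getuid() + 1)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The TCP half shows the failure mode the talk is named after: nothing in the localhost connection tells the client who answered, so binding the port first is enough. The Unix-socket half shows the cheapest fix on Linux: ask the kernel for the peer’s credentials and compare against the identity the server is supposed to run as, before any secret leaves the process.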
- With the increase in the use of, and interest in, cryptocurrencies, there has been significant growth in the number of people trying their luck at investing in them. It should be no surprise, then, that crypto exchanges appeal to attackers. The talk on Protecting Crypto Exchanges aimed to highlight the major issues with crypto exchanges from a Man-in-the-Browser (MITB) perspective. It illustrated many incidents in which known malware families attacked popular crypto exchange websites. It also discussed currently available defenses such as multi-factor authentication and strong SSL/TLS, and recommended additional measures that may be needed to limit these attacks. Worth keeping in mind: transport encryption alone does little against MITB malware, which reads and alters pages inside the browser after TLS has already been removed.
- Automating DFIR: The Counter Future: this talk firmly planted the idea of automation as the future of DFIR (Digital Forensics and Incident Response) in all of our minds. It was interesting to hear about the speaker’s experience with DFIR in the cloud, and how to do it in a robust way using some handy automations and open-source tools.
- Cloud Security Myths: highlighted the progress of the enterprise toward multi-cloud/hybrid-cloud and the security challenges that come with it, including security in what is technically a “serverless” world. This presentation debunked common myths starting with the basic shared security responsibility model and going all the way to Cloud Access Security Brokers (CASB) and modern incident response.
- Common myths include:
  - The cloud is not secure
  - The cloud is perfectly secure
  - Cloud security is too complex to maintain
  - All cloud service providers are the same
  - On-premises systems are so much safer
- However, the reality is more like this:
  - Perimeter-based security doesn’t apply
  - The threat surface is distributed
  - You will need new tools
  - You will probably need new policies, procedures, etc.
  - Lots of “cloud” options means lots of “cloud security” options
Elsewhere at the conference:
- One of the villages that attracted a lot of attention was the one dedicated to hacking voting machines used in the US election process. The same scenarios and equipment were made available to participants during DEFCON and r00tz, the DEFCON event for kids. The results of these hacking exercises were shared with interested government professionals to help them better protect election systems.
- Ongoing contests in which teams compete in multiple hacking “games”, including Capture the Flag and Hacker Jeopardy.
The AI village, in particular, took an interesting angle on security: the use, as well as the potential misuse, of artificial intelligence in traditional security work. The talk Machine Learning for Network Security focused on how to create your own machine learning (ML) model and then test it against the models created by other participants. It was interesting to take a piece of malware, deduce the features of that malware, and then create a working Python ML model to detect it.
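The exercise above in miniature, as an added example that is ours rather than the village’s material: derive a handful of features from a sample (byte entropy, printable-byte ratio, and hits on a small list of process-injection and download APIs), train a logistic-regression classifier written from scratch so nothing beyond the standard library is needed, and test it on held-out samples. The “malware” and “benign” samples are constructed byte strings, not real binaries, and the feature set and API list are our assumptions.

```python
"""Feature extraction plus a from-scratch logistic-regression detector.
Added example in the spirit of the AI Village exercise; samples are
constructed here, not real malware, and the three features are the
editor's choice, not the village's."""
import math
import random
from collections import Counter

# Imports seen far more often in injectors and droppers than in ordinary apps (assumption).
SUSPECT_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread",
                b"SetWindowsHookEx", b"URLDownloadToFile", b"WinExec")


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted payloads sit near 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def features(sample: bytes) -> list:
    """Three features, each scaled to roughly [0, 1]."""
    printable = sum(32 <= b < 127 for b in sample) / len(sample)
    api_hits = sum(api in sample for api in SUSPECT_APIS)
    return [entropy(sample) / 8.0, printable, api_hits / len(SUSPECT_APIS)]


def sigmoid(z: float) -> float:
    z = max(-60.0, min(60.0, z))            # keep math.exp in range
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, labels, epochs: int = 2000, lr: float = 0.5):
    """Stochastic gradient descent on logistic loss; returns (weights, bias)."""
    xs = [features(s) for s in samples]
    w, b = [0.0] * len(xs[0]), 0.0
    for _ in range(epochs):
        for x, y in zip(xs, labels):
            err = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b) - y
            w = [wi - lr * err * xi for wi, xi in zip(w, x)]
            b -= lr * err
    return w, b


def predict(model, sample: bytes) -> float:
    """Probability that the sample is malicious."""
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, features(sample))) + b)


def classify(model, sample: bytes, threshold: float = 0.5) -> str:
    return "malicious" if predict(model, sample) >= threshold else "benign"


def packed_blob(seed: int, size: int = 512) -> bytes:
    """Deterministic pseudo-random bytes standing in for a packed payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed training set: plain-text-ish benign files vs packed blobs with injection imports.
BENIGN = [
    b"GetVersionExA\x00MessageBoxA\x00printf\x00Hello from notepad\x00" * 8,
    b"[settings]\nlanguage=en\ntheme=dark\n" * 16,
    b"LoadLibraryA\x00GetProcAddress\x00ExitProcess\x00calc.exe\x00" * 8,
    b"<html><body>Hello</body></html>\n" * 12,
]
MALICIOUS = [
    packed_blob(1) + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00",
    packed_blob(2) + b"URLDownloadToFile\x00WinExec\x00SetWindowsHookEx\x00",
    packed_blob(3) + b"VirtualAllocEx\x00CreateRemoteThread\x00WinExec\x00",
    packed_blob(4) + b"WriteProcessMemory\x00CreateRemoteThread\x00URLDownloadToFile\x00",
]
HELDOUT_BENIGN = b"WriteFile\x00ReadFile\x00kernel32.dll\x00config loaded\x00" * 8
HELDOUT_MALICIOUS = packed_blob(99, 256) + b"CreateRemoteThread\x00VirtualAllocEx\x00"

if __name__ == "__main__":
    model = train(BENIGN + MALICIOUS, [0] * len(BENIGN) + [1] * len(MALICIOUS))
    print("weights:", [round(x, 2) for x in model[0]], "bias:", round(model[1], 2))
    for name, sample in (("held-out benign", HELDOUT_BENIGN),
                         ("held-out malicious", HELDOUT_MALICIOUS)):
        print(f"{name}: {classify(model, sample)} ({predict(model, sample):.3f})")
```

The toy separates cleanly because the constructed classes differ on every feature; real samples do not, and each feature is something an adversary can game (appending plain text lowers entropy, resolving APIs by hash removes the import strings), which is exactly why the village pits participants’ models against each other.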
Even getting into the parties is a hacking quest. Some locations are revealed only once you make sense of various clues and solve riddles; others require social engineering to get your name onto the invitee list.
Overall, DEFCON was a great opportunity to mingle with and learn from the broader security community. That community helps keep our knowledge and skills up to date, and we in turn share our discoveries and best practices with it. The event also provides invaluable tools and insight that help us better mitigate threats and continue to evolve our own Adobe SPLC (Secure Product Lifecycle) process.
Cloud Operations Security Researcher
Cloud Security Development Engineer