DEFCON 2019

August 16, 2019

I am certainly no expert when it comes to DEFCON, I mean this was only my second year at the infamous #HackerSummerCamp.  For those of you who don’t know, DEFCON is one of the largest hacker conferences in the United States.  It is held in Vegas every August, and you’d think this time of year might scare people off - NOPE!  This year was its 27th year, taking place between Planet Hollywood, Bally’s, and the Flamingo.  Basically (and no offense) it’s a lot of really nerdy people (last I heard, roughly 30 thousand) hanging out for a while in Sin City.  There are a couple of other cyber conferences happening throughout the week - namely Black Hat (for the C-level types), and BSides (good luck getting into the one in Vegas).  Basically, Black Hat is a little more tame and with more vendor babes, and BSides is more organic but really limited on tickets.  Both are really great opportunities; I went to Black Hat last year and took a really great training on Active Defense for Red and Blue Teams.

So DEFCON… why go?  Well, have you ever been to nerdy summer camp?  The badges are made from circuit boards (!!), and change every year.  I’ve yet to dive deep into the badges, so I am the last person you should talk to about them, but a lot of people make a really big deal about “tapping” their badges with other folks throughout the con.  Depending on what you’re there for (speaker, vendor, village, black badge, goon, etc.) you get a different badge color.  You have talks upon talks upon talks.  Literally anything you could think of, you could find a talk on - side channel cryptanalysis, encryption, magic, social engineering, etc.  There’s a book you get when you register that details a lot of stuff throughout the weekend, plus an app to download if you’re brave enough that contains all the official talks and events for the weekend.  Plus there’s Twitter.  I’m not personally a Twitter user, but I re-downloaded it for DEFCON, and might actually stick with it because there was a lot of really great information shared on that silly platform. 

Let me touch on black badges really quick, because I think it’s a really cool idea.  DEFCON hosts quite a few different contests and capture the flags - from Blue Team, to Red Team, to Social Engineering, you name it.  If you win one of those contests, you get a black badge, which means you get into DEFCON free of charge for the rest of your life.  It’s not about the money, but those bragging rights seem pretty darn cool.

Lol.  Whitney won the Social Engineering CTF black badge last year (2018). 

So what did I see and do?  I got on site fairly early Thursday morning, after the initial rush, and thankfully didn’t have to wait in line for my badge.  I had already scoped out some of the villages and events, and I knew most things weren’t actually starting up until Friday morning other than the Social Engineering (SE) village.  After some wandering through Planet Hollywood and Bally’s to start figuring out where everything was, I decided to head up to the SE Village to watch some of the capture the flag exercises.  Most of these don’t allow photos or recordings, but basically it’s folks who have spent months doing open source intelligence gathering (OSINT), then get to sit in a soundproof little box and call their targets to see what kind of information they can get.  One rule is that they aren’t allowed to actually talk to anyone during their research.  From there, they had Robin Dreeke on, a former FBI behavioral specialist and author of The Code of Trust, to talk about relationship building and communication with regard to social engineering.  This could be a whole separate article if anyone is interested.  He stood around outside talking to people for a good hour and a half after his talk; I meant to ask him to grab a coffee at Hyperion, a Fredericksburg staple, but it totally slipped my mind.  That’s what Twitter is for, right?  One of his sage pieces of wisdom to remember is that all people want are “sex, drugs, rock and roll, chocolate, and non-judgmental validation”.  From there, you’re set.

@rdreeke – “all people want are sex, drugs, rock and roll, chocolate, and non-judgmental validation.”

The rest of the time was spent exploring villages.  Lock picking tables were full every time I tried, which just gives me motivation to sit and do lock picking while I’m watching movies (hah, like I actually have time to watch movies).  Spent some time in the car hacking village, watched a Tesla get blown up, and got to do a stint in a Hellcat simulator.  Let me just say, I wish I had a 5 car garage so I could set up a driving simulator like this one.  That’s an awesome hacking job.

And how could I be a Rogue and not stop at the Rogue’s Village?!  Saw some pick-pocketing techniques, and how to apply them with a social engineering mindset.  They did a talk on verbal steganography, which is just as it sounds - talking in code.  While interesting in theory, it’s nothing new; it just has a sexy new name now.

This is Francesca.  Good luck picking her pockets.

Next to Rogue’s Village was the lock bypass village.  How do you break into something without the typical lock picking tools we’ve become so accustomed to, or without the human element to simply let you in through the front door?

It really is summer camp for cyber kids.  One of the biggest downsides of DEFCON is that there’s almost too much going on.  A lot of people complain about the lines (it is kind of ridiculous), about the number of people, about the sun in Vegas (in summer…), whatever.  All valid.  My complaint, and this isn’t actually a complaint, is that there are just so many cool things to do.  Want to learn how to solder and make your own badge?  There’s a village for that.  Drones?  Yep.  Cloud?  Yep.  They even have a separate track of talks called Skytalks which are no photos, no video, no nothing.  All off the record from some of the top people in the field.  Want a USB cable that charges a phone and pushes out an exploit while it's at it?  Want tutorials from expert locksmiths on how to pick locks?  Want to practice your red teaming skills?  Want to learn how to hack a car?  DEFCON quite literally has something for everyone, even if you’re not super techy.

And while it’s not necessarily recommended (it is Vegas), if you have kids that are interested in this world, you can absolutely bring them.  The Social Engineering village has contests just for kids and teenagers, which was really cool to see. 

Oh yeah, and you can get cool little toys like this (check back later for more information).

If you know what you want, you can make DEFCON exactly what you want.  My suggestion, and something I haven’t done myself in the past two years, is to just focus on one or two areas and dive deep into those.  I spent too much time wandering around from village to village, and to be fair - that’s how my brain works.  I just want to learn and do it all, but I’m sure there’s a better way to go about it.

So there’s your thirty-thousand-foot overview of DEFCON.  I’m going to keep going back as long as work will let me, and maybe next time I’ll be able to play a little more instead of watching from the sidelines.  Happy to answer any questions that might come up; I’m trying to be on Twitter more since it seems like that’s where the world still lives (what? I know) - @A11Ynb02
