Internal DEFCON 23 Presentation

Transcript

1. DEFCON 23 Overview A little bit about what I learned

   from a hacker convention

2. My Goals for DEFCON • Identify skills that would be

   useful for participating or leading future security audits. • Figure out skills for presenting so that the information that I have can be communicated back to other members of the office. • Find gaps in my current understanding of infosec. • Network with other groups in Infosec • Figure out scenarios for testing, ctf, and red and blue teams.
3. None
4. None
5. None

6. Lingo • People – DT – Dark Tangent – 1o57

   – Lost • Goons : Staff that work for DEFCON • Casino : Security that work for the Hotel / Casino. • 3-2-1 Rule : 3 hours of sleep, 2 meals, and 1 shower per day. • CTF : Capture the Flag, activity of using various skills to capture or recover data as a competition.

7. Culture of DEFCON • DEFCON is Americas Largest Hacker Convention

   (including White, Gray, and BlackHat) this year it was estimated as 17k hackers. • DEFCON is a cash culture • There are no real names at DEFCON • Paranoia... There really is a spy(hacker) behind every tree.

8. Cultural things I learned • Phones – iPhone out number

   android phones 6:1 – Everyone hates iPhone – Most android phones – Android phones mostly attached to SDRs • People – Male to Female ratio seems close to 60/40 – Heavy emphasis on edge groups: LGBT, AA, Deaf

9. Cultural things I learned (cont). • Technology – Windows is

   very common, or at least more so than I thought. – The Split seems to be about 33% Windows / Linux / Mac

10. Black Badge / Uber Badge

11. The Badge Challenge • Two Types of Badges – Mechanical

    / Board Badges – “Fancy” Badges (this year) • [Insert Audio] • The Badge is a competition that is solved has to be solved as a group, winning could mean scoring an uber badge.

12. THE DEFCON WIFI • THERE ARE 2 WIFIS @ DEFCON

    – OPEN – SECURE (?!?!?!?) • DONT CONNECT TO THE DEFCON WIFI • IT IS BEING ACTIVELY HACKED • USING PRACTICES TO KEEP YOU SAFE WILL GET YOU KICKED • THERE ARE 0 DAY ATTACKS THAT ARE LAUNCHED ON BOTH • I TOTALLY CONNECTED TO THE WIFI

13. Packet Capture Village / Wall of Sheep

14. Groups of People Represented • Hackers • Press • Vendors

    • Artists • Goons

15. Talks • Tech Talks • EFF Talks • Village Talks

    • Research Talks

16. Villages • Biohacking Village • Car Hacking Village • Crypto

    & Privacy Village • ICS Village • IoT Village • Lockpick Village • Social Engineering Village • Tamper Evident Village • Wireless Village • Packet Hacking Village

17. Registration: 22K People All Cash ($230) 2:35 min start to

    finish

18. DAY 0 • 7 a.m. - I got in line

    • 9:30 a.m. - I got registered, this year the badge was a “fancy” badge. • Day 0 only had two tracks DEFCON 101, and Track 4. • Introduction to SDR and the Wireless Village • DEFCON 101 : The Panel (Must See for Attendees) • Beyond the Scan: the value proposition of vulnerability assessment • CRASH! • DEFCON Movie Night

19. Day 1 • Welcome to Defcon 23 – Opening Ceremony

    – Wassenaar – Uber Badges • Crypto Village – Peerio • CTF • Crypto Village Challenge • Hacker Jeopardy Qualifiers • Chellam – a Wi-Fi IDS/Firewall for Windows (Defeating Pineapples) • LTE Recon and Tracking with RTLS-DR (Good) • I Will Kill You (Hacking issues with Birth and Death) (Scary) • Net Ripper: Smart Traffic Sniffing for Penetration Testers (Technical) • Hooked Browser Meshed Networks with WebRTC and BEEF

20. Day 2 • Workshop: Security Auditing Mobile Applications – WOW...

    – I'm not going to go too far in-depth, because I want to present this material separately • Crypto Village: Antisocial Networking (meh) • Hacking Quantum Cryptography (Good, sciencey) • Abusing XSLT for Practical Attacks (Skip – unless you don't know about IEEE Float) • Let's Encrypt – Minting Free Certificates to the Encrypt the Entire Web (EFF) • NSA Playset

21. Day 3 • Car Hacking Village • Tamper Resistant Village

    • Lockpick Village • IoT Village. • Hijacking Arbitrary .NET Application Control Flow (we have a problem) • RFIDiggity: Pentester Guide to Hacking HF/NFC and UHF RFID • Closing Ceremony

22. Grayfrost / Graystorm  http://www.tophertimzen.com/blog/dotNetMachi neCodeManipulation/

23. Themes • Wireless Band Attacks • Legislation (Wassenaar) • RoboCall

    • BioHacking • Car Hacking

24. Things to Do • Challenges • Scavenger Hunt • Capture

    the Flag • Crash and Compile • Hacker Jeopardy • The Sky Lounge • Kali Dojo

25. Cool Tools and Sites • http://www.gameofhacks.com/ • https://www.hackthissite.org/ • http://www.securitytube.net/

    • https://peerio.com/ • https://ctftime.org/ • https://samsclass.info/ • https://letsencrypt.org/ • http://www.nsaplayset.org/ • http://www.opensecuritytraining.info/Welcome.html • https://dc23.crashandcompile.org

26. What I learned • I feel like I've gotten 3-4

    years better just by exposure to all of these technologies. • DEFCON is really geared at teams. • A LOT about tech and security • I’ve already registered for next year.