Technology

Posted on October 2, 2017 by staff

DEF CON’s secrets revealed: From tin hats to new hacks

Imagine attending an event with thousands of hackers from around the world where the fear of being cyber attacked is so real no-one uses public Wi-Fi, fewer people still wear name badges and some delegates take to wearing tin hats.

If this sounds like a script for an Arthur C Clarke novel then you’d be wrong. Welcome to DEF CON 25 in Las Vegas, the largest gathering of underground hackers in the world.

Founded in the early 1990s by American hacker Dark Tangent (real name Jeff Moss) the convention is now in its 25th year and is a magnet for everybody from hackers to law enforcement officials, security analysts and tech journalists.

As well as sharing the latest security threats, the big pull is the contests where delegates can pit their wits against some of the best hackers in the world to put security systems to the ultimate test.

It’s the reason why British cyber security firm Secarma sent a 10-strong team – which included a competing team of five hackers – over to this year’s four-day DEF CON 25.

The company provides penetration testing and consultancy services to clients around the world, and managing director Paul Harris described it as the “Olympic Games for the hacking community”.

Secarma’s technical director Mark Rowe is a veteran of the event, having first attended DEF CON 6. He’s seen it grow from a few hundred delegates in a small motel to this year’s convention in Las Vegas’ iconic Caesars Palace, which was attended by up to 30,000 people.

“The attendees for DEF CON 25 now are probably different to the ones that were there when I first went,” recalled 47-year-old Rowe to BusinessCloud.

“When I was there it was probably hardcore security people, some hackers and people from government agencies that were interested to keep track as to what these hackers were doing.

“Over the years, the cyber security industry has grown. You now have lots of companies that have their own pentesting teams, ethical hacking teams, so there’s people attending from the commercial side.

“You’ve still got the mix of hackers, the guys who are just interested in hacking, and the government spooks who attend, it’s just grown massively.”

So what was it really like at DEF CON 25? The event came on the heels of Black Hat, a conference and trade show for cyber security professionals.

Unlike Black Hat, which can cost several thousand dollars to attend, tickets for DEF CON are bought in cash for $250 without the need to leave a name, and people have to queue up from 6am.

Rowe says you simply don’t know who you’re standing next to, so security is the name of the game.

“For example you’re advised not to have any details about the company you work for,” he explained. “We didn’t take any work laptops, we took completely clean ones. We didn’t put Wi-Fi on or use Bluetooth. Some of the delegates even wore ski masks so they couldn’t be identified.

“Representatives of the US government are there but that side of things is probably overhyped. When I first went to DEF CON, there were 200 people there and you’d have government guys taking photos to find out who the people were.”

Harris added: “For people who operate on the wrong side of the law, they do get very paranoid if people suddenly pull out a camera and start taking photos.

“There’s a tin foil hat competition, so you’ve got people walking around in tin foil hats. It’s an industry based on paranoia so everyone there is slightly paranoid anyway. It’s the nature of the beast.

“DEF CON is the only conference I’ve ever been to where the presenters are getting hacked as they are presenting. They can see themselves being hacked as they’re talking and they’re very aware of it.”

It was the first time Harris had attended the event and he offered this advice to fellow DEF CON virgins. “I was told don’t wear a nice watch, don’t wear an expensive pair of shoes and don’t do anything that makes you stand out so you look different and it was good advice.”

Caesars Palace reportedly even closed its business centre for the duration of this year’s event in case hackers attempted to take control of its networks.

DEF CON 25 took over four floors of Caesars Palace, with the conference broken into ‘villages’ which focus on different aspects of security. For example there was an Internet of Things village; a car hacking village; and an industrial control system (ICS) village.

Set against a tacit acceptance that everyone is trying to hack you there were lots of parties, live music and merchandise. “It’s a bit like Glastonbury,” joked Rowe.

Harris says in their industry DEF CON is the one event an ambitious cyber security business like Secarma can’t afford to miss.

“We are an international team of more than 55 cyber security specialists, operating out of 20 cities in 10 countries around the world,” he explained. “Attending DEF CON is vital to our credibility.

“There are lots of small companies in this sector offering a basic level of testing but Secarma has got a very broad and deep specialisation in ethical hacking. We’ve got very talented people that operate in the top tier of hackers globally.

“One analogy would be that we’re a bit like the SAS to the army. We’re incredibly agile so we can swoop in and do this very clever stuff that normal businesses can’t.

“A lot of our customers have their own security teams but we bring a different perspective and skillset to validate and enhance their capabilities.”

Harris says the challenge facing the industry is trying to keep up with the cyber terrorists. “You’ve got some very smart people targeting businesses, particularly large organisations,” he said. “If you want to be vigorously tested yourself you need people that are better than the best bad guys.

“Big companies are being hacked all the time, several times a day if you’re big enough. That’s why you bring in the experts to try and find all the vulnerabilities that could be exploited before hackers come in and shut you down.

“Attending DEF CON enables a company like Secarma to showcase itself at the biggest hacking event in the world against the best of the best. By taking part in the competitions and doing well we can position ourselves as the best in the world.

“Think of it as the Olympics for hackers and our intention was to go out and win gold. We picked an Internet of Things competition because it’s a huge booming sector that’s notoriously insecure.”

Explaining how the competition worked, Rowe said: “We were provided in advance with a list of Internet of Things devices that would form the competition, including electronic padlocks, home routers, wireless routers and smart batteries.

“The competition was to find as many vulnerabilities in those devices as we could. Each vulnerability had a score. We bought four of the 20 devices before we left.

“Bear in mind that these devices are out there being sold with no known vulnerabilities in them so it’s a tough competition.”

Uniquely, the Secarma hackers were able to completely compromise all devices tested, finding a number of very serious vulnerabilities that surprised even the judges. Rowe added: “Our findings have been reported to the vendors to be fixed before further details of this competition can be released.”

Secarma entered a second competition to identify known vulnerabilities in a number of products. Harris said: “The second competition was a race to the finish and we entered it late because we were focusing on the first contest. A total of 92 teams took part and only 37 teams found one or more vulnerabilities. Only two teams had maximum points and Secarma was one of them. We were able to find all of the vulnerabilities in the limited time provided.”

Secarma’s success at DEF CON has already helped the company win a six figure contract from a US-based customer.

Harris said: “If an American customer is asked why they’re using a niche British company they’re able to justify it to their bosses because we’re among the best in the world.

“We can go to these global competitions and win. This is a great springboard for Secarma going into the end of 2017 and the beginning of 2018.”