The DEF CON experience

07 September 2017

I recently returned from DEF CON, a security conference held annually in Las Vegas, where I was selected to present a talk. This was the third time I’ve attended this particular conference, but my first time speaking - which made the experience very different!

DEF CON is one of the oldest, most prestigious, and biggest hacking conferences in the world (about 20,000 attendees), and as far as I know, PwC has never presented there, so it was a huge honour for me and the firm to have my talk accepted.

On the opening day of the conference I presented a talk called “See no evil, hear no evil: Hacking invisibly and silently with light and sound”. You can read the talk abstract here. If you’d like to see the talk itself, I’ll be presenting it at 44Con, BruCon, and the ISF Annual Congress too – so lots of chances to catch it!

The talk itself went really well and I got some positive feedback. It was great to share some of the research I’ve been working so hard on with other members of the security community.

Since my talk was on the first day, I was able to relax and enjoy the rest of the event. As well as going to lots of talks, I also wandered around some of the brilliant hacking villages. Of particular interest this year was the voting machine village; voting technology has been under a lot of scrutiny recently, and concerns about its security proved well justified when the machines on display were compromised within hours.

A common theme began to emerge from many of the talks I attended - the issue of raising awareness of security weaknesses. Andrew Robbins and Will Schroeder included a quotation in their talk which summed it up:

“As an offensive researcher, if you can dream it, someone has likely already done it…and that someone isn’t the kind of person who speaks at security cons.” - Matt Graeber

There’s often an ethical debate about whether security researchers should publicly reveal vulnerabilities, especially in cases where the vendor or manufacturer does not, or cannot, address the problem for whatever reason. And at DEF CON, a lot of vulnerabilities are publicly revealed for the first time.

I think Graeber is absolutely right, and with many of the vulnerabilities shown at DEF CON this year – from illicitly firing a protected smart gun, to biohacking, to finding security holes in cryptographic hash schemes – there are times when it could be irresponsible and unethical of researchers not to say anything. Nothing is gained from security by obscurity – but potentially, an awful lot is lost.

Imagine, for example, that a security researcher finds a vulnerability in a product you own – let’s say a smart security alarm. The vulnerability is quite serious, allowing a hacker to disarm the system remotely and enter your house. But the vendor doesn’t patch the problem (which does sometimes happen).

So should the researcher publish a redacted summary publicly, explaining the issue, so that you’re aware, can react, and take whatever steps you need to? Or would you rather find out about it for the first time after your house has been burgled?

If you’re a defender, responder, or investigator, your first and best weapon is awareness – of what attackers can do, and how they can do it. Attending events like DEF CON is one of the best ways to keep sharp, because it’s where the most interesting and most cutting-edge vectors and vulnerabilities are disclosed and discussed.

The phrase “think like a hacker” is overused – but if you want to really experience that mindset, go to DEF CON next year, speak to people there, and look at the papers, blogs, tools, and presentations they’ve produced. What you’ll find are people who, when they see a new device or software application, immediately think “does this have weaknesses in it? Can this device be subverted to do something malicious?” More often than not, the answers are yes – and those answers are then enthusiastically and critically discussed by some of the most talented people in the industry.

Ultimately, that’s one of the key benefits of attending. I’ve brought back some great ideas and new techniques to my role, as have my colleagues, which will increase the impact and capabilities of the Ethical Hacking Team here, and the Cyber Security business unit as a whole. And, of course, that means that we can provide an even better service to our clients.

So hopefully I’ll see you at DEF CON in the future – if you see me, make sure to say hello!

Matt Wixey | PwC Threat and Vulnerability Management Team