DEFCON 2011 follows close upon the heels of Black Hat this week in Las Vegas. Mark Underwood picks out a few talks and workshops of note from the packed schedule.
When the idea of a hacker's convention was born in 1993, in computing terms, we had scarcely come out of the Ada era, and no one had heard of Netscape (except Cisco, who originally owned the name, not the idea). Fast forward 19 years, and you'll see that DEFCON, as it came to be known, is still alive and kicking. Unlike many other such conferences and programs, DEFCON won't break your wallet. A SANS class can set you back a couple thou, and Black Hat 2011 — which concludes just before DEFCON 19 and gives the latter a coat-tail boost — costs as much as $2500. Your DEFCON 19 minimalist, no-frills budget will be a mere $150 plus per diem at the Rio Hotel and Casino August 4-7 in Las Vegas. Well, it gets you in the door, at least.
Below are some of the more interesting topics being covered at DEFCON.
Workshops at DEFCON are inexpensive and cover timely subjects. "Car Hacking" will introduce you to car network standards and perhaps let you snoop on the signals that the mechanic has been claiming all these years are the reason your RAV4 Check Engine light is permanently on. Robert Leale (of canbushack.com) explains CAN bus and ISO-15765-2. Then you'll be ready for the talk by Tyler Cohen, "Look at What My Car Can Do."
A team from 7Safe.com covers the ever-popular SQL Injection. While not a new or exciting vulnerability, the era of static content is pretty much history for many sites, and the 7Safe team claims that as many as 30% of websites allow for some sort of SQL exploitation. If you're new to the SQL Injection party, give yourself pretty much the entire day (10:00 to 19:00) to come to terms with this one (only $200). Blake Turrentine of HotWAN offers an equally extensive introduction to mobile hacking. This one should interest all system administrators. While a mobile vulnerability may be no more likely than others to be exploited, it is more likely to affect your CEO and C-level personnel. Rob Havelt and Steve Ocepek of Trustwave cover the latest man-in-the-middle attacks, including SLAAC, a zero-day vulnerability in IPv6 setup on some Windows 7 machines.
Noteworthy speakers and topics
Here's a short list of talks among many that deserve attention.
- Kenneth Geers of the Naval Criminal Investigative Service proposes "four nation-state approaches to cyber attack mitigation." No, DEFCON isn't just for project hackers. (P.S. IPv6 provides the basis for one approach.)
- Two engineers from GoDaddy suggest some approaches to Voice Data Leakage Prevention. G. Devarajan and D. Lebert will remind listeners that switching to voice communications will not necessarily prevent exfiltration of financial or medical data, and that insider threat risk assessments should consider this channel as well as the usual ones.
- Traditionalists will be pleased to hear that "Deviant Ollam" is reprising the topic of lockpicking, this time for gun safes. Ollam believes most gun lockboxes are easily compromised by a determined adversary.
- As network professionals push out VMs like so many summer cicadas, Nelson Elhage's demonstration of breaking out of KVM, the Linux Kernel Virtual Machine, is a sobering reminder of possible risks that may be hiding somewhere in the thorax of those VMs. Elhage uses "a fully-functioning exploit" to explain some of the challenges for would-be attackers.
- For many organizations, SOA and web services have moved from textbook to "hopefully hardened," yet not all enterprises will have developed practices to support secure web service development or testing. Tom Eston, Josh Abraham and Kevin Johnson will "release an updated web service testing methodology" that can be used for pen testing, and review new Metasploit modules and exploits.
- DEFCON 19 would not be complete if it failed to address some aspect of cloud security. Dell's Ben Feinstein and Jeff Jarmoc contemplate ways in which credentials in Amazon Web Services could unintentionally persist in the cloud and fall into the hands of third parties. They will release their tool "AMIexposed," which can check whether your Amazon Machine Image (a VM) is advertising something better kept under wraps.
DEFCON 19 has many events planned. Even if you can't make it, come back later to catch video archives and participate in DEFCON forums. I'm personally interested to learn the winner of the DEFCON short story contest.