August 28, 2024

The CISO Global Pen Testing Team

Earlier this month, a group of our intrepid pen testers from our Readiness & Resilience team at CISO Global ventured into the heart of the hacking world at DEFCON 32 in Las Vegas. This annual pilgrimage to the mecca of cybersecurity (and more importantly, hacking) is more than just a conference – it’s a hands-on deep dive into the cutting edge of hacking techniques and defensive strategies. Our team immersed themselves in this unique environment, absorbing knowledge from some of the brightest minds in the field. Their mission? To stay ahead of the curve on the latest trends, tools, and tactics in the ever-evolving landscape of cyber threats. By sharpening their skills and expanding their expertise at DEFCON, our pen testers are now better equipped than ever to simulate real-world attacks and strengthen our clients’ digital defenses.

Linecon 2024

“Linecon” is a term lovingly and frustratingly coined to describe the long, slow-moving lines that have become synonymous with DEFCON for the last few years. In a change from previous years’ events, DEFCON 32 was held in the West Building of the Las Vegas Convention Center. This venue was off the strip which changed the overall feel of the convention, but its size made up for that by providing ample room to house the entire convention and villages in one place. The selection of the Las Vegas Convention Center as the venue proved effective at minimizing Linecon. The venue had enough space to more effectively manage lines and coordinate and organize the attendees. Although this reduced the lengths of the lines, the overall confusion about where to go, and the wait time experienced, Linecon was still noticeable in several places such as registration (Thursday morning), the official DEFCON Merch store (Thursday morning and afternoon), the AIxCC (Artificial Intelligence Cyber Challenge), the Vendor merch area (specifically Hak5 and Hacker Warehouse) and the Policy @ DEFCON Village to name a few.

After going through the infamous LineCon for registration, the team met up with a few friends and colleagues to play around with this year’s badge, a cat-shaped Gameboy emulator. There wasn’t much to do at the con the first day – in fact, the con got off to a slow start due to downed internet at the convention center (Coincidence? Or something worse… we still don’t know!). The team enjoyed finding all kinds of secrets, QR codes, and figuring out the undocumented settings with hacker friends and strangers alike. It’s a great way to warm up the hacker mindset in preparation for the con!

Cons Within the Con

Several small “*CONs” occur at DEFCON each year including QUEERCON, GOTHCON and VETCON as well as several other groups that are designed to provide inclusivity and a place to gather with others that share your mindset, interests, lifestyle, etc. VETCON provides a place for Veterans of the Armed Forces to gather, interact and network with one another and this year they brought in guest speakers. I had the privilege to listen to a talk by Chris Cleary (formerly Principle Cyber Advisor for the Department of The Navy) entitled “The Next Fight… Are You Ready?” that outlined what Veterans with cyber security skills can still do for our Nation even without serving directly. It further elaborated on the risks posed to the United States by individual hackers, threat actors and nation states alike and the potential impact on our country, neighbors and family.

It Takes a Village

There can be some confusing terms used at DEFCON for the uninitiated. One such term is “village”. There are several locations identified as “villages” at DEFCON such as Red Team Village, Social Engineering Village, HAM Radio Village, Hardware Hacking Village and many more. A “village” is a location set aside for a narrow focus within the hacking and cybersecurity community for specialty topics, workshops and challenges to be discussed, enjoyed, learned about, etc.

Our pen testers visited several villages with varying levels of interaction with hosts/attendees:

1. Hardware Hacking Village – This village is set aside for assembly, disassembly, modification of existing circuits or designs, hardware repair, electronic badge hacking, and much more. They provide tools and assistance/knowledge to anyone that needs or wants it. The team utilized this village’s available tools to assemble this year’s Darknet badge and several SAOs (add-on circuits that generally only provide additional blinky lights or cool customization to existing electronics that support them).
2. Car Hacking Village – This village is exactly what it sounds like it would be. They host a CTF (Capture the Flag) competition that involves a set of challenges that test your hacking capability. This year’s CTF was performed against a Rivian Smart Truck. The first-place winner of this competition won a Tesla.
3. Artificial Intelligence Village – This village is based around the constantly evolving topic that is Ai: its many forms and uses, its future, and the responsible use of this ever-emerging technology. This village hosted an intricate competition that immersed competitors in a futuristic technological world that had come under attack. This “world” was a simulated utopia in which technology was embedded in everything and it was all 100% “secure”… Until it wasn’t. The competitors were dropped into this environment and tasked with writing their own AI constructs designed to secure the various vulnerable technologies/software that existed in this environment. While the competition itself was handled over the web, a physical environment was constructed to be representative of this simulation and was available for walkthrough at DEFCON while the competition was underway.
4. Biohacking Village – This village is dedicated to Hacking and Cybersecurity within the medical community. This is of particular interest to our team, as we have performed real-world penetration tests against surgical robots for one of our clients. The competition in the Biohacking village involved such a test. Not unexpectedly, there was a lot of interest in this competition!
5. The Aerospace Village – the team spent some time here and learned about the DICOM and DICOS standards for medical and TSA imaging/screening data, and how different algorithms (potentially with AI?) are being developed to detect abnormal objects. In the packet hacking village, I got to see the classic Wall of Sheep and attended a workshop where I learned how to build my own botnet with open-source tools!

Challenge Accepted

On the second day of the con, the team had more time to try their hands at Capture the Flag challenges like 5N4CK3Y (“Snackey” in layman’s terms, which was a hackable vending machine), phreaking (phone hacking), ICS (industrial control systems), and more! The highlights for the team were hacking a compromised HMI device to disrupt the bad guys and pump water back into the “city tank” and hacking point of sale systems for fun and for profit – at least in terms of stickers and goodies – in the payment village.

DEFCON leadership announced a partnership with pwn.college. This provides free hacking/cybersecurity training to anyone regardless of skill level. It is designed to not assume anything about your knowledge and starts you out at the beginning/entry-level topics and eventually works you up to performing complex attacks and writing exploits for use against custom vulnerabilities. This training is available through an online portal and has no time constraints.

Don’t Sleep on Talks

One of the main purposes of conferences is to share relevant information by way of unidirectional communication (ie. Talks). Although DEFCON does host a multitude of talks, many of which are generally meaningful or useful regardless of experience level, there is so much that can be learned from such a variety of sources, that talks are not always a priority. The team took the time to sit in on a few talks during the CON. One stood out as particularly interesting because it was a controversial topic for some people. Daniel Messer gave a talk entitled “A Shadow Librarian in Broad Daylight: Fighting Back Against Ever Encroaching Capitalism”. Messer spoke about his efforts as a “Shadow” Librarian which involves scanning Reddit for people that are looking for books or other information that is either not available digitally or is protected by DRM (Digital Rights Management – meant to protect copyrighted material from being copied without permission). He then makes the requested information available whether by scanning in physical copies, locating existing digital copies, or removing DRM protections from existing media and sharing it without protections. He explains that he does this because he believes that Capitalism has encroached too heavily upon the free availability of information to the public and because he firmly disagrees with current policies and legislation being established in various places in the United States that would restrict information (of any kind) from being available to the public (of any age). Regardless of the stance we might take on controversial topics such as this one, I think it demonstrated the mentality of the DEF CON community and hackers in general. They are willing to make a stand for what they believe to be right and have the skills that allow them to do so. 

Final Thoughts

DEF CON is considered to be the “less professional” of the two big cyber conferences held in Las Vegas each summer. But despite its ultra-nerdy appearance, our pen testing team’s experience at DEF CON 32 proved to be highly valuable. While it was a slow start to the conference (downed internet and Linecon made for an interesting kickoff!), the event ultimately delivered a wealth of knowledge and hands-on experience. Our team immersed themselves in the latest hacking trends and techniques, gaining insights that they can directly apply to enhance our security practices. The conference not only provided a platform for learning but also offered in-depth, practical experiences that are difficult to acquire elsewhere. As our pen testers return to their roles, they bring with them a fresh perspective and cutting-edge skills that will undoubtedly strengthen our cybersecurity posture. This investment in our team’s professional development at DEF CON has equipped us with the tools and knowledge to stay ahead in the ever-evolving landscape of information security.

About the Authors 

Several of CISO Global’s pen testers and SOC analysts attended DEF CON 32 and provided their firsthand accounts of their experience at the convention. We are excited for the team to bring back new knowledge from the conference that they can use in their daily operations to help protect our clients!

The post Badge Life: The CISO Team Takes on DEF CON appeared first on CISO Global.

*** This is a Security Bloggers Network syndicated blog from CISO Global authored by hmeyers. Read the original post at: https://www.ciso.inc/blog-posts/badge-life-the-ciso-team-takes-on-def-con/