Lessons Learned at DEF CON 26

DEF CON is known as a hacker conference, and it’s the place where researchers and security enthusiasts come to demonstrate and discuss different attack techniques and vulnerabilities. While offensive security operations have long been a focus for DEF CON, the larger goal of much of the event in recent years has been to raise cybersecurity awareness of various issues.

At the DEF CON 26 event, which ran August 9-12 in Las Vegas, multiple groups of researchers provided insight into new and existing attacks, as well as methods and best practices that organizations can use to help defend themselves.


Among those speaking at DEF CON 26 were members of the Department of Homeland Security (DHS) National Cybersecurity Assessments and Technical Services (NCATS) Red Team. Among NCATS’ services are penetration tests (conducted by the Red Team) of government and private sector critical infrastructure.

Across all sectors, Robert Karas, Director of the NCATS Office of Cybersecurity and Communications, said there are several common vulnerabilities. Among the top are basic cyber-hygiene issues; that is, many organizations continue to run older, unsupported versions of software — an argument in favor of patch management.

Lesson: Don’t run old, unsupported software — it’s an easy attack vector for a hacker.

Secure Hardware and Software

At the IoT Village at DEF CON 26, David Tomaschik gave a talk about exploiting network-controlled door locks. These are the type of locks that employees open with a key card or other electronic device, an important IoT security concept.

Tomaschik discovered that the door locks could be remotely opened by getting access to a patch panel within an organization. With that access, he discovered that encryption was not properly implemented and he was able to gain control, with the ability to open or close doors within a vulnerable company.

Tomaschik had several recommendations, including advising that devices should only be able to communicate with trusted systems, and all individual messages in a system should have confidentiality and integrity.

Lesson: Software security matters for physical security systems.

Social Engineering

Another popular area at DEF CON 26 was the Social Engineering Village, where speakers provided insight into how they were able to gain access to environments using social engineering techniques.

Among the speakers was Billy Boatright, who must carry around oxygen to help him breathe, as he has had a tracheotomy. Boatright detailed how he was able to carry unauthorized items into secure locations as people considered his condition.

Lesson: Never underestimate the human factor; trust but verify.

Mobile App Security

Researchers from the Fraunhofer Institute for Secure Information Technology (SIT) detailed 37 vulnerabilities across 19 different mobile tracking apps at DEF CON. Not one of the vulnerabilities, however, was a zero-day, and the researchers repeatedly emphasized that all of the issues could have been fixed with common, well-known security best practices.

Among those best practices is to not put configuration data in the SharedPreferences common directory in Android. That directory can be easily accessed and manipulated by users. Additionally, the researchers advise that mobile developers properly implement cryptography by using the TLS libraries that Google provides.

Lesson: Make sure that configuration data is secured properly.

The L0pht

Twenty years ago, seven hackers from a group known as L0pht Heavy Industries testified before Congress, warning that they could take down the entire internet in 30 minutes. At DEF CON 26, members of L0pht were on a panel taking a retrospective look at that landmark testimony and what has or hasn’t changed in the years since.

Chris Thomas, aka “Space Rogue,” warned the DEF CON audience to be careful, as there are a lot of companies that don’t like security researchers and plenty of laws that don’t like security researchers either.

“Keep doing what you do,” Thomas said. “Do research but don’t cross the line and stay out of jail.”

Lesson: Love what you do, but stay on the right side of the law.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.
