Hacker Summer Camp Recap

Every August, thousands of hackers, security professionals, law enforcement agents, and computer enthusiasts flock to Las Vegas to attend a series of security events known collectively as the hacker summer camp. The events include the two long-running conferences Black Hat and DEFCON, along with the recently established BSides Las Vegas event.

The three events, spanning nine days in mid-August, present a unique opportunity for security people to learn new things, catch up with the latest developments in the security world, get acquainted with great research, and network with their peers and future employers.

At a time when the world is becoming more concerned about security and privacy, conferences like DEFCON and Black Hat are important and needed for the advancement of security work. There are very few events around the world where you can find tens of thousands of people gathered in one place with the same goal: exploring weaknesses and improving defenses.

Given the number of attendees, their popularity and the level of content quality they provide, it’s not surprising to find briefings on important trending topics featured during the events. Election security, deep fakes, cloud security, 5G security, Kubernetes, software supply chain security, GDPR, and vulnerability handling were among the many topics presented and discussed during Black Hat.

The schedules were packed with briefings, training, and activities, and while we won’t list all of them, we want to highlight some of the headlines that caught our attention. We recommend watching as many talks as you can as soon as the videos are up, but in case your time is very limited, may we recommend the following talks?

· We are huge fans of the shared responsibility philosophy when it comes to software security, and that’s why the Every Security Team is a Software Team Now briefing by Dino Dai Zovi caught our attention. We wholeheartedly agree with the sentiment that security is everyone’s job nowadays.

· Industrial security is one of the hot trends in the security world nowadays, and there is a lot of misinformation around various aspects of it, so it was nice to see the briefing Attacking Electric Motors for Fun and Profit, presented by Matthew Jablonski and Duminda Wijesekera, which offers great insights into the state of security of electric motors.

· Everyone was stoked when WPA3 was released, given the various security improvements it added, but it didn’t take long before Mathy Vanhoef and Eyal Ronen managed to identify multiple security issues affecting the new standard. Their talk Dragonblood: Attacking the Dragonfly Handshake of WPA3 offers an extensive overview of their work and valuable insights into the security of WPA3.

· GDPR is there to protect users’ privacy, but it is not 100% foolproof, as you can see in James Pavur’s presentation GDPArrrrr: Using Privacy Laws to Steal Identities, in which he explained how Subject Access Requests can be abused to gain access to people’s information. The talk provides valuable information for both companies and individuals who need to protect against these types of malicious actions.

· Ivan Krstić, the head of security engineering and architecture at Apple, held a great presentation titled Behind the Scenes of iOS and Mac Security, in which he talked about the security aspects of iOS and Mac in great detail. The talk is a great resource for those interested in the security of Apple devices.

DEF CON was packed with interesting talks as well. The following talks caught our attention and might make for a good afternoon break activity:

· Breaking Google Home: Exploit It with SQLite (Magellan) by Wenxiang Qian, YuXiang Li, and HuiYu Wu.

· API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web by Joshua Maddux.

· Imagine taking an elevator and, while it’s going up or down, the speaker suddenly starts talking to you. Scary, isn’t it? Well, in the Phreaking Elevators talk, WillC explains how he found and called a lot of elevator phone numbers.

· If you are a Windows administrator, you might want to check the Relaying Credentials Has Never Been Easier: How to Easily Bypass the Latest NTLM Relay Mitigations talk by Marina Simakov and Yaron Zinar.

· Everyone loves a good camera that can take the perfect picture for their Facebook profile, but few think about what Eyal Itkin presented in his talk Say Cheese—How I Ransomwared Your DSLR Camera. If you are a lover of photography, you might find this talk interesting and a bit worrying.

We barely scratched the surface of the packed schedules of hacker summer camp. We encourage you to visit the conferences’ websites, watch the talk recordings, and check out the presentations when they are released; the information you find there is highly valuable.