DEF CON 27 Was Hacking Airplanes, Voting Machines, Cameras, Schools

After a full week invading Las Vegas, top security conferences Black Hat USA 2019 and DEF CON 27 have come to an end… or is it just the beginning? What a week it was! The conferences proved that nearly everything is hackable:

  • Airplanes. This year marked the first-ever aviation village at DEF CON. According to an article in Cyber Scoop, “when it comes to cybersecurity, the mission is never-ending for the military.” Recently, government audits found flaws in weapons systems. Shannon Vavra writes that the Department of Homeland Security issued an alert that a vulnerability in small airplanes could allow hackers to alter flight data, such as engine readings, altitude, or airspeed.
  • Voting machines. The Washington Post covered the Voting Village in its article “‘Please break things’: Hackers lay siege to voting systems to spot weaknesses in security.” Sen. Ron Wyden (D-Ore.) toured the Voting Village to see hackers working to expose weaknesses that could be exploited by attackers trying to interfere with elections. Most machines that are still used in elections across the country have well-known vulnerabilities.
  • DSLR cameras. Multiple vulnerabilities in Canon’s DSLR camera firmware could allow an attacker to plant malware on devices and ransom images from users, according to a ThreatPost recap.
  • High schools. Eighteen-year-old hacker Bill Demirkapi presented his findings from his after-school hacking. Over the years, he has found serious bugs that would allow a hacker to gain deep access to student data, according to a Wired article.
  • Wi-Fi. We know Wi-Fi networks can be hacked, but security researcher Mike Spicer has been actively collecting and monitoring network traffic and web activity onsite at DEF CON for the last three years. He roams the halls with “Wi-Fi Cactus” hardware strapped to his backpack, made up of 25 Hak5 Pineapples, devices made to monitor, intercept, and manipulate network traffic. A complete write-up is in CNET’s article. It’s no wonder attendees tend to bring burner phones and leave their laptops in their hotel rooms!
  • Microsoft Azure? Microsoft is pushing for enhanced security for the Azure cloud computing service with the launch of increased bug bounty rewards, according to a ZDNet article. Financial rewards of up to $300,000 are available for Azure security challenges offered by Microsoft. In fact, Microsoft has awarded over $4.4 million in bug bounty rewards over the past 12 months. In other news, Apple has a huge bug bounty program that will include rewards of up to $1 million for a zero-click, full-chain kernel-code-execution attack. According to an InfoSecurity Magazine article, some security experts are concerned that these types of bounty programs could produce new exploits. Luta Security CEO Katie Moussouris says, “There is a logical limit which defensive prices cannot exceed because if you exceed them you start to see perverse incentives emerge. I think the offense market, also known as the black market, will very quickly adjust.”
It was a flurry of activity at Black Hat USA 2019.

Cyber Oregon supporters infiltrated Black Hat and DEF CON

Cyber Oregon supporters, including CrowdStrike, Eclypsium, Fidelis Cybersecurity, Fortinet, McAfee, Palo Alto Networks, PKI Solutions, Splunk, and Symantec, had a strong presence at this year’s Black Hat USA, including several featured speakers and sessions, booths, and surprises. Eclypsium, Fidelis Cybersecurity, PKI Solutions, and Symantec also had a big presence at this year’s DEF CON 27, including presentations and live-hacking demos.

Cyber Oregon sponsor, Eclypsium, saw lots of booth traffic at Black Hat USA 2019.

Cyber Oregon supporter PKI Solutions enjoyed a lively presence onsite. Mark B. Cooper, president and founder of the company, spoke to a large crowd at DEF CON 27’s Crypto & Privacy Village, presenting “How PKI and SHAKEN/STIR Will Fix the Global Robocall Problem.” In an effort to put an end to the robocall problem, the Federal Communications Commission (FCC) and major telecommunications companies including Comcast, AT&T, and T-Mobile are behind a new global standard called SHAKEN/STIR (Signature-based Handling of Asserted Information using ToKENs and Secure Telephone Identity Revisited) to combat robocalls and caller ID spoofing. Public key infrastructure (PKI) is the backbone of SHAKEN/STIR, using digital certificates based on common public key cryptography techniques to ensure the calling number of a telephone call has not been spoofed.

Mark B. Cooper of PKI Solutions (left) with a fellow attendee, wearing #hiptoencrypt sunglasses, a fun giveaway by PKI Solutions.

Beyond hacks: the new culture of cybersecurity

While exploiting vulnerabilities, discussions around the latest threats, and hacking everything were core themes, security transformation in organizations was also a hot and important topic, as outlined in the DEF CON 27 keynote by Square’s head of security, Dino Dai Zovi, “Every Security Team is a Software Team Now.” According to an article in Security Boulevard, the new culture of cybersecurity can be put into practice in these three ways:

1. Work Backward from the Job

This involves identifying the actual job that Dev or Ops (or whoever) is trying to do, and finding out how Security can align itself. It involves listening, cooperation, and integration, and as such it makes security an enabler that can collaborate with other groups on the achievement of shared goals.

2. Seek and Apply Leverage

Dai Zovi’s next principle directly addresses two powerful techniques for making security work:

  • Leveraging Automation: In a world where security talent is scarce and where rapid delivery and release are priority #1, leveraging automation builds in speed, standardization, and the ability to scale securely.
  • Leveraging Feedback Loops: Using feedback loops proactively builds in observability and enables continuous, incremental improvements. Reliability is important, but without observability, its value is greatly diminished. Securing your environments without continuous monitoring is counterintuitive and counterproductive.

3. Understand That Culture > Strategy > Tactics 

Dai Zovi’s third principle emphasizes that “Culture is way more powerful than strategy, which is way more powerful than tactics.” If organizations get the culture part right, productive strategies and tactics will almost naturally follow suit. Dai Zovi advocates for a culture where security is pervasive and is distributed throughout the organization. This way risk and responsibility are owned by everyone in the organization and are not just the purview of security. If you give your people responsibility, you empower them to make a full commitment to security and quality. You’re also taking advantage of a major opportunity to create teamwork among everyone in the organization and to create a reality where everyone is working towards shared goals. 
