Direct iT at the DefCon 26 Security Conference
Hackers and security researchers from all over the world descended on Caesar’s Palace in Las Vegas last weekend for the DefCon 26 security conference. Direct iT’s security and compliance team was onsite to hear about the state of the art in network security, and hear from antivirus vendors, chip designers, penetration testers, as well as representatives from the FTC, the Department of Defense, the Navy, and many major security product companies. There were a lot of hot topics under discussion about the role of security research in a world where hacking has been increasingly influential.
A few of the hottest hacking topics included:
- Microsoft’s WannaCry bug and related exploits – Egyptian security researcher Saif El-Sherei demonstrated techniques for analyzing and reverse-engineering Microsoft patches to identify undisclosed security holes that those patches were addressing, and showed how he used this technique to also identify a new related undisclosed security hole.
- Hardware-level security problems – a lot of new research was presented about the security implications of hardware bugs, including the SandSifter — a program for detecting and analyzing undocumented, hidden, or buggy instructions in x86 CPUs ( which was used to find bugs in Microsoft Azure virtual machines and in virtually all common CPUs). This is a growing field within security research, based on the idea that no matter how secure our software is, that software has to run on hardware and if that hardware is not also secure we will still get hacked. Other research was presented about how simple it is to produce counterfeit or backdoored hardware ( including relatively simple methods for implanting a hidden transmitter inside RSA 2-factor tokens, inside computer mice, and even for making counterfeit versions of special USB password-storing keys).
- Cloud, SaaS, and hypervisor security – there was a lot of focus on a new set of advanced tools for detecting and mitigating breaches that Microsoft is going to be giving free with Enterprise versions
- Counterfeit and backdoored hardware hacks – there was a lot of discussion about how governments around the world place backdoors in computer and networking hardware, as well as how individuals also can exploit hardware. One group of researchers presented a method for doing secure computation on insecure hardware.
- IoT hacking – the takeaway from the IoT security part of the conference was not that hackers using advanced techniques could break into a few IoT devices — more that virtually all IoT devices are designed so insecurely that very standard, well-known security exploits are often all it takes to break into these devices.
- Car hacking – similar to the IoT findings, several groups presented research about car-related security hacks and also brought a few modern cars to the conference for hackers to analyze on-site. What the research revealed was that car manufacturers are using out-of-date components to begin with and not doing any significant security hardening of car systems — for instance, modern Nissan and Infiniti cars were found to use a 10-year-old cellular chip that was used in the original iPhone, which has a number of well-known security exploits that can be used against the cars. Similarly, radio researchers analyzed signals from Jeep wireless keys and found that anyone recording the radio signal from a Jeep key can easily clone that key.
- Voting machine hacking – hackers at the conference took apart and analyzed several different types of common voting machine, quickly finding that many were based on Windows XP and were vulnerable to a number of common security exploits, including one that could be exploited over wireless. In fact, it took less than an hour for them to break into one of the voting machines.