My first DEFCON experience (part 1/2) - DEFCON 31 (2023) - Days 1 and 2
DEFCON wall in Caesar's Forum 2023


This was such an incredible experience and I really wanted to document it here. If only for my own records of the event, but also that maybe others may gain something from it as well. I travelled all the way from New Zealand to Las Vegas specifically for this event, and it was thoroughly worth it!

Everyone I spoke to in attendance was incredibly friendly and helpful. People will just randomly speak to you, and even if you are somewhat of an introvert (like me), you will soon open up like everyone else. You are surrounded by like-minded people with a shared passion for cyber-security and hacking.

I also absolutely loved the amazing artwork (some of which you can see in the header image).

I will follow up with days 3 and 4 in a separate article.

Arrival

I would say that the Flamingo hotel is a great hotel to stay at for DEFCON in terms of being a convenient location and central to everything with a short walk to each venue, not to mention the rooms are spacious and the views are amazing. When asking for assistance with the best way to travel between the various DEFCON venues though, fellow DEFCONers are more helpful than hotel staff, as is the social chat on Discord, or the forums.

Day 1 - Thursday

On day 1 there is not so much happening. Most of the villages are getting set up and registration is happening all day. I found it a good opportunity to get the lay of the land, figure out where the venues are and the best paths between them. This way when things kick off properly, you are not wasting time getting lost! It's worth mentioning here as well for those not so familiar with Las Vegas that the outside air temperature is incredibly hot, and you want to minimise your time spent outside while walking around. I found a path between venues that spent at most 30 seconds outside between Flamingo and Linq - everywhere else was indoors.

Once I found my way to the registration area at DEFCON, it was around 9:30am and the queue for registration was huge! It is affectionately known as Linecon! The vibe there was great though, people make the most of the queueing experience, talking to each other and bouncing balls across the room to each other. For myself, I had pre-ordered, and my line was pretty much non-existent - I was able to go straight through and pick up my goodie bag. Although I'm sure Linecon is a fun experience to some, I'd recommend pre-ordering. Some people were finding that they had run out of the good physical badges by the time they got to registration, and for those that pre-order, your physical badge is guaranteed.

Hackthebox CTF

I'm a regular with hackthebox. It was an essential part of my OSCP journey last year and I've continued with it regularly solving boxes. I am very interested in offensive security of all aspects and strive to learn as much as I can (continuously). I really believe that knowing how to do attacks makes you better at understanding the risks and at detecting them. Hackthebox provides you with several machines that are set up with the express purpose of being hacked, and all you are given is an IP address. You have to figure out what is running on it, and need to find any vulnerabilities in the running software, often exploiting multiple avenues and often going down various rabbit holes before finally getting shell access to the host environment and your first flag. This process is usually several hours long. From there, you then need to find a way to escalate privileges to get the final flag.

On the first day immediately after registration was a hackthebox CTF event running from 10am. Since I got through registration so quickly I was right on time for this, and I found a space at one of the tables to set up my hacking environment and to try and solve the CTF.

My Kali environment ready to start

I spent a couple of hours working through a couple of the challenges. First, one of the boxes and then a binary exploitation challenge. I was pleasantly surprised that my experience and knowledge were not far below all others at the table and I could hold my own pretty well. For sure there were some with a lot more experience, as you would expect at an event like DEFCON. Unfortunately, in the time I was looking at this I wasn't able to solve the challenges. I fell down on the binary exploitation due to it being a 64-bit Linux binary, and to this point most of my experience with this has been in 32-bit (finding the EIP offset etc.). It was fun trying though. I need to finish off my YouTube playlist from Cryptocat (I highly recommend his binary exploitation series).

Day 2 - Friday

Social engineering village - vishing competition

I had heard a lot about this competition from various podcasts, especially Darknet Diaries podcasts, and was really excited to go to this. I had heard it is popular and I was determined not to miss this one, so although it was starting at 9, I made sure to arrive at 7:45. This was a good plan and although there were some already there and queueing, the queue for me was not insanely large and I was guaranteed a good seat.

Let the linecon commence! In typical DEFCON fashion it seems, time went by quickly as we all chatted about various topics from security (obviously) to our interests, and eventually to D&D (turns out a lot of hackers like D&D!). I also helped out some newbies to the security scene who were interested in my experiences and the best way for them to get into security - I explained the numerous security roles that are out there, including the one we were queueing for around social engineering.

Once we got into the hall and took our seats, we were introduced to the panel of judges sitting up on the stage. There was a pod in the corner of the room that was fully soundproofed, and that is where each of the contestants sits to make their vishing phone calls. For those that don't know, vishing is like phishing but with your voice (aka phone calls). Sadly, this is an incredibly successful technique for stealing information from unsuspecting victims, or getting them to open malicious websites or run malicious executables on their machines, leading to exploitation.

Vishing competition (contestant on the screen and inside the booth on the right). Photos were allowed (no audio recordings or video allowed), but I've pixellated anyway except for the panel member as they are well known and of public record

The contestants had to qualify to attend this session and are experts at what they do. It was really fascinating to see them in action. It was made clear that we were allowed to take photos, but no videos or sound recordings as that is illegal. The contestants were given a real target and various flags that they had to obtain from them. They made very sure that the flags were not anything dangerous such as passwords, but were things that would not be easily discovered by other means - such things as what web browser the victim uses, what software they run, what antivirus they use. There were also more humorous flags to see how well the contestants could handle outrageous questions.

The contestants would play to the audience and made us laugh with some of the questions they asked. I would say that about 70% of the people easily fell for the vishing - which is scary! The last contestant even explained to the person he was calling (he was pretending to be the IT department at the time) that he should be careful of vishing calls and to never disclose sensitive information to random callers - the person on the other end of the call never once considered that he was in a vishing call at the time!

This is an interesting area with a lot of ethical boundaries and considerations. The contestants were very careful not to get anything like passwords from the people they were calling, although I am pretty sure some of those called would have disclosed them willingly. Usually, professional social engineers like this would be using their craft during things like red teaming engagements, where they would have been asked by the company to make these calls in order to see how vulnerable they are and what training is required. The competition stretches that a bit and adds some entertainment that in hindsight makes me a little uncomfortable, but it was an amazing experience and really helped us all to understand risks better - which has to be a positive outcome. All in all I think this is an important event that helps to make the world a safer place. It wasn't explained at the time, but I hope that the organisers of this event will talk to the companies vished and provide them with advice to help them for future.

Some key take-aways from me observing the sessions and hearing the feedback from the panel of experts:

  1. Research your target - knowing key things about your target helps with the next stage (establishing trust). Here the contestants would know things like the internally used store number (it was a well-known franchise being called and I guess the internally used store number must be available somewhere), or the name of the wifi (which is easily found by just visiting the site beforehand). The contestants would throw in these little bits of information during the phone call to sound more believable - "I know your wifi is called 'blah'"
  2. Establish trust - have a believable back story that puts you in a trusted position
  3. Jump straight in to questions - once you have done your introduction, do not give the person on the other end of the call time to think about it
  4. Acknowledge they are giving you valuable time - repeatedly
  5. Let the conversation flow as things progress - do not make the call only about what you are trying to get from them. Try to engage them and get them to open up more. This makes the person more comfortable with you and open to sharing more
  6. Drop breadcrumbs to what it is you want them to do - let them think it was their idea
  7. Be agreeable - by agreeing with everything the person you are talking to is saying, you keep the conversation moving, but also ensure you are forgettable. It was explained that conflict is more memorable than agreement, and you want the person to have a positive experience talking to you, but to forget about you as soon as possible afterwards
  8. Take on a character that is not you - the panel of judges explained that in order to be agreeable, you can at times be put in situations that might make you uncomfortable. Experiences were shared by the panel where they had in past engagements been talking with, for example, racist or misogynistic people and agreeing with them went against their core values and beliefs, but that by playing a character that is not yourself, you can get through that much more easily as it is not you agreeing with them - it is your character

Using these techniques, the contestants were able to easily get the target to go to their computer, open websites, provide information on running software and, I'm quite sure, a whole lot of other information if they had been asked for it. This is why security awareness training is so important: people need to know how easy it is to do these things and the sorts of techniques employed by adversaries so that they do not fall victim to them themselves. It honestly had me questioning phone calls I have had in the past and wondering whether they were genuine or not. I am suddenly even more cautious of all external engagements than I was before (and I was already pretty cautious I think). For this reason, I really do believe that understanding the advice above, so that we can protect ourselves and help others protect themselves against these techniques, is a positive thing - know your enemy. This is why I really support this village and all that they do, and why I wanted to share their advice here.

Car hacking village

I had been really looking forward to the car hacking village at DEFCON. One person had brought in their Tesla to demonstrate some attacks, but also was inviting others to hack it (under guidance). Unfortunately, this did not end so well for him. On the last day he turned up to find that the charging point flap randomly kept opening and the tires were not reporting their air pressure anymore. It seemed someone had managed to update the software - I would love to have found out how. The Tesla owner was not pleased though.

The owner demonstrated packet interception through Wireshark on a physical connection (not wifi). He started by collecting packets, then ran the Tesla Light Show manually to get the car doing lots of things and sending lots of packets through for interception. After this, he was able to take some of the captured packets and replay them, demonstrating a replay attack - allowing some of the actions to be re-performed by packets alone.

Tesla for hacking!

I then moved on to another display showing internal wiring for a car connected to an infotainment system. I took the opportunity to talk to the expert there and question them about CANBUS dangers. There is a great deal I can say on this subject, which I'll reserve for another time. The key point to remember is that there is no inherent security built into the CANBUS: it very much operates on a system of assumed trust, and the messaging system is extremely low-level and basic. The most typical attacks are DoS and spoofing attacks.
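As an added example (not code from the article, the village or any vendor), here is a small timing-based detector of the kind used to spot the two attacks just mentioned, DoS flooding and spoofed frames, run over a constructed candump-style log; the arbitration IDs, nominal periods and thresholds are assumptions for a hypothetical bus:

```python
"""Timing-based CAN bus anomaly detector (added example, not from the article).

Parses candump-style lines "(timestamp) iface ID#HEXDATA" and flags a DoS flood
of highest-priority frames (ID 0x000) and spoofed frames that break the periodic
cadence of a legitimate ID. IDs, periods and thresholds are assumptions.
"""

EXPECTED_PERIOD = {0x1A0: 0.010}  # assumed nominal period (s) of a periodic ID
TOLERANCE = 0.4                   # alert if a frame arrives >40 % ahead of schedule
FLOOD_ID = 0x000                  # ID 0 always wins arbitration: bus-flood DoS
FLOOD_THRESHOLD = 50              # this many FLOOD_ID frames within FLOOD_WINDOW...
FLOOD_WINDOW = 0.1                # ...seconds means the bus is being starved


def parse_line(line):
    """'(0.010000) can0 1A0#0011' -> (timestamp, arbitration id, data bytes)."""
    ts, _iface, frame = line.split()
    can_id, _, data = frame.partition("#")
    return float(ts.strip("()")), int(can_id, 16), bytes.fromhex(data)


def detect(lines):
    """Return [(timestamp, alert_text)] for every timing anomaly in the log."""
    alerts, last_seen, flood_times = [], {}, []
    for line in lines:
        ts, can_id, _data = parse_line(line)
        if can_id == FLOOD_ID:
            # keep only flood frames inside the sliding window, then add this one
            flood_times = [t for t in flood_times if ts - t <= FLOOD_WINDOW] + [ts]
            if len(flood_times) == FLOOD_THRESHOLD:
                alerts.append((ts, "DoS: flood of ID 0x000"))
        period = EXPECTED_PERIOD.get(can_id)
        if period is not None and can_id in last_seen:
            gap = ts - last_seen[can_id]
            if gap < period * (1 - TOLERANCE):  # far too early for a periodic sender
                alerts.append((ts, f"spoof: ID 0x{can_id:03X} arrived {gap:.3f}s after last"))
        last_seen[can_id] = ts
    return alerts


def sample_log():
    """Constructed log: legit 0x1A0 every 10 ms, one injected 0x1A0, then an ID 0 flood."""
    lines = [f"({0.010 * i:.6f}) can0 1A0#0000" for i in range(10)]
    lines.append("(0.052000) can0 1A0#FFFF")          # injected between two genuine frames
    lines += [f"({0.100 + 0.001 * i:.6f}) can0 000#00" for i in range(60)]
    return sorted(lines, key=lambda l: parse_line(l)[0])


if __name__ == "__main__":
    for ts, text in detect(sample_log()):
        print(f"{ts:.3f} {text}")
```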

Tabletop demonstration at blue team village

Pretty much D&D for security. This is a well-practised technique in use in many organisations and highly recommended. The idea is to run through scenarios and practice incident response. This particular session was run for a hypothetical system of ICS devices at a plant. There was a facilitator and a panel of experts. The facilitator took us through the scenario piece by piece and asked what actions we wanted to take along the way. The panel would occasionally provide advice on what they would do in this situation, or inform us of the result of our actions. For example, if we stated "we review our network flow logs", they would come back with what we found from that review. The facilitator might then throw in that suddenly the ICS devices are reporting a temperature increase - and what do we want to do next?

This was an interesting session and good to see how different people respond to situations. It was also an important reminder not to spend so long triaging and confirming that this is a security incident that the attack has progressed too far to contain easily. This is a useful exercise to practice with your teams and learn where your weak spots are, what gaps you have in your processes, and what systems are lacking that you should have been able to rely on.

Next article

I'll post days 3 and 4 soon. Those cover areas such as social engineering improv, quantum computing, 2FA bypass techniques and physical lockpicking. I hope my write-up so far was in some way informative and you managed to get something out of it!

Dean Marris

Co Founder of Coretex an EROAD company | Industry Fellow Harvard D^3 - Core Advisor AI Startup Labs

1y

Great summary!

Sam Ransara, PhD

IoT | GNSS | Telematics | Electronics | Embedded Software

1y

Excellent stuff. Thanks for sharing 👍
