All Aboard the Hype Train: DefCon 22 Has Arrived


SCADA is Bigger Than Ever at DefCon

DefCon 22 is one of the largest and most recognized hacker events of the year, hosted at the Rio in Las Vegas, NV.  In the past few years, the con has brought in 12,000+ hackers, feds and everyone in between to share ideas, tools and new tactics for defeating (and protecting) security measures and controls.  Recently there has been an increase in talks related to control systems.  For example, here’s this year’s list of SCADA-related talks:

  • Protecting SCADA From the Ground Up
  • Detecting Bluetooth Surveillance Systems
  • Hacking 911: Adventures in Disruption, Destruction, and Death
  • Home Alone with localhost: Automating Home Defense
  • Instrumenting Point-of-Sale Malware
  • Hacking US (and UK, Australia, France, etc.) traffic control systems
  • Elevator Hacking – From the Pit to the Penthouse
  • Just What The Doctor Ordered?
  • Hack All The Things: 20 Devices in 45 Minutes
  • What the Watchers See: Eavesdropping on Municipal Mesh Cameras for Giggles (or Pure Evil)
  • Attacking the Internet of Things using Time
  • A Survey of Remote Automotive Attack Surfaces
  • Learn how to control every room at a luxury hotel remotely
  • Playing with Car Firmware or How to Brick your Car
  • Cyberhijacking Airplanes: Truth or Fiction?
  • The Internet of Fails: Where IoT Has Gone Wrong and How We’re Making It Right
  • A Journey to Protect Points-of-sale
  • Optical Surgery; Implanting a DropCam
  • PoS Attacking the Traveling Salesman

For more info on the talks and their speakers:

Impressive! (Scary?)  Doesn’t have to be.

Brace Yourself: Hype Is Coming!

Or should we say, hype has arrived.  With DefCon there is always controversy, with talks being pulled at the last minute and blog sites playing up the latest doomsday scenario.  This is just a taste of what’s to come:

Hackers take to the skies via airplane Wi-Fi
How Hackable Is Your Car? Consult This Handy Chart

Coming to a news outlet near you

The hype and FUD (fear, uncertainty and doubt) do not typically originate from the speakers themselves (who are doing great research) but from the media outlets.  There is great information in these talks, and when there isn’t, the community tends to eat the speakers alive.

Post DefCon Survival Guide

It’s the week after DefCon and emails from your Cyber Director, CIO or CISO are starting to flow.  Here are some things to consider when separating the hype from the substance:

1)  Know Your Own System
Have the ability to confidently respond with either: Yes, we have the affected technology in our environment, or No, it does not apply to us (and why).  If the answer is yes, prepare to speak intelligently about how it’s implemented, what business processes it supports and what mitigations are in place.  Keep in mind that “we run the affected product” is not the same as “we are exposed”: the talk’s preconditions (firmware version, an enabled service such as Telnet, network reachability) decide whether the finding actually applies.  This requires that you know in detail the technologies used in your own organization.
2)  Read/Watch the Talks
Go beyond the blog post or article hype.  Go straight to the source!  Often, speakers post their slides/papers online after the event, with videos on  Context is key here!
3)  Use the Opportunity Provided
Carefully use this opportunity to revisit security projects, architecture changes, or simple control implementations that have previously been rejected.  Been trying to get your org to disable Telnet on a technology being exploited at DefCon?  Now’s your chance to strike while the iron is hot.  Warning: do not create your own hype train.  Honest analysis combined with timely news articles is enough to get traction.
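As an added example (not part of the original post), here is a small Python triage script that turns a talk’s claim into the yes/no-and-why answer item 1 asks for and surfaces the control item 3 is about (Telnet still enabled on a matching device).  The inventory, the vendor and product names, the version threshold and the mitigation labels are all constructed sample data, and the matching rules (vendor, product, version ceiling, required exposed service) are an assumption about how a practitioner would encode a talk’s preconditions, not anything from a real advisory.

```python
"""
Added example: answer "does this DefCon finding apply to us, and why?"
from an asset inventory instead of from the headline.
All assets, vendors, versions and mitigation labels are constructed
sample data; the claim encoding below is an assumption, not a real advisory.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    vendor: str
    product: str
    version: str                                         # "major.minor.patch"
    network_services: set = field(default_factory=set)   # e.g. {"telnet", "modbus"}
    business_process: str = ""                           # what it supports
    mitigations: set = field(default_factory=set)        # controls already in place


def parse_version(v):
    """'2.1.0' -> (2, 1, 0); tolerant of short strings like '3'."""
    return tuple(int(p) for p in v.split("."))


def matches(asset, claim):
    """True only if the asset meets every precondition the talk relies on."""
    if asset.vendor.lower() != claim["vendor"].lower():
        return False
    if asset.product.lower() != claim["product"].lower():
        return False
    # Already on a version the talk says is fixed: not affected.
    if "fixed_in" in claim and parse_version(asset.version) >= parse_version(claim["fixed_in"]):
        return False
    # Exposure path (e.g. Telnet) not present on this asset: not affected.
    if "requires_service" in claim and claim["requires_service"] not in asset.network_services:
        return False
    return True


def triage(inventory, claim):
    """Return the answer for the CISO: applies? which assets? which controls are missing?"""
    affected = [a for a in inventory if matches(a, claim)]
    if not affected:
        return {
            "applies": False,
            "reason": f"no {claim['vendor']} {claim['product']} in inventory meets the talk's preconditions",
            "assets": [],
        }
    recommended = set(claim.get("recommended_mitigations", []))
    return {
        "applies": True,
        "reason": f"{len(affected)} asset(s) meet the talk's preconditions",
        "assets": [
            {
                "name": a.name,
                "process": a.business_process,
                "missing_mitigations": sorted(recommended - a.mitigations),
            }
            for a in affected
        ],
    }


# Constructed sample inventory (not real systems).
INVENTORY = [
    Asset("plc-line-1", "ExampleCo", "FieldPLC", "2.1.0", {"telnet", "modbus"},
          "bottling line", {"network_segmentation"}),
    Asset("plc-line-2", "ExampleCo", "FieldPLC", "2.4.0", {"ssh", "modbus"},
          "bottling line", {"network_segmentation", "telnet_disabled"}),
    Asset("hmi-ops", "OtherVendor", "PanelView", "5.0.1", {"https"},
          "operator console", set()),
]

# Constructed encoding of a hypothetical talk: FieldPLC before 2.3.0 with Telnet enabled.
TALK_CLAIM = {
    "vendor": "ExampleCo",
    "product": "FieldPLC",
    "fixed_in": "2.3.0",
    "requires_service": "telnet",
    "recommended_mitigations": {"telnet_disabled", "network_segmentation"},
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(INVENTORY, TALK_CLAIM), indent=2))
```

Running it reports that only plc-line-1 applies (plc-line-2 is already past the fixed version and has Telnet off, and the HMI is a different vendor), and that the one missing control on plc-line-1 is disabling Telnet, which is exactly the previously rejected change you can now take back to management.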

Don’t Panic

Hacker conferences are a wealth of information and should be embraced from both technical and political perspectives.  Technically, you are getting (for free) some of the best research and data available to the public on hacking techniques.  Politically, you have one of the greatest ice breakers in the security conversation.  Only by being informed, both on your systems and on the actual context of the DefCon presentations, can you use this opportunity to improve your organization’s overall security posture.