written by Chris Griesemer

My alarm sounds. Time to get ready. Big day. Vegas. DEF CON. What’s DEF CON? Only the biggest hacking convention in the world held in Vegas every year.

I get up and go through the normal routine. Shower, brush my teeth; I don’t want to do too much. I mean the idea is to blend in. Not totally but I definitely don’t want to be misidentified as a FED. These conference goers tend to be a little wary of the FED. More on that later.

Should I wear all black, pierce my nose, ear and lip? Should I dye my hair lime green? Not this year. I’ll just go with the normal shorts, t-shirt and sandals.

I arrive at the Riviera around 8:15 a.m. but before I walk in, I go through my usual pre-DEF CON checklist. First, make sure I am wearing my DEF CON badge. Can’t get in without it, plus it looks cool. Second, make sure Bluetooth is turned off. And Third, make sure wifi on my iPhone is turned off. Ok, I think I am ready.

DEF CON ID Badges, photo by Dave Bullock

I walk into a sea of black t-shirt wearing geeks…I would never say that out loud. You don’t want to be on the bad side of one of these hackers. And to be honest, I don’t really look at them as geeks or nerds. Some of the smartest programmers and computer threats are walking these hallways. I show them nothing but respect.

It looks like a strong turnout this year. The cost to attend DEF CON is $140, cash. Credit cards and checks are not accepted here. Anonymity is very important to DEF CON’ers, which is why most of them use nicknames.

I decide to do some exploring and find the room with the Wall of Sheep.

The infamous Wall of Sheep, photo by Dave Bullock

In hacker terms, a “Sheep” is an individual whose online habits allow his or her information to be hacked. Five hackers sit at a long table, using sniffer programs to pull unencrypted packets out of the air and find the usernames and passwords of people logging into Gmail, yahoo or hotmail (basically any account) wirelessly. After capturing a user, they post his or her username and the first three characters of a password on a huge screen on the wall. It’s always fun looking at the names scrolling across the screen.

Next, I decide to look through the presentations over the next 3 days. Here are some that stand out:

  1. Exploiting Digital Cameras
  2. Hacking Facebook Privacy
  3. How I Met Your Girlfriend
  4. You Spent All That Money And You Still Got Owned
  5. We Don’t Need No Stinkin Badges: Hacking Electronic Door Access Controllers

I decide to choose my first session. I narrow it down to: Build a Lie Detector/Beat a Lie Detector or How To Get Your FBI File. I go with the latter.

I walk into a room that seats roughly 300 people. There’s already 350 to 400 people in here. Remember when I mentioned the FED and the importance of blending in? The FED is a DEF CON’er term for an FBI agent. At the beginning of every session, a DEF CON’er can raise his hand and, point out an audience member he suspects is a FED. The presenter will ask them to come on stage and the questions begin:

DEF CON’er – Do you have a Job?
Guy – Yes
DEF CON’er – Do you ever leave the country because of your job?
Guy – No
DEF CON’er – Are you carrying a badge?
Guy – Yes
DEF CON’er – Do you carry a gun?
Guy – Yes
DEF CON’er – Are you a FED?
FED – Yes

The crowd goes crazy and the DEF CON’er and the FED both receive t-shirts. Unfortunately, there are no takers in this session.

Basically, this session is a rough overview of your right to get your FBI file and tricks that will help you accomplish this faster. Of course one of the main points this presenter explains is that when writing your request letter, be as specific as possible. Explain the time frame you are looking for and the exact information you are requesting. If not, your request might be too vague and require more time be spent on gathering your information. Plus, you don’t want the FBI looking over your file for any reason.

Something might spark their interest and they may investigate further. This is never good, according to the presenter, and the crowd agrees with a cautious chuckle.

This is the way it went for 3 days. 3 to 4 presentations every hour from 10:00 a.m. to 5:00 p.m. Friday, Saturday and Sunday.

DEF CON volunteers, photo by Dave Bullock

Unofficially, around 8,000 people attended the conference. On the first day I noticed a substantial amount of security walking the hallways. I asked if this was normal for the Riviera. To my surprise, the security lady said she was not giving any information because she knew there was some kind of contest going on. And in fact there was; a social engineering contest to see what these DEF CON’ers could find out and she wasn’t giving any information. Social engineering is a trick hackers use to manipulate others into sharing confidential information, which the hacker then uses to his or her advantage.

I saw 20 security personnel walking the hallways; not the usual amount on staff but probably a good idea. DEF CON’ers have not always been kind to the hotel housing them. One year they hacked into the air conditioning system; another, the phone system. I was talking with an employee at the Riviera and she said they hacked into the phone system again this year using the phone in the elevator.

Most presentations were very good – two were exceptional and very well attended. The first was the GSM vulnerability presentation. This was basically a presentation on GSM insecurities (or, how to listen in on cell phone calls). I knew this was going to be an interesting presentation because of the 50 or so information sheets that were posted everywhere that read:

WARNING: Cell phone calls may be intercepted or disrupted in this area between the hours of 1 p.m. and 2 p.m., Saturday 31st July.

Poster with cell phone warning, photo by Chris Griesemer

I wanted to see this presentation, but when I arrived 300 people were waiting in line and another 400 were already in the presentation hall. On a side note, waiting in line was very entertaining. If you didn’t know you were at a computer hacking convention, you definitely would by the end of any long wait. “Hey, Cyberstud, use your Jedi mind trick to get us in there.” They would all laugh. “Oh yeah, if Scotty would just beam us in there, we wouldn’t have to wait.” Again, laughter. I decided to get in on the action. “I don’t know why they just don’t follow the white rabbit.” I was a big hit.

Although I was unable to attend, I later found out that during this presentation, they captured around 20 phone calls.

The best presentation was, in my opinion, Barnaby Jack’s Jackpotting Automated Teller Machines. One of the descriptions of this presentation said the following: I’ve always liked the scene in Terminator 2 where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I’ve got that kid beat.”

And he did. He basically explained how he was able to hack into a standalone ATM machine both physically and remotely. How could someone learn that much about an ATM machine unless they had one in their house? Did I mention he had one in his house? After a mishap and a call to a certified ATM technician, he was able to learn enough about the ATM that allowed him to hack it. When the presentation was completed, he had physically hacked into the machine, he had remotely hacked into the machine and finally, he had programmed a key sequence that when pressed, would display “Jackpot” on the screen and spit money out. It was truly one of the most amazing presentations I have ever seen.

What should you take from all of this? These people think differently. Most people look at a phone in an elevator and think “Don’t pick that up! It’s not an emergency.” They look at that phone and think, “It has to be connected to a regular phone system and if it is, I should be able to make long distance calls with it.” Make sure physical controls are in place. Doors to closets, data rooms and storage should be locked and controlled at all times.

Make sure social engineering training is done at least once a year. It’s more subtle than other security breaches, which is why social engineering may be one of the best ways into a business.

Finally, wireless technology is very convenient but can also be very vulnerable. Implement standards for how and where your employees may access wireless devices such as smart phones and notebooks. And for those of you who have policies, make sure you include these new standards in your policies.

What did I take from this? First, these guys are good. If they find a weakness they can exploit it. Take the time to thoroughly examine the security of your business, or hire a firm to do it for you. You can never assume your business is safe from outside threats. And secondly, if you are ever in Vegas the last part of July and are looking for something different to do, go to DEF CON. It is truly an eye opener.

By Chris Griesemer, IT Security Specialist

All photos by Dave Bullock found here: Hacker Wonderland: DefCon 18 in Photos