DEF CON 25 has come and gone, but the cybersecurity world is still reeling from some of the research and advanced threats demonstrated at this annual convention of the world’s foremost hackers. Security professionals are more aware than ever of the increasing number of threats targeting everyday devices—from smart appliances to voting machines. Keep reading for insight into DEF CON from Webroot security experts.
Wreck the vote
Voting machines were hacked in about 90 minutes at DEF CON. Advanced Voting Solutions (AVS) WINVote was one of the 30 voting machines available to be hacked. The password was… wait for it… “abcde”. These are the same machines that were used for the 2004, 2008, and 2012 U.S. presidential elections. AVS went out of business years ago and stopped supporting the machines in 2007, yet Virginia was still using them in 2015! The implications are huge; not only does this confirm that voting machines are definitely hackable and voting tampering is entirely plausible, but also that government oversight for the security of these machines is grossly negligent.
DEF CON also displayed its notorious “Wall of Sheep,” where experts analyzed unencrypted network packets to show usernames and password, perfectly readable in plain text. We saw some IoT devices using unsecure protocols like FTP, POP3, IMAP, and HTTP, which were practically handing out the credentials people used to log into them. In particular, I saw more than a few smart doorbell devices on the Wall of Sheep while I was in the room. Makes you rethink your sense of home security.
– Tyler Moffitt, Sr. Threat Research Analyst
A CISO’s perspective
Hacking #ICS and #IoT @defcon tell me it’s not that easy? #Webroot #CISOapproved pic.twitter.com/OGQ4S9DNxu
— Gary Hayslip (@ghayslip) July 28, 2017
This year, I was amazed at the size of the crowds. DEF CON is truly becoming a must for security professionals to educate themselves on new threats and get hands-on experience in areas such as physical security, hacking and defending SCADA/ICS systems, and penetration testing on wearable devices.
One event I found especially interesting was by the company NXT Robotics, which offered up one of its security robots for hackers to attack. The bot withstood over 96 hours of continuous testing. When I questioned the founder of NXT, he said the robot was designed with a secured version of Linux from its initial design phase—their whole product life-cycle is focused on “security by design.” That impressed me. Given the growing number of IoT devices on the market today, the security of the device, its data, or how it integrates into larger infrastructures is not always accounted in the prerequisites for design. You can see that clearly in the large number of IoT devices that were on display at DEF CON, including cars, which were being stress-tested by many of the conference attendees.
One last point: many of the discussions centered on new attacks or new vulnerabilities enabled by our increasingly intertwined infrastructure. I hope to see more presentations on unique ways to defend and manage risk for organizations that have disparate networks and technologies. As DEF CON proves, hacking isn’t just for attacking; it can be about being creative in defending as well.
– Gary Hayslip, Chief Information Security Officer
Fresh threat research
Every year, without fail, security researcher Chris Domas of Battelle Memorial Institute has something really cool to share. At DEF CON this year, he presented Sandsifter, a project focused on fuzzing the x86 processor to reveal hidden processor bugs and undocumented instructions. Thanks to Sandsifter, a number of secret processor instructions have been uncovered in x86 chips from every major vendor, revealing both benign and security-critical hardware bugs.
Researcher Dimitry Snezhkov, a senior security consultant for X-Force Red at IBM, presented a tool that can offer command and control to penetrated environments via webhooks. In this way, hackers can use approved sites for communication, perform data transfers, and more without detection. (The idea is that HTTP accesses to GitHub are not likely to be filtered and will probably fly under the radar of network administrators.)
– Eric Klonowski, Sr. Advanced Threat Research Analyst