From iPhones to smart grids at Black Hat, Defcon

My favorite security show each year is one at which there are no sales pitches, the speakers favor black T-shirts and dyed hair over suits and ties, and the talks tend to be controversial enough to prompt legal threats and even arrests.

I'm talking about Defcon, which starts Thursday and runs through Sunday. The event turns part of the Las Vegas strip into a geek equivalent of "Animal House" for a three-day weekend every summer.

Started in 1993 by Jeff Moss, aka Dark Tangent, Defcon brings together some of the top security experts from around the world, along with thousands of hacker wannabes whose pranks in previous years--hacking the elevators and ATMs and cementing the toilets, to name a few--have led to bans at certain hotels.

"One good thing about the [economic] downturn is that the Riviera Hotel has been easier to deal with," said Moss, who was recently named to the Homeland Security Advisory Council. "They're letting us have access to the pool, so we'll have pool parties, and they've allowed us to do more social things that we wanted to do."

In addition to being a hacker playground and summer camp, Defcon is a semi-neutral ground where people who blur the lines of legality mingle with federal agents whose job it is to hunt them down.

Moss also heads up Defcon's big-sister conference, Black Hat, whose briefings schedule runs Wednesday and Thursday at the more upscale but no less kitschy Caesars Palace. (Black Hat training sessions started over the weekend.)

While Black Hat is more professional, with vendor tables in the lobby and respectable product presentations in meeting rooms, Defcon is a chaotic tableau of goth-attired groupies, script kiddies hunkered over laptops lining the hallways at all hours of the night and gray-haired hackers who were likely teens when they first started coming to the event.

The presentations are usually top-notch (many of them duplicates from the more expensive Black Hat show), but Defcon is known just as much for the activities going on outside of the sessions.

There's Hacker Jeopardy, Hacker Karaoke, an artwork contest, geo-caching events, a beverage cooling contraption contest, organized target shooting, a Capture the Flag penetration testing competition, lock picking workshops, a PGP Key Signing Party, DJs, a scavenger hunt, the highly popular Spot the Fed contest, a competition to find the best social engineer and a Cannonball Run car race described as "a race against time over 288 miles of road" from Redondo Beach to Las Vegas on Thursday.

Despite the recession, both events are expected to be crowded.

"We had been expecting 30 percent fewer attendees and in reality we're only going to have 10 to 15 percent fewer," Moss said. "The market went down and all of this research came up."

The research topics run the gamut of vulnerabilities and exploits on everything from iPhones to smart grids. One session deals with air traffic control security (or lack thereof). Others have to do with injecting electromagnet pulses into the wiring system of jets, insecurities with Firefox plug-ins, cloud computing security issues and a new tool to send controversial news to censored countries without using proxy servers.

Unveiling a darknet
Several researchers are going to release a tool for hacking into Oracle databases. Meanwhile, two Hewlett-Packard researchers plan to demonstrate a proof-of-concept browser-based darknet type of network called "Veiled" that allows for the creation of a secure, decentralized peer-to-peer network in which no client software is downloaded.

"The clients are the owners of the files and there is no single point of failure," said Matt Wood, a senior researcher in the Web Security Research Group at HP Software and Solutions. "No one in the government can go to you and say 'we need the files.'"

Interesting session titles include "Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High," "Manipulation and Abuse of the Consumer Credit Reporting Agencies," "Hacking Capitalism '09," and "'Smart' Parking Meter Implementations, Globalism, and You (aka Meter Maids Eat Their Young)."

There's always a Meet the Fed panel with representatives from all the major defense and security-related government agencies. And well-known keynote speakers and presenters include Robert Lentz, chief security officer for the Department of Defense; Rod Beckstrom, former Director of the National Cyber Security Center in the U.S. Department of Homeland Security; Adam Savage, co-host of the "MythBusters" TV show; and perennial favorite Bruce Schneier, security guru and chief technology officer of BT Counterpane.

When hackers go public with details on exploits, vendors get nervous--companies have moved to block presentations at the shows over the years. This year is no exception. Juniper Networks pulled a talk one of its researchers was set to give about a flaw in ATM software after the ATM vendor complained. In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to provide a live demonstration of an attack on an automated teller machine.

"I'm disappointed Barnaby Jack's talk was canceled," said Moss. Another speaker this year was "forced or encouraged" not to release a tool, Moss said, but he couldn't remember which speaker or talk it was.

Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. In 2005, a security researcher was sued after giving a presentation at Defcon on how attackers could take over Cisco Systems routers. And in 2001, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave a Defcon talk about insecurities in e-book security software. All cases were eventually settled.

Defcon averted another type of legal debacle this year--the importation of its microprocessor-dependent badges, which are needed for the badge-hacking contest.

"I'm excited the badges for Defcon will be here," Moss said gleefully. "They were held up in Chinese customs for two months. It was a complete nightmare."