“Our Uber driver told us to turn off the Bluetooth and WiFi on our phones while we’re out here this week. He said not to connect to anything or we’ll be hacked.” Two women shared this with me as the three of us waited to ride the SlotZilla Zipline in downtown Las Vegas late Friday night. I told them I was in town attending DEFCON and that their driver gave them good advice. In fact, this was the first time I brought a “burner phone” with me – that is, a prepaid cell phone with a number that is not connected to any of my current contacts, email, social media, or bank accounts. The previous two years, I used my personal smartphone’s SIM card in an old Samsung flip phone to keep in touch with friends back home. However, with all of the media coverage about the still-unpatched SS7 vulnerability and how German hackers recently used it to circumvent two-factor authentication and drain unsuspecting victims’ bank accounts, I opted to play it safe and kept my personal cell phone far away from the Las Vegas strip.
As far as WiFi was concerned, I refused to connect my burner phone to any hotspots, even though DEFCON offers its attendees a supposedly secure wireless network to use. One security vendor displayed a live map of both the DEFCON and Caesars Palace wireless networks and pointed out rogue devices connecting the two, opening the door to all kinds of vulnerabilities, exploits, and hacks. One attendee even took it upon himself to go "warwalking," strolling through the halls wearing a large, heavy contraption reminiscent of the proton packs worn in the movie Ghostbusters. He called his creation the "WiFi Cactus," a tool he designed by daisy-chaining 25 Pineapple Tetras together to detect and record suspicious activity on wireless networks. His goal was to raise awareness of the dangers of connecting to public WiFi hotspots and to study the types of attacks that were taking place at DEFCON. You can read more about his unique and attention-grabbing project here.
Since this was my third time attending the conference, I couldn't help but notice that the event's popularity has grown exponentially. According to at least one source on Twitter, 25,000 people were in attendance, making this another record-setting year. Fortunately, the organizers chose a larger venue this time making room for more talks, villages, activities, and attendees. But besides the expanded opportunities for learning and networking, I took note of another positive change - the sheer diversity of the crowd. For the average person, the word "hacker" tends to conjure up stereotypical images of basement-dwelling, socially-awkward young men intent on causing digital destruction. And, even though there will always be some who embody that stereotype, this conference was filled with people from all walks of life, from young children who are just beginning their journey in cybersecurity to old sysamins who can probably teach the rest of us a thing or two. There were people from different backgrounds and cultures with varying levels of education, career success, and skillsets. What surprised me the most, however, was the noticeable increase in the number of women in attendance. Now, it certainly wasn't a 50/50 split by any stretch of the imagination, but there were definitely more women this year attending talks and participating in some of the hands-on hacking villages than I've seen previously. Even the nonprofit organization Women in Security & Privacy had a presence there to encourage women to pursue a career in technology. The face of InfoSec is changing for the better and, as a woman in cybersecurity myself, I was happy to see more women involved and actively engaged in all that DEFCON had to offer.
The event organizers went out of their way to make everyone feel welcome and create a culture of inclusivity, especially for newcomers, or "n00bs" as they're playfully called in the hacker world. They encouraged the n00bs to make new friends and invited seasoned veterans to share stories of their first experience at DEFCON. Staff members were always available to answer questions, help people navigate the convention, settle minor disagreements, and offer support when needed, even providing a separate space for recovering alcoholics who may be struggling with the temptation to drink while in Las Vegas.
As I walked among the crowds, I detected a different vibe in the air than in previous years. It felt as though there was more of a collective focus on making a positive impact and improving security than hacking for fun and profit. One presentation in particular exemplified this feeling. As I popped into the Social Engineering Village, Chris Hadnagy, security expert and owner of the website Social-Engineer.org, was unveiling his new non-profit organization called the Innocent Lives Foundation, created to help unmask online child predators and bring them to justice. As Chris spoke, his voice was filled with both passion and sorrow as he explained to the audience why he decided to start this project. Through the course of his work he has, sadly, come across many websites and online groups filled with people participating in, and profiting from, child trafficking and exploitation. He has assisted law enforcement on a few cases in the past, but he felt driven to do more to help the innocent victims ensnared in this sick and disturbing trade. After Chris finished speaking, I felt compelled to shake his hand and offer him my business card as he sought to establish connections with law enforcement agencies across the country in an effort to combat human trafficking. If you or anyone you know works these types of cases, please consider reaching out to Chris Hadnagy and his team through the Innocent Lives Foundation website.
With so many thought-provoking lectures and impressive demonstrations, DEFCON never disappoints. I certainly encourage anyone with an interest in cybersecurity to attend next year. In the meantime, information about this year's conference can be found at defcon.org and PowerPoints from the presentations can be downloaded for free from the DEFCON Media Server.