DEF CON in the news

  • TheCotMan
    replied
    Re: DEF CON in the news

    Mobile developers challenged to boost privacy
    Originally posted by url
    ACLU leads the development competition, which seeks to address security on smartphones
    ...
    a competition for mobile application developers to address privacy concerns about mobile phones and other portable devices.
    ...
    Contest submissions will be received at the Develop for Privacy website until May 31, 2011. A contest winner will be announced in August at an event in Las Vegas coinciding with Defcon and Black Hat security conferences. Whoever makes the best overall submission will be given the opportunity to discuss the application with the audience and judges at the ceremony.
    ...
    Follow link for full story.

    I am not sure what this means. It suggests there will be an announcement in front of the audience of Defcon or BlackHat or both, but the word "coinciding" is often used to mean, "concurrent and in parallel," more than, "as a part of" (think bsides, and you might understand what I mean.) Also favoring this question of it being "part of" Defcon and BlackHat, it would be strange to have the winner announced in two different presentations one or more days apart. I'm probably missing something.
    Last edited by TheCotMan; February 5, 2011, 14:29.


  • TheCotMan
    replied
    Re: DEF CON in the news

    Hackers are looser to visiting trusted sites

    Originally posted by url
    Hackers at the Black Hat and DefCon security conferences have revealed a serious flaw in the way Web browsers weed out untrustworthy sites and block anybody from seeing them.
    ...
    The attack was demonstrated by three hackers. Independent security researcher Moxie Marlinspike presented alone, while Dan Kaminsky, with Seattle-based security consultancy IOActive Inc., and security and privacy researcher Len Sassaman presented together.
    ...
    Jeff Moss, founder of the Black Hat and Defcon conferences who this summer was appointed to the Homeland Security Department's advisory council, said the fact a hacker has to actually break into a victim's network for the attack to work can limit its usefulness.
    ...
    Follow link for full story.

    Strange that this "story" is just being dated today, when Defcon was several months ago. Somehow, I think there is something wrong with the claimed date for this story. The source link for this story is cited as
    this url which has a claimed post date of October 27, 2010, still 2 months after Defcon.
    Last edited by TheCotMan; December 6, 2010, 21:23.


  • TheCotMan
    replied
    Re: DEF CON in the news

    http://www.nextgov.com/nextgov/ng_20...?oref=topstory

    Story about Defcon event(s), feds, recruitment at Defcon and more. Not as much of a fluff piece as we usually see from journalists focusing on "the weird" without context. It is a longer read than usual, too.
    Last edited by TheCotMan; October 30, 2010, 10:14.


  • TheCotMan
    replied
    Re: DEF CON in the news

    URL1

    Originally posted by url1
    New Un-Hackable System, (c2) Will Provide U.S. Cyber Command with a Solution to Escalating Cyber Attacks
    ...

    “Through (c2) we will be able to offer a permanent solution and nuke the problems related to cyber-attacks once and for all," said Ferenc Ledniczky, co-founder and President of Hun Technology Inc.

    ...

    “Because the current software architecture is hackable by design, it simply cannot be made completely safe,” said Ferenc Ledniczky underlining what other industry experts have already confirmed.

    ...

    “...original programs and operating systems were not designed with today's security and confidentiality issues in mind,” noted Jeff Moss, founder of Black Hat and DEF CON during the organization’s computer security conference in Las Vegas, Nevada earlier this year.
    See full story at URL above for full text.

    If you want to start a discussion about this, copy/paste into new thread in community talk. If you provide intelligent commentary on the news story and reflection on the claims, I or another mod will move it to the "Value Added News" forum for continued discussion.


  • TheCotMan
    replied
    Re: DEF CON in the news

    Lock Picking Popularity Growing=URL1

    Originally posted by URL1
    Posted by John Sawyer, Sep 24, 2010 04:41 PM
    ...
    One of the always-popular areas during DEF CON is the lock picking village where attendees can try their hand at picking locks of all types.
    ...
    There has been an entire community that has sprung up from lock picking into what is called "locksport,"...
    ...
    The first was the release of "Practical Lock Picking: A Physical Penetration Tester's Training Guide" by Deviant Ollam...
    ...
    The other project was by Schuyler Towne who created the Kickstarter project called "Lockpicks by Open Locksport."
    ...
    Mostly about locksport and topics related to lockpicking/bypass at Defcon.


  • BlackOrchid
    replied
    Re: DEF CON in the news

    http://www.earthtimes.org/articles/p...s,1398205.html
    core Security

    http://www.reuters.com/article/idUSTRE66T52O20100730
    Android Hack released


  • DJ Jackalope
    replied
    Re: DEF CON in the news

    Ninja Badge:
    http://www.wired.com/threatlevel/201...n-ninja-badge/

    ATM Hacking (from BH)
    http://finance.yahoo.com/news/Bunker...35708.html?x=0

    Cell Phone Interception talk / Chris Paget is scheduled to give a talk on cellphone insecurity:

    http://www.net-security.org/secworld.php?id=9651


  • TheCotMan
    replied
    Re: DEF CON in the news

    EFF Contest: "who can get more money for us" closes with final results in news story:

    http://www.eff.org/deeplinks/2010/06...-final-results


  • TheCotMan
    replied
    Re: DEF CON in the news

    Yay. Yet another collision for the word "DEFCON":

    Usenix provides peak under hood of event processing security
    Originally posted by article
    ...
    This week at the Usenix conference ... researchers discussed their work on balancing the needs of high-speed event processing and information security. They call their system "DEFCon," for "Decentralized Event Flow CONtrol."
    ...
    A goal is to avoid event unit objects that have references to each other. Instead they have reference only to objects "controlled by DEFCon."
    ...
    It is hard to do the secure process isolation, have a quick system, and use basic Java skills. Enter the DEFCon API.

    The U.K researchers did not have to call their system DEFCon, but who can blame them? "DEFCON," among other things, happens to be the U.S. DoD's designation for the defense readiness condition of the U.S. military. It is not for sure that DEFCon 1 has ever been used, but it is certain that many a feature film has "gone to DEFCON 1," just before a few thrilling bits where Martians, Vin Diesel, or Steven Segal blow up or save the world. Also for certain: a few more APIs will come this way to enable the event processing tools for wider use.
    Last edited by TheCotMan; June 25, 2010, 15:57.


  • LosT
    replied
    Re: DEF CON in the news

    Yeah, but this isn't the first time there has been an SE contest... *smirk*


  • TheCotMan
    replied
    Re: DEF CON in the news

    URL1=New Defcon contest tests hackers' social-engineering skills (InfoWorld)

    Mentions of Defcon included below:
    Originally posted by URL1
    ...For the first time, this year's Defcon gathering in Las Vegas will feature a contest in which participants will compete to gather nuggets of information from unsuspecting target companies...
    ....
    Social-Engineer.org is partnering with Defcon to present spotlight social-engineering techniques in the form a new capture-the-flag (CTF)-style contest.
    ....
    CTF hacking tournaments have long been a staple at Defcon, with teams working against each other both to protect their systems from attack and to penetrate the systems of opposing teams.

    URL2=Defcon To Host 'Capture The Flag' Social Engineering Contest (Dark Reading)

    Originally posted by URL2
    In a twist to the popular "capture the flag" game played by hacking teams every year at Defcon, the hacker conference is hosting a contest that aims to test participants' social engineering skills ...
    ....
    They score points for the reconnaissance information gathered as well as for the plan of attack, all of which must be submitted one week prior to Defcon in a dossier format.
    ....
    Each contestant gets a 20-minute window to perform the attack live at Defcon...
    ....
    Hacking contests are all the rage at Defcon...
    ....
    But given that it's Defcon, it's still likely to stir up a little trouble somehow.
    ....
    The "flag" in the contest is basically a list of the specific information the contestants must get during their phone call at Defcon...
    ....
    The social engineering contest runs from July 30 to Aug. 1 at Defcon in Las Vegas.

    URL3=Rootkits on Android smartphones

    Originally posted by URL3
    They have recently announced that they came up with a proof-of-concept kernel-level rootkit in the form of a loadable kernel module, with the help of which they will demonstrate an attack on a Android smartphone at the DefCon conference next month.


  • TheCotMan
    replied
    Re: DEF CON in the news

    URL1=http://www.darkreading.com/blog/archives/2010/05/not_too_late_to.html

    Title: Not Too Late To Learn From Defcon CTF Qualifiers

    Originally posted by URL1
    This past weekend was the return of the wildly popular Defcon Capture the Flag qualifiers. "Quals," the commonly used nickname, is an entire weekend of non-stop online security challenges that test everything from simple trivia to advanced reverse engineering and exploit development.
    ....
    Wondering what the teams get out of competing? Well, for starters, the top nine go on to compete in Las Vegas during Defcon against the previous year's winning team.
    ...
    For complete story, follow the link to the news story.


  • TheCotMan
    replied
    Re: DEF CON in the news

    Article Title: Social stupidity: Am I too social to be saved?
    URL1=http://www.computerworld.com/s/article/9177319/Social_stupidity_Am_I_too_social_to_be_saved_

    Reference to presentation from Defcon 17:
    'Tom Eston, Kevin Johnson and Robin Wood cooked up for the "Social Zombies: Your Friends Want to Eat Your Brains"'


    Originally posted by article
    This morning I was flipping through the slides security researchers Tom Eston, Kevin Johnson and Robin Wood cooked up for the "Social Zombies: Your Friends Want to Eat Your Brains" presentations they gave at DEFCON 17 and ShmooCon.

    The further in I got, the more I was hit with an uncomfortable realization. As careful as I am on these platforms, I still put my privacy at risk all the time.
    Quote above contains only reference to Defcon.


  • TheCotMan
    replied
    Re: DEF CON in the news

    URL1=http://www.securityinfowatch.com/the-security-industry-world-has-changed
    Title: "The security industry world has changed"

    Originally posted by URL1
    Video System Attack

    Last year at the DEFCON conference, which describes itself as "The Hacker Community's Foremost Social Network," a network research firm (people who do network penetration testing for a living) hacked a brand-name system and fed back copied video into its video display and recording stream. They picked up an object off a table, but the video system showed the object as still being there. This type of attack is called a "replay attack," where data recorded earlier is played back later and fed into the system.

    A sophisticated version of this attack would involve injecting captured video data of the object removal several hours later in time from when it actually occurred. The system's time-stamped video would then provide "evidence" of the object's removal at a time when the attackers were several hours away, establishing a solid alibi. The recorded video would be properly watermarked by video management software, thus falsely "authenticating" the fact that the attackers "could not have done it."

    You can download the 50-minute video of the presentation from the DEFCON home page (www.defcon.org), under the heading "Advancing Video Application Attacks with Video Interception, Recording, and Replay."

    URL2=http://www.zdnet.com.au/photos-from-the-frontline-auscert-2010-339303305.htm
    Title: Photos from the frontline: AusCERT 2010

    Originally posted by URL2
    Marcus said Americans are the "bad-asses" of cyber warfare because of organisations like the SANS (SysAdmin, Audit, Network, Security) institute, which teaches people "how to be a cyber-warrior". He also called the DEFCON conference "a combination of performance art plus computer security".
    For full articles, follow the links. The only references to Defcon at the end of each link are quoted above.
    Last edited by TheCotMan; May 20, 2010, 16:01.


  • TheCotMan
    replied
    Re: DEF CON in the news

    URL1=Dark Reading: "Five Ways to (Physically) Hack A Data Center "

    Looks like it is a reference to the Lockpicking Village and/or Lockpicking contests at Defcon.

    Quote from URL1 mentioning Defcon:
    Originally posted by URL1
    Another common physical weakness in the data center is the door lock: Jones says he sees many weak locks and unprotected door latches at the data center threshold. "Lock-picking a well-known and understood trick," he says. "It's almost a sport now."

    Free lock-picking kits distributed at Defcon and for sale on the cheap on line make it easy for most anyone to crack the standard door lock, he says.
    Huh. "Almost a sport." (Emphasis my own. :-)

    More entertainment than that can be found in the article.

