Annual Hacker Takeover of Sin City

August 1, 2016 Security, Trends

The time has come once again for the largest gathering of brilliant hackers to congregate in one city. By now folks have started trickling in for the preconference Blackhat USA 2016 training that runs from Saturday the 30th to Tuesday the 2nd.

The core event kicks off Wednesday morning with founder Jeff Moss introducing keynote hacker extraordinaire Dan Kaminsky. From that point on, attendees should prepare to drink from the proverbial firehose as presenters drop the latest and greatest findings in the infosec industry. The festivities take a more nefarious turn Thursday evening as the infamous Defcon conference/party gets started. The week wraps up Sunday August the 7th as you’ll see many sluggish nerds making their way through McCarran airport after consuming way more knowledge than anyone should expect to retain in a one-week span.

I will not have the pleasure of attending this year as I’m still letting the dust settle around me in my new role at ABS. Instead, I’ll be keeping a close eye on Twitter and Reddit feeds, in an attempt to live vicariously through the internet buzz of the more impactful presentations. For those that haven’t had the opportunity to attend either conference, I’d caution against relying on the media’s view of what to expect. If I had to personify the two conferences, I’d say Blackhat is a suit-wearing corporate elite infosec professional and Defcon would be the defiant grey hat hacker that you want as a friend because the alternative is not pretty. The two conferences each have their appeal, especially for someone such as myself that makes a living offering solutions to help businesses stay ahead of the growing cyber threat that they all face day to day.

Blackhat is corporate driven and you can expect to see one of the most extravagant vendor pits of any conference out there. Any third party that can be remotely tied to security will be represented, so it’s a great time to talk directly to system engineers about new products that could solve whatever security challenges you’re facing. From a macro level it helps to identify where the industry is focusing by looking at the trends of where vendors are driving the conversation. Last year, I noticed an increase in cloud and virtual east/west security solutions. The presentations are top notch and tend to focus more on solutions and risks facing corporations. If there is a particular product (commercial/open source) that attendees want to have operational exposure to, there is an arsenal track that will show an in-depth how-to demonstration. There is no way someone can attend everything that is of interest, so I’d advise creating a plan of attack before the plane touches down in Vegas. The nightlife itinerary also needs to be tackled in advance. Most of the larger parties have an online reservation list that fills up very quickly. @defconparties on Twitter has become the de facto tracker of all things party related to the two conferences. Even if you aren’t big into the party scene, I’d recommend attending some of the larger ones just to witness how over-the-top some of these events are. Rapid7 is one vendor that sticks out as they typically spend enough marketing money to make Donald Trump blush. This year it looks like they have a party Wednesday night at the Hakkasan Las Vegas Nightclub. Did I mention I’m really bummed I won’t be there this year?

On the other hand, Defcon never disappoints in dropping 0-days and clever ways of inflicting payloads in every step of the kill chain. I stated earlier that I wouldn’t rely on the media’s depiction of Defcon. Most of the write-ups focus on the mohawks and crazy outfits that you will most definitely see. Attendees shouldn’t let this be a distraction from the genius level content that can be found in both the speakers and attendees alike. Beyond the presentations I’d recommend stopping by the focused villages. I always make a point to stop by the packet hacking village and wireless village as they are the most relevant to my background. Blackhat is overwhelming while Defcon is like 5 Blackhat conferences going on concurrently. There are 15+ things going on at any given time during the day. If attendees are bored, they simply aren’t doing it right. I still have a few things on my bucket list that I’ve not found time to experience in the past few years, such as skytalks, badge hacking, social engineering demos, the tamper-evident contest and hacker Jeopardy.

Speaking of things I hate I’ve missed out on, both Blackhat and Defcon have a few key presentations I’m especially upset that I’ll be missing. After car hacking was picked up by the mainstream media due to Charlie Miller and Chris Valasek’s presentation, I’m sure this year’s talk by Jonathan-Christofer Demay and Arnaud Lebrun will be standing room only. They plan to release CANSPY, which is a tool designed to hack CAN buses in cars. Another topic of importance to me of late is cloud security. With AWS becoming the easy button for virtual datacenter operations, Dan Amiga and Dor Knafo are giving a talk titled “Account Jumping, Post Infection Persistency & Lateral Movement in AWS”. The title alone gets me excited about what these guys will unleash. Blackhat’s website allows the presentations to be sorted by topic. When I sort by Enterprise and Network Defense, the results are where I would be spending my time if I were attending this year.

Defcon has a slew of awesome talks and groundbreaking events scheduled this year. DARPA has gone all in on the Cyber Grand Challenge, dropping $3.75 million in total prize money with $2 million going to the winning team. For those not in the know about Cyber Grand Challenge, teams will be judged on how well their fully autonomous systems can discover, prove, and fix system vulnerabilities. This contest will surely bring in a lot of press and attention from outside the typical infosec channels. However, hands down, the most interesting talk that I’ve read up on is being presented by SensePost engineers. Rogan Dawes and Dominic White are scheduled to release a tool that by all accounts will exceed the capabilities of current USB pentesting tools on the market. The talk is titled “Universal Serial Abuse: Remote Physical Access Attacks”. I’m particularly excited about this topic as it closely relates to the presentation I was fortunate enough to give last year at Defcon 23. I’m anticipating the SensePost tool will be capable of significantly reducing the forensic footprint while exploiting the victim in a similar method as I demonstrated last year. For raw thought-provoking content, attendees should be sure to listen to Jay Healey’s talk “Feds and 0days: From Before Heartbleed to After FBI-Apple”. His resume is unprecedented, with time spent starting the first Cyber Command and working in the White House, and he is currently a Senior Research Scholar at Columbia University. This one will likely not disappoint. In reality there are always hidden gem talks which completely over-deliver on my expectations.

This week is an exciting time in the infosec world. There will be more hacks, defensive tactics, and products released this week than any other week of the year. The vendors and speakers at Blackhat will surely set the bar, as they always do, to remain the pinnacle corporate security conference. The halls of Mandalay Bay will be full of value proposition talks and strategies to mitigate the latest threats. Later in the week, a few blocks down Las Vegas Blvd, the party really kicks into high gear as Defcon 24 launches. The brightest whitehats, blackhats, and greyhats will descend upon Paris and Bally’s casino for the greatest hacking event in the world.


Jeremy has built his career around protecting assets in the most critical IT sectors.