If you pay attention to any technology news websites you’ve probably heard all sorts of horrible news involving four horsemen and a valley in the Middle East. Let me reassure you that all the news you’re hearing is overblown but with some kernels of truth. So here is your official Defcon news roundup.
First Wired has a nice assortment of pictures from the event. The first one you see are a sample of some of the badges. Unlike most lamer conferences Defcon doesn’t use paper badges (for those who get there early). For the last five years they’ve used electronic badges that were custom made and have all sorts of nice built in features. This year’s was no exception. If you look at that first picture the silver badge that says Defcon on the screen was the one given to most attendees. There were quite a few neat little features packed into that thing. First the screen is a new technology similar to e-paper in that it doesn’t require power to maintain the image. Of course its refresh rate is 1.7 seconds making it painfully slow. The badge also has a USB connector and a place to solder on a JTAG interface for debugging. A good overview of everything dealing with that badge can be found here.
GSM “security” is dead. One of the demonstration at Defcon 18 was a device that can intercept phone calls made from GSM phones. It’s not quite as apocalyptic as it sounds since the device only works for outgoing phone calls (at this point). The device also doesn’t work for phone using 3G but with a little ingenuity a device can be used to overpower the 3G towers in the area causing the phone to drop to 2G again.
A rootkit was released for phones running Android. From what everybody has been reporting you would thing this vulnerability was in the wild. Truth be told the only way to get it installed onto phones at this point is to trick the user into downloading and installing the rootkit. In other words it’s the same “vulnerability” that exists on all PCs, you can install software. Either way this will become a big deal when it’s tied with an actual vulnerability in the Android operating system allowing for remote installation of said rootkit.
At the conference I also learned that people are still stupid in regards to security. One of the competitions at Defcon 18 was the Social Engineering contest where contestants contacted people working for companies and attempted to gleam information that would be valuable in a attack against said company. A surprising amount of information was obtained through simple phone calls simply because people don’t realize how important seemingly meaningless information is.
No security conference would be complete without tutorials on lock picking. The Lock pick Village was the place to go to learn how to pick locks and obtain tools to practice your new found skill. The staff there held seminars ranging from introduction to lock picking to the inner workings of high security locks. Anybody was free to attend (for free) any of the seminars and sit down with staff and learn how to turn those picks into lock bypassing devices. A competition was also held titled Gringo Warrior where contestants had to pick through a series of locks as quickly as possible. I was not allowed to partake in the competition as my lock pick is a .45 auto.
These are just some of the highlights from Defcon. Much more information was presented and made available to attendees. I learned quite a bit in my short few days there. Of course everything I learned didn’t make me feel much better about the current state of security as a whole.
When I saw the Kwikset Smartkey lock, my first thought was this can’t be secure, and apparently it isn’t.