Missed DEF CON 32? Don’t Worry, We’ve Got You Covered!
Posted August 27, 2024 by Sayers
If you couldn’t make it to Las Vegas for DEF CON 32 and braving the sweltering 110+ degree weather wasn’t in the cards, don’t sweat it—literally! The Sayers Engineering team has all the highlights for you, and no SPF 50 required.
What is DEF CON?
DEF CON is not your typical cybersecurity conference. Unlike Black Hat, which focuses heavily on enterprise cybersecurity, DEF CON is a creative hacking conference that brings together a broad and diverse community. Here, the content is more accessible and geared towards the curious mind—individuals who enjoy delving deep into how things work and figuring out how to compromise them, not out of malice, but out of a sense of curiosity and the drive to prevent potential threats. The emphasis at DEF CON is on responsible disclosure and collaboration to enhance security, rather than causing disruption.
The Venue
This year, DEF CON moved to the Las Vegas Convention Center’s West Hall, a stunning and modern facility. Although not the originally planned venue, it turned out to be the best location yet. Having all sessions and events under one roof made the experience more streamlined for the 30,000+ attendees, with shorter lines (LineCon) and ample seating in most sessions.
Unique Features of DEF CON
Unlike other conferences, DEF CON doesn’t have a traditional vendor expo hall. Instead, it offers a variety of “villages” that cater to specific interests, ensuring there’s something for everyone. These villages provide hands-on workshops, contests, communities of shared interest, and much more, where you can dive deep into learning, collaborating, and putting your skills to the test. For those who thrive on competition, DEF CON’s extreme Capture the Flag (CTF) events offer challenges across many areas and skill levels, keeping participants fully engaged.
Car Hacking Village
One of the standout villages this year was the Car Hacking Village, which featured not only a Tesla but also a Rivian and a Freightliner Semi-Truck, provided by Sayers client Saia. This village highlighted a growing trend: companies collaborating with the hacking community to rigorously test their business systems. This cooperative approach is a win for both sides, leading to more secure outcomes. More organizations should adopt this proactive stance.
Our Top Talks
Below is a sample of our favorite talks, categorized by topic:
Cloud
Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources
Aqua Security hosted a great presentation on what they are dubbing “Bucket Monopoly”. The concept is surprisingly simple but affected the following services: CloudFormation, Glue, EMR, SageMaker, Service Catalog, and CodeStar. When using these services, a “shadow” S3 bucket is created automatically, and its naming convention is predictable. The fascinating part is how the service behaves when a bucket with that name already exists, whether it was created by the organization or by a nefarious actor. If an attacker were to create the bucket following the predictable naming convention for CloudFormation and open it publicly, then an organization’s service would in fact place a CloudFormation template in the attacker’s bucket, where it could be altered in whatever way the attacker wanted.
Links: Aqua Security’s Blog Post
Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access
Nick Frichette at Datadog highlighted vulnerabilities involving AWS’s AssumeRole that can lead to nefarious cross-account access. The more recent expansion of this is through Cognito identity pools and AssumeRoleWithWebIdentity. An attacker can generate the identity token required for the AssumeRoleWithWebIdentity API call and then, by taking advantage of a misconfigured role trust policy, supply the ARN of a role in the victim account. The result is that the attacker gains access to every resource the role has privileges over. It is important to add condition keys such as aws:SourceArn or aws:SourceAccount, among others, to tighten down AssumeRole.
Links: Presentation | Amplified Exposure | Confused Deputy Vulnerability
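Both of the cloud talks above come down to the same defensive question: does a policy in your account pin down who (or whose bucket) it is dealing with? The script below is an added example, not code from Aqua Security, Datadog or Sayers. It is an offline linter for IAM JSON policy documents that flags two things: trust-policy statements that let a federated or cross-account principal call an AssumeRole* action with no caller-binding condition (the AssumeRoleWithWebIdentity case), and permission statements that grant S3 actions on every bucket without an aws:ResourceAccount condition (which is what lets a service write into a bucket someone else claimed under a predictable name). Beyond the aws:SourceArn and aws:SourceAccount keys the talk mentions, it also checks for sts:ExternalId and cognito-identity.amazonaws.com:aud, which are standard IAM condition keys for the same purpose. The account ID, identity-pool ID and sample policies are constructed placeholders.

```python
import copy

# Condition keys that pin an AssumeRole* call to an expected caller.
TRUST_BINDING_KEYS = {"sts:ExternalId", "aws:SourceArn", "aws:SourceAccount",
                      "cognito-identity.amazonaws.com:aud"}
OWN_ACCOUNT = "111111111111"  # constructed placeholder for the account being audited


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _condition_keys(stmt):
    """All condition keys in a statement, across every operator block."""
    return {k for block in stmt.get("Condition", {}).values() for k in block}


def _outside_principals(stmt, account_id):
    """Principals that are not IAM identities in our own account."""
    principal = stmt.get("Principal", {})
    ids = ["*"] if principal == "*" else [p for v in principal.values() for p in _as_list(v)]
    return [p for p in ids if p != account_id and not p.startswith(f"arn:aws:iam::{account_id}:")]


def _allow_actions(stmt, prefix):
    """Lower-cased actions of an Allow statement if any matches the prefix (or is '*')."""
    if stmt.get("Effect") != "Allow":
        return []
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return actions if any(a == "*" or a.startswith(prefix) for a in actions) else []


def audit_trust_policy(policy, account_id=OWN_ACCOUNT):
    """One finding per statement that lets an outside principal assume the role
    with no condition key binding who that principal must be."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = _allow_actions(stmt, "sts:assumerole")
        outside = _outside_principals(stmt, account_id) if actions else []
        if outside and not (_condition_keys(stmt) & TRUST_BINDING_KEYS):
            findings.append(f"statement {i}: {outside} -> {actions} with no caller-binding condition")
    return findings


def audit_s3_permissions(policy):
    """One finding per statement granting S3 actions on any bucket without
    aws:ResourceAccount, i.e. without requiring the bucket to be ours."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if not _allow_actions(stmt, "s3:"):
            continue
        if any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt.get("Resource"))) \
                and "aws:ResourceAccount" not in _condition_keys(stmt):
            findings.append(f"statement {i}: S3 access to every bucket, bucket owner not restricted")
    return findings


# Constructed sample policies: a Cognito identity-pool role trust before and
# after adding the audience condition, and a service role's S3 grant before and
# after restricting it to buckets owned by this account.
WEAK_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity"}]}

HARDENED_TRUST = copy.deepcopy(WEAK_TRUST)
HARDENED_TRUST["Statement"][0]["Condition"] = {
    "StringEquals": {"cognito-identity.amazonaws.com:aud":
                     "us-east-1:00000000-0000-0000-0000-000000000000"},  # placeholder pool id
    "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}

WEAK_S3 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::*"}]}

HARDENED_S3 = copy.deepcopy(WEAK_S3)
HARDENED_S3["Statement"][0]["Condition"] = {"StringEquals": {"aws:ResourceAccount": OWN_ACCOUNT}}


if __name__ == "__main__":
    for name, pol, fn in [("weak trust", WEAK_TRUST, audit_trust_policy),
                          ("hardened trust", HARDENED_TRUST, audit_trust_policy),
                          ("weak s3", WEAK_S3, audit_s3_permissions),
                          ("hardened s3", HARDENED_S3, audit_s3_permissions)]:
        print(name, "->", fn(pol) or "OK")
```

The checks are deliberately coarse: they look only at whether a binding condition key is present, not at whether its value is correct, so a finding means "review this statement" rather than "this is exploitable". In practice you would feed the output of get-role / get-role-policy through these functions rather than the constructed samples.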
General Security
Atomic Honeypot: A MySQL Honeypot That Drops Shells
Alexander Rubin and Martin Rakhmanov from AWS delivered a talk on MySQL honeypots that are capable of dropping shells on attacking systems. By running a fake MySQL server, the researchers were able to use the MySQL client RCEs CVE-2023-21980 and CVE-2024-21096 to gain remote access that can be used to attack and stop bots and attackers.
Links: Presentation | CVE-2023-21980 | CVE-2024-21096
Breaking Secure Web Gateways (SWG) for Fun and Profit
SquareX founder Vivek Ramachandran highlighted and demonstrated attacks that can bypass even the most popular Secure Web Gateways. Using Last Mile Reassembly attacks, even the most common malware can slip through to an end user’s computer undetected. According to SquareX, “a Last Mile Reassembly Attack refers to a type of cyberattack where the malicious components are assembled directly in the victim’s browser from seemingly non-malicious data” [1]. Vivek even showcased a site where organizations can test their current security against this style of attack at https://browser.security/.
Links: [1] https://sqrx.com/lastmilereassemblyattacks | browser.security | Session Overview
The XZ Backdoor Story
One of the most famous security stories of 2024 revolves around the XZ Utils backdoor and the research that followed. Thomas Roccia, a Senior Threat Researcher at Microsoft, walks through his journey from the discovery and timeline to what it means for the security industry.
Links: Presentation
Miscellaneous Talks
Bioterrorism with Mixæl Swan Laufer – Standing Ovation!
Links: Presentation
AI Hacking at a Casino with Harriet Farlow
Links: Presentation
Laundering Money From Laundry Machines with Michael Orlitzky
Links: Presentation Recording
The Pwnie Awards – Most Epic Fail goes to CrowdStrike – Professionally accepted!
Links: N/A
Behind Enemy Lines: Going Undercover to Breach the LockBit Ransomware Operation
Author and Chief Security Strategist Jon DiMaggio gave a fantastic firsthand account of infiltrating the LockBit crime syndicate. LockBit was the most deployed ransomware variant in 2022, going so far as to operate under a Ransomware-as-a-Service (RaaS) model. Jon went on to publish the Ransomware Diaries series, which is well worth the read.
Links: Presentation | Ransomware Diaries Vol 1 | Understanding Ransomware Threat Actors: LockBit
Smishing Smackdown: Unraveling the Threads of USPS Smishing and Fighting Back
In one of my personal favorite talks of DEF CON this year, Grant Smith explains how he hunted down the Smishing Triad network, which sends up to 100,000 texts per day globally. In total, over 438,000 unique credit cards were identified through Smith’s research. The journey from a simple USPS phishing text to uncovering a massive operation is well worth the read/watch.
Links: Presentation | Wired Article