Attendees work on computers at an event during Def Con 25 at Caesar's Palace in Las Vegas, Nevada. (Photo: Courtesy of Def Con Communications)

Editor’s Note: Welcome to my weekly column, Virtual Case Notes, in which I interview industry experts for their take on the latest cybersecurity situation. Each week I will take a look at a new case from the evolving realm of digital crime and digital forensics. For previous editions, please type “Virtual Case Notes” into the search bar at the top of the site.

Back-to-back Las Vegas cybersecurity/hacker conferences Black Hat (July 22-27) and Def Con (July 27-30) have packed the last few weeks with buzzworthy cyber news, perhaps the most notable being the successful hacking of voting machines at Def Con and the arrest of Marcus Hutchins—the British security researcher lauded for helping stop the WannaCry ransomware attack, and now accused of creating his own malware—by U.S. authorities after attending both conferences.

With dozens of talks, presentations, demonstrations, workshops and hacking contests, the two events—sometimes collectively called “hacker summer camp”—have become a knowledge and networking boon for security professionals, researchers, hackers of all varieties, law enforcement, hobbyists and even actors researching hacker roles.

This week I spoke to two industry professionals recently returned from the events—senior digital forensics investigator Jamie Levy and malware researcher at Endgame Amanda Rousseau—about their roles and experiences at Black Hat and Def Con this year, and their perspective on what “hacker summer camp” has to offer to all those involved in the vast world of cybersecurity.

2017 Black Hat Attendee Survey: Portrait of an Imminent Cyberthreat

A survey was taken of 580 Black Hat USA 2017 attendees to gain insights on the perspective of those within the cybersecurity industry. Key findings included:

  • 60 percent of respondents said they believed a successful cyberattack on critical U.S. infrastructure would occur within the next two years
  • Only 26 percent of respondents were confident that U.S. defense forces were equipped to respond to a major cyberattack
  • Two-thirds of respondents said their own organizations would be likely to face a major security breach within the next 12 months
  • 36 percent of respondents cited ransomware as the most serious new cyberthreat faced by cybersecurity professionals, more than all other new threats

The full survey report can be read here.

Black Hat USA 2017

Despite its name, the speakers and attendees at the 20th Black Hat conference wear all kinds of hats, and the event’s talks covered a broad range of topics from AI, to cloud security, to ransomware and even the potential to hack turbines at wind energy farms.

“This research is based on an empirical study of a variety of U.S. based wind farms conducted over a two year period. We explain how these security assessments reveal that wind farm vendor design and implementation flaws have left wind turbine programmable automation controllers and OPC servers vulnerable to attack,” states the description of the July 26 briefing hosted by University of Tulsa researcher Jason Staggs.

This was just one example of some of the research announced and vulnerabilities exposed throughout the conference’s nearly 120 briefings that occurred over a two-day period during the six-day event, following tracks such as cryptography, malware, internet of things and network defense.

Other highlights and items of note included a CISO summit which brought together over 150 security executives from top organizations to trade insights, knowledge and strategies; a briefing by a Google-led team of researchers showing how ransomware Bitcoin payments can be tracked through machine learning; a presentation by security firm Kryptowire showing security problems with Blu brand smartphones, leading Amazon to halt the sale of the phones on their website; a briefing explaining how internet-connected car washes could be hacked to physically harm vehicles and their passengers; and a keynote address by chief security officer of Facebook Alex Stamos, in which he encouraged security professionals to do more to fight the real threats facing internet users today, and announced that Facebook will be putting $1 million into its Internet Defense Prize fund to encourage more practical defensive cybersecurity research.

In addition to the two-day period for Black Hat's main briefings, the conference started off with a three-day period for attendees to take a variety of training courses in skills ranging from offensive security, to reverse engineering, to the use of machine learning, to digital forensics. Levy, who has instructed the forensics course at Black Hat for about seven years with fellow incident response handler Andrew Case, said she’s encouraged to see students “always eager to learn” and that the conference has grown in size over the years.

“Black Hat outgrew the previous venue a few years ago, and this year was the largest crowd I have ever seen,” she recounted. “The crowd itself has also matured a lot over the years. People tend to take things more seriously, including the students taking training classes.”

She says she sees a variety of people in different roles coming to learn about digital forensics, including “people who have worked in the digital forensics/incident response (DFIR) field for years, those who are just starting out, and those who work in IT and similar fields.”

This year, she said she was impressed to see a combined area for networking, hiring and the “arsenal” where attendees can pick up a range of cybersecurity tools.

“There were a lot of people hiring, which is always a nice sign. The arsenal is always interesting since people can learn about open source tools that they can use immediately and modify to fit their needs,” she said. “I think overall this whole area was great for people who are wanting to explore possibilities, either career-wise or code-wise.

“(The conference is) a great way to meet people and learn about their research first hand, or bounce ideas off of them. In general it’s important to venture out to such gatherings just to keep yourself in the loop,” Levy concluded.


A poster on display at Def Con 25 at Caesar's Palace in Las Vegas, Nevada. (Photo: Courtesy of Def Con Communications)

Coming right after Black Hat was 25th Def Con hacker conference, which produced more eye-catching and eyebrow-raising headlines with its gaudier and more festive atmosphere, as well as its “red team” focus.

“A lot of the talks are mainly red team talks which means they’re more offensive security, exploitation, hacking things—rarely do you see blue team talks, which are about defense,” explained Rousseau, who attended both Black Hat and Def Con, and served on Def Con’s 101 panel to help new attendees get situated at the four-day event.

One of the biggest differences between Black Hat and Def Con, Rousseau says, is that Black Hat is becoming more “corporate” while Def Con remains more casual, although there is still a lot of overlap between the back-to-back gatherings.

“As far as Def Con goes, it’s much more of a ‘wear your jeans and T-shirt and shorts’ kind of place,” she explained. “Def Con is a lot less formal—you have people drinking on stage, and speaking their minds. It’s much more relaxed than Black Hat.”

With session titles like “Jailbreaking Apple Watch” and “Hacking Travel Routers Like It’s 1999,” a major theme of Def Con is putting a variety of devices and systems to the test, exposing vulnerabilities that defenders should be aware of and offenders—cybercriminals—could take advantage of.

But Def Con is not the underground criminal gathering that the phrase “hacker conference” might suggest—among the presenters were anti-abuse research lead at Google Elie Burzstein; principal security architect at Microsoft Lee Holmes; senior information security engineer for LinkedIn Luke Young; and representatives from the U.S. Federal Trade Commission, Department of Justice, Department of Commerce and Office of the Inspector General, speaking on two panels titled “Meet the Feds.”

In addition to talks, demonstrations, workshops and contests, the conference also hosted “villages,” the most notable being the Voting Machine Hacking Village that made the news after hackers were able to take over several of the machines in as little as 90 minutes. Also notable was the Car Hacking Village, where teams competed to compromise computerized vehicles; a presentation demonstrating dangerous security vulnerabilities in a smart gun; and the demonstration of a robot that was able to crack a safe with a million possible combinations in about 30 minutes.

Rousseau said she enjoyed seeing those involved in the cybersecurity world exchanging knowledge and learning from each other’s research and demonstrations. She said she hopes to see a change Def Con’s negative reputation as a potential breeding ground for cybercriminals, and for its potential benefit to the world of cybersecurity to be recognized.

“It’s mainly about highlighting security flaws so that everyone can fix them and do something about it,” she said. “A lot of us see it as a way to learn and grow.”