I returned from my second Hacker Summer Camp a few weeks back, Black Hat and DEF CON, and I’m excited to share my observations and notes.
What is Hacker Summer Camp?
DEF CON was started by Jeff Moss (known as Dark Tangent) at the age of 18 in 1993, with around 100 attendees, and it was this event that led to the establishment of Black Hat in 1997. This year (2023) marks the 31st DEF CON event. Both conferences are held consecutively in Las Vegas during late summer. You should check out the 20th Anniversary documentary. The estimated attendance for 2023 is between 30,000 and 40,000 participants.
For comparison, Black Hat has a stronger industry focus, featuring a huge vendor floor with impressive booths, presentations, sales personnel, and swag. The event includes keynotes, sessions, and premium training available for separate purchase. Black Hat hosts vendor-sponsored parties, and a ticket costs several thousand dollars (more with classes, less for limited-access passes). The main event spans two days, with classes commencing several days earlier. Black Hat centers on employee training and enterprise software sales. Many of the Black Hat sessions are repeated in some form at DEF CON.
DEF CON is more community oriented. One might consider Black Hat geared towards defenders and DEF CON catering more to attackers or penetration testers. The ticket price is around $600. While there are smaller sections for sponsors and vendors, the focus isn’t as heavily on enterprise solution sales. Attendees have the opportunity to purchase pen-testing tools, ranging from lockpicks to keyboard injection dongles. There’s a reduced emphasis on keynotes, with numerous large and small sessions. DEF CON stands out with its industry villages, offering smaller talks and hands-on activities. In addition, various contests, demos, and community parties are held. Attendees should expect to spend more on food and drinks, with fewer vendor-sponsored activities.
At Black Hat, business cards are exchanged, while at DEF CON, people share first names, stickers, aliases, and ‘war’ stories.
Black Hat USA 2023
Maria Markstedter, the founder of Azeria Labs, a German training company focused on IoT security, presented the opening keynote at Black Hat. She discussed potential future security challenges and AI’s opportunities. Notably, neither Maria nor Azeria could be found on LinkedIn. Several mentions of Microsoft garnered mixed reactions from the audience. Her main point was that AI will introduce new risks and opportunities.
The opening keynote at Black Hat also introduced DARPA’s new 2-year AI Cyber Challenge (AIxCC), with an information session later during both Black Hat and DEF CON. The challenge entails creating an AI solution to debug code in a capture-the-flag competition, aiming to find and fix vulnerabilities without human intervention using innovative AI approaches. Teams, both sponsored and self-funded, can participate, and up to 7 small businesses will receive $1 million each in funding. The first round is set for Black Hat USA 2024, followed by the semifinalist winner receiving $2 million and the final showdown at Black Hat 2025, where a $7 million prize will be divided among the top 3 finalists. This represents more than $18 million in support and prizes.
During an afternoon keynote discussion, Victor Zhora from the Ukrainian information protection service conversed with Jen Easterly, the US CISA director. The interaction highlighted Jen Easterly’s presence and garnered strong community support for Ukraine. Easterly was also available at the CISA booth for part of the event. The CISA booth primarily focused on recruiting and information sharing.
The final-day keynote featured Kemba Walden, the acting National Security Director. With a background as a former Microsoft cyber legal counsel and a Georgetown professor of Information Security Law, Walden delivered an engaging talk discussing the National Cybersecurity Plan, the National Cyber Workforce & Education Strategy, and other relevant topics.
- National Cybersecurity Strategy Implementation Plan (NCSIP)
- National Cyber Workforce and Education Strategy
During Black Hat, I had the opportunity to actively participate in the Microsoft booth, connecting with partners and numerous customers. This provided a platform to network with key figures at Microsoft in DART, MSRC, GBB, and more. The business floor facilitated discussions with both competitors and partners. Predictably, AI, machine learning, threat intelligence, SIEM, and XDR were recurrent themes in every booth conversation. It was intriguing to compare and contrast the various approaches in methodology and UI design. This mix included direct competitors, partners, and companies building on existing Microsoft solutions. Few truly stood out as unique. Many catered to niches where Microsoft had gaps or underserved capabilities and markets, encompassing areas such as API security, DevOps security, gathering and applying threat intelligence, network security, end-user focused solutions, managed service providers, honeypots, antivirus, SIEM/SOAR, and enhancements to Microsoft solutions. Several booths were geared towards recruiting, others showcased training solutions, and some aimed to raise awareness about different programs or groups.
During this event, I discovered and joined the Information Systems Security Association, and explored the possibility of establishing a new local chapter.
At Black Hat, my experience revolved around attending keynotes and engaging with the vendor floor. Here are a few additional highlights and insights:
- Discussed potential career paths with CISA, Los Alamos Labs, Splunk, AWS, and even Blue Cross of Tennessee to gain a better understanding of industry trajectories.
- Explored potential book publishing opportunities with O’Reilly and CRC Publishing.
- Engaged with various managed service providers to discuss strategies and staffing.
- Gained insights into competing solutions, including Splunk, Trellix, CrowdStrike, and more.
- Interacted with the ISC2 team and attended a member’s happy hour, where I met Black Hat college scholarship recipients.
- Participated in networking events hosted by Splunk, Akamai, and the Microsoft MSRC team.
- The Department of State showcased their bug bounty program, Rewards for Justice.
- Met Nicholas DiCola and a former Microsoft Sentinel developer at Zero Networks.
- Explored Hack The Box’s intriguing enterprise SOC and hunter training program and am planning to delve into the end-user options soon.
- Connected with attendees from Cisco, DuPont, Instagram, Equinix, among others.
- Listened to captivating stories from an individual with a lifelong relationship with Kevin Mitnick.
While Black Hat and DEF CON overlap on Thursday, this mostly involves registration and setup activities. This day is ideal for registering and obtaining early access merchandise without missing a significant portion of Black Hat’s events.
DEF CON 31
DEF CON doesn’t have an official keynote, but the main stage commenced with a compelling call to action from Alejandro Mayorkas, the Secretary of Homeland Security. He urged the cyber community to support government agencies, emphasizing the real-world consequences of online activities and encouraging participation through feedback, reporting, and bug bounty programs.
A panel discussion, including representatives from Microsoft, Google, DARPA, and others, focused on the DARPA AI Cyber Challenge announced at Black Hat (described above).
Dr. Craig Martell, the Chief AI Officer for the DoD and a Northeastern professor on Machine Learning, delivered a captivating talk on Machine Learning models. He emphasized the importance of improved data labeling, model effectiveness monitoring, responsible use of large data models, and addressing AI hallucinations. Dr. Martell encouraged cyber professionals to scrutinize large language models for vulnerabilities, introducing Project Lima, the DoD’s new Generative AI Task force and feedback gathering project.
Kemba Walden returned to DEF CON to reiterate the messages shared at Black Hat. Her presence and her staff’s presence were notable, with an appearance at one of the villages.
Jen Easterly from CISA also participated in a panel on “Secure by Design” and was interviewed by Scott Shapiro, the director of the Yale Cyber Security Lab.
One of DEF CON’s great aspects is the unique experience each attendee gains. With villages, contests, CTFs, demo rooms, vendors, and sessions, there are many paths to explore, from social activities to hands-on experiences, small and large talks, and more. At night, official parties, gatherings, and insider events enhance the experience.
Admittedly, my DEF CON experience revolved around larger sessions and official events this year. Following Black Hat, I had limited energy to attend sessions in other hotels where many smaller sessions and villages were held. Nonetheless, the sessions I did attend were educational and entertaining, often following a pattern of exposing an exploit, detailing the discovery process, providing a demo for proof, and explaining how to detect the attack. More often than not, references were made to CVE codes since the vulnerabilities exploited had already been patched. I found the insight into the process of identifying and reporting these vulnerabilities particularly enlightening. I eventually made it to the Red Team and Blue Team villages for a final roundtable on threat intelligence.
Regrettably, the Saturday night parties were unexpectedly cut short around 10 PM due to the discovery of a suspicious package, likely one of the tech devices brought for display. The response reflected the heightened security measures this year, including armed military-style personnel and uniformed security guards patrolling the halls.
Some notable sessions included the welcome session, which is great for first-time attendees and enjoyable for everyone else as well. DEF CON had over 25 villages covering various topics like voting, IoT, aerospace, car hacking, social engineering, red and blue teams, and more. A new addition this year was the AI Village. Additionally, there were around 30 social events or parties, catering to diverse interests.
Here is a summary of just a few talks that I found interesting:
Olivier Bilodeau and Andréanne Bergeron presented research on RDP attacks based on data from a honeypot system using RDP interception, highlighting the tools and methods used in attacks on RDP.
Omer Attias and Tomer Bar dissected a previously patched exploit in Windows Defender Antivirus that allowed them to deploy fake updates to mask IOCs and potentially have the AV delete legitimate files.
There were also engaging sessions by R. J. McDown on exploiting legacy services like Mailslots to compromise user logon sessions, even when they appear to be disabled.
David McGrew and his team demonstrated ways to identify weak digital certificate keys at scale using scans and certificate authority logs to derive corresponding private keys.
“Stok” delved into weaponizing plain text by injecting ANSI escape sequences to vandalize log files, causing log analysis tools to behave unexpectedly.
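As an added defensive illustration (my own example, not code from the talk or from this post): a small Python triage routine that flags log lines carrying ANSI escape or other control bytes and rewrites them so a terminal-based viewer prints the sequence instead of obeying it. The sample log lines are constructed; the user-agent field stands in for any attacker-controlled value that ends up in a log.

```python
import re

# Escape sequences that terminal-based log viewers act on:
#   CSI  ESC [ params final-byte     (cursor moves, colours, erase line)
#   OSC  ESC ] ... BEL or ESC \      (window title, terminal hyperlinks)
#   Fe   ESC + one byte              (e.g. ESC c = full terminal reset)
ANSI_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC terminated by BEL or ESC \
    r"|\x1b[@-Z\\-_]"                       # two-byte Fe sequences
)
# Remaining C0 control bytes (CR, BS, lone ESC, ...) can also rewrite what is
# already on screen; tab and newline are left alone.
C0_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")


def find_ansi(line):
    """Return the raw escape sequences embedded in one log line."""
    return ANSI_RE.findall(line)


def neutralize(line):
    """Make every control byte visible so a viewer prints it rather than executes it."""
    line = ANSI_RE.sub(lambda m: m.group(0).replace("\x1b", "\\x1b"), line)
    return C0_RE.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def triage(log_text):
    """Return (line_no, cleaned_line, sequences) for every line carrying control bytes."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        seqs = find_ansi(raw)
        if seqs or C0_RE.search(raw):
            findings.append((n, neutralize(raw), seqs))
    return findings


# Constructed sample: line 2 erases the current line, moves the cursor up and
# overprints a green "200 OK"; line 3 sets the terminal title and prints red text.
SAMPLE_LOG = (
    "2023-08-12T10:01:02Z GET /index.html 200 \"Mozilla/5.0\"\n"
    "2023-08-12T10:01:03Z GET /login 401 \"curl/8.1\x1b[2K\x1b[1A\x1b[32m200 OK\x1b[0m\"\n"
    "2023-08-12T10:01:04Z GET /admin 403 \"\x1b]0;owned\x07\x1b[1;31mALERT\"\n"
)

if __name__ == "__main__":
    for line_no, cleaned, seqs in triage(SAMPLE_LOG):
        print(f"line {line_no}: {len(seqs)} escape sequence(s) -> {cleaned}")
```

Run the cleaned output through the same viewer that displayed the raw log to confirm the rewritten lines render literally.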
Maxime Clementz showcased methods to bypass enforced or always-on VPN clients by tricking them into assuming they were on a safe network.
Ben Nassi illustrated how keys could be extracted from smart card LED lights (unfortunately, I was unable to attend this session).
Bill Demirkapi, a young member of Microsoft’s MSRC, delivered an educational talk on the susceptibility of partial digital certificate validation practices to forgery.
Dr. Nestori Syynimaa (Dr. Azure AD) provided insights into potential vulnerabilities in SharePoint and Teams, demonstrating the ability to alter file metadata with low privileges, such as renaming, changing creation dates, or author names. Although this finding remains unpatched, Microsoft is aware of the report.
Numerous other sessions took place that I wasn’t able to attend due to my focus on larger stages. There were many excellent talks in smaller village venues, along with various village activities like CTFs that garnered excitement. There’s truly so much to do and so little time.
Sessions related to widely-used services like Microsoft Azure, Windows, Android, and iOS attracted substantial attention.
Attendee Tips
For future attendees, be prepared for most transactions to be cash-only, including food and merchandise. Some vendors selling high-value items might accept credit cards. Packing your lunch, snacks, and drinks is advisable if you’re on a budget. You can conveniently purchase tickets for both Black Hat and DEF CON simultaneously. Collecting your DEF CON badge at Black Hat is a significant convenience. I recommend arriving early for registration on Thursday, grabbing your badge, and heading straight to the merch line for the best selection and shorter wait times.
If you’re attending both Black Hat and DEF CON, most of the sessions and events start on Friday, so Thursday’s overlap doesn’t lead to major missed opportunities. Many activities and events have initial lines, but you can usually join later if you’re willing to forgo some of the early swag offerings. For Black Hat vendor parties, register early and aim to arrive early for parties if possible. Unfortunately, many attendees have to miss the last day at DEF CON to head back home. While the sessions’ crowds are smaller, it appears that some of the best talks are scheduled for Friday and Saturday. The event remains enjoyable, and the closing ceremonies are typically entertaining. However, for many, the event winds down on Saturday.