It’s that time of year again: Black Hat and Defcon are upon us! That means your systems are all in danger, and your applications should be afraid. Not only will there be (and has already been) an endless stream of new exploits dropped at the shows, but the weekend of Defcon is, effectively, open season on the Internet.
If you’ve never been to Defcon, it hosts a bevy of black leather-clad goth types at a Vegas hotel, all of them attempting to climb the unseen ladder that is the “scene.” Black Hat, on the other hand, hosts a crowd of collared shirt-wearing security professionals, all of them attempting to climb the unseen corporate ladder.
Thing is, whether you’re a pro or a teenager in a basement, the best way to climb either of these ladders is to produce exploits. Thus the summertime, right as August meets July, is a period when exploit releases peak. For Black Hat types, this typically comes in conjunction with a major talk at the show. For Defcon folks, the really good exploits tend to come out during Capture the Flag.
Digital Capture the Flag involves breaking into a system and pulling out some specific files. CTF at Defcon is a real hoot, and can involve all manner of systems, both new and old. Sometimes phone systems have been involved. In some of the very early years, the organizers of the show learned quickly that the CTF routers were also fair game, according to participants.
Additionally, Defcon features a large hall where visitors often set up their laptops so they can go crazy, both on the Internet and on the intranet. If there were ever a time and place from which you could attack a server and never be found, it’s Defcon. It’s the equivalent of pickpocketing in a busy subway, or shooting someone at a gun show: The culprit vanishes into a sea of potential culprits.
That is, if the Internet is even working at the show. With all those hackers in one place, you can imagine the mess they make of the wireless.
As we are very near these twin shows of hacking, the exploits are already coming out. This month we’ve already got a QEMU heap overflow and Jduck’s Stagefright exploit, which promises to compromise 95% of Android phones through a texted image file that needn’t even be opened to take over the device.
And this is the world we now live in: Security exploits are having release parties. Check out Zimperium zLabs’ blog entry on Jduck’s exploit. It’s teasing a full reveal of the Android bug at Black Hat while advertising the corporate party for the show! Things have indeed changed from the days when releasing an exploit was done so that the defenders could patch and everyone could be safer. These days, exploits are your resume.
So be prepared to patch up, folks. In two weeks, this will all be over, and the bad guys will have a lot of new ammunition. Be prepared!