Key takeaways and cybersecurity stories from DefCamp ‘19
by Cristian Dima
This year’s DefCamp brought together more than 60 speakers and around 2,000 participants for over two days of everything security. With three speaker tracks, a Capture the Flag competition, and multiple interactive stands that let people hack anything from basic social engineering to car steering systems, the event was a great opportunity to take a deep dive into the latest trends and best practices in cybersecurity.
The overall experience proved to be both lively and enlightening. We had fun finding security flaws in door locks, and we even let one of the speakers hack into our Logitech computer mice. We listened to cyber-attack and cyber-blackmail stories that sounded more like Hollywood scripts than real-life incidents, and we learned that even notable people use “password” as a password. And although we enjoyed demos of some state-of-the-art hacks on modern devices, the recurrent theme across the entire conference was the classical idea that security is in fact about people, awareness, and protocols, more than it is about clever hacks.
As we’re nearing 2020, the easiest way to get into a system is still by finding vulnerable, untrained, and unaware human operators. Below are a few examples of practices that still cause a lot of trouble in terms of cybersecurity:
- weak passwords
- lack of two-factor authentication (2FA)
- unencrypted communications (HTTP)
- sensitive or personal information shared on social media
One of the most captivating stories was about how a hacker broke into the email accounts of a group of Middle-Eastern embassy officials in Europe. The cyber-attacker tried to extort money out of the diplomats’ accounts, as well as make bomb threats and stir diplomatic conflicts between Saudi Arabia and Qatar. The hacker simply guessed one official’s 6-character password (count to 6 and you’ll guess it too).
Another speaker talked about how he breaks into office buildings and gains physical access to sensitive equipment for a living. To accomplish this, he uses basic social engineering techniques, but also information posted on social media by the employees of the targeted companies. One time, he managed to print his own company access badge, using only the social media pictures he found of employees wearing them. He used further public information to appear knowledgeable and seem like an insider.
None of these attacks is particularly technical, but they still work very well in this day and age. To keep oneself and a company protected, proper awareness training about cyber threats and established internal security protocols are mandatory. Some useful tactics to deny access to sensitive information include enabling 2FA and instructing personnel on how publicly shared information can be used against them and the company they work for. On top of all this, security protocols should be updated and tested periodically to spot potential breaches and plan future improvements. For example, a company could craft an internal phishing email and analyze how many clicks it gets. The results might be shocking.
On the more technical side of cybersecurity, avoiding a click on the link from a phishing email is good, but what about that email server you run? Your best bet here is to keep your software and hardware up to date. This has been a recurrent idea across all talks. Most cyber attackers prey on poorly maintained software or inadequate hardware.
We heard multiple speakers talk about home-grade routers with default passwords being used for industrial communications and remote control. And while that software upgrade you’ve been postponing for a while might seem expensive and of little immediate benefit, it is always better to be safe than sorry. There are both white and black hat hackers out there who work full time on zero-day exploits, yet plenty of sensitive systems run software that’s way past its support expiration date.
At Tremend, we spend a lot of time keeping up to date with the latest tech trends in general, and security best practices in particular, to ensure the systems we work with are up to date, performant, and protected from recent vulnerabilities. DefCamp was another great opportunity to do so, and it’s been very enlightening taking in all the different perspectives, ideas, and trends that are at work today in the field of security research.