Day-Con X Recap

Just a few days ago I had the pleasure of visiting Day-Con X. I listened to some great talks in the closed and public sessions. Since the first day was the security summit (closed session), I will just name a few titles with some brief words.

Captivating Security – Safety versus Passion (Josh More):
It was quite interesting to compare the IT world with zoos.

Beyond Embedded (Brittany Postnikoff):
Robots will be fun soon :).

The Mirai Botnet (Brian Butterly):
No need to describe the work of my colleague, since he already published details of his talk here.

The second day of Day-Con X started right away with the “Inaugural Women in IT Cyber Forum”, where my colleague Niki Vonderwell moderated a panel discussion on the current situation for women in STEM careers with Kate Kuehn from BT, Dr. Katherine Rogers Davis from the Information Trust Institute (ITI) at the University of Illinois at Urbana-Champaign, Brittany Postnikoff from Mathematics and Computer Science at the University of Waterloo, and Patricia Vendt, a former Information Security Officer for Computing and Telecommunications. After the panel, Angus kicked off the annual Packetwars battle. Five teams found each other in the Battle-Space, but in the end only one team (Don’t cry me an Onion) could prevail and received some juicy prizes.

The third and last day of Day-Con X featured the public sessions. Hence, I can describe some of the talks in more detail.

Keynote “You Can’t Update Hardware over the Air – Reflections on the Role of Hackers in an IoT World” (Enno Rey):

Since the theme of Day-Con X was “The Internet of Deadly Things”, the talk looked at the future of IoT and at how to approach vendors in order to keep their products secure for a lifetime.

He started his talk by giving a short prediction of how the future may look (e.g. smart houses) and of its pitfalls (if you move into a smart house, do you know all the devices in there?). Further, what will happen when the proofs of concept of IoT ransomware are exploited in the wild and you can’t get into your house before paying x amount of Bitcoin to $Account?

All those possibilities will challenge hackers in the future, and since
“Hackers know a bit about trust relationships” – Sergey Bratus
they can help in finding flaws in these devices, but they can’t manage patch and control management. This is where the industry needs to be educated to perform proper quality assurance.

He wrapped up his talk with the following points:
– Quality assurance
– Understanding of trust relationships
– Proper control mechanisms
– Education

Attacking Speaker Verification (Graeme Neilson):
In his talk he presented a proof of concept for attacking speaker verification with different attack vectors. He first dived into the history of “voice recognition”, followed by the first voice verification used by Apple in the late 90s. He then showed some common algorithms for “speaker verification”, like the Hidden Markov Model, and presented some tools to play with (SuperCollider, Festvox and Mage). Even though vendors apply spoof protections, Graeme could bypass them by fuzzing around on the voice file.

The conclusion of his talk was: “Biometrics are everywhere and they are especially vulnerable to replay attacks.”