DEF CON 2021: Deobfuscating the security industry with constructive discussion
After a pandemic-induced hiatus, DEF CON returned for a hybrid in-person and virtual event this August in Las Vegas. The theme? "Can't Stop the Signal," a fist-pumping message to the world that passionate people are still hard at work keeping our networks and computers secure.
The strength of the message was well-received at the world's largest security conference with 45,000 cybersecurity and IT enthusiasts joining the conversation. There were 10,000 in-person attendees with the rest participating virtually. My personal expectation for the hybrid event was that it would be treated as two conferences running at the same time, and in some ways that expectation was met.
Despite the feeling of two separate conferences, DEF CON was able to enhance the hybrid event experience and successfully facilitate collaboration between the virtual and in-person attendees. People had the opportunity to video conference into the debates, discussions, and presentations to express their points and/or respond to questions from other attendees.
In terms of the presentations, both the in-person and the virtual ones were quite good. You can watch the talks on YouTube.
Hardening system security but softening discussions at DEF CON 2021
As in previous years, the conference sessions included the old favorites: topically focused talks called "villages," technical presentations, and new tool releases. But this year DEF CON added "soft talks," a new focus on the humanistic side of security such as laws, regulations, best practices, and ethics, exploring questions like:
- Who should be held accountable for the loss of an individual’s data other than the attacker?
- What are the ethics of designing deliberate weaknesses in a system's encryption so that law enforcement can collect evidence from an encrypted device?
- Should pacemakers be allowed to have a Bluetooth connection?
Soft talks have always had a place in DEF CON discourse, but there was a concerted push, especially by I Am The Cavalry, to open discussions and share the collective knowledge of the security community with policy makers at all levels. The push was apparent this year, with several speaking track rooms set aside specifically for hybrid policy discussions. This year did not stop at soft talks, however, as experts weighed in on pressing issues for the industry as a whole.
Data privacy and knowing when sharing is caring
Taking the main stage was Cory Doctorow, an author and special advisor to the Electronic Frontier Foundation, who gave his take on the motivations large companies have for data collection and how data interoperability between online services would benefit customers.
His talk centered around Privacy Without Monopoly: Data Protection and Interoperability, a paper he co-wrote with Bennett Cyphers. Doctorow discussed some of the concepts within the paper, such as competitive compatibility, and he shared new ideas and methods of interoperability: 1) data portability, allowing users to access and transfer data held by companies; 2) back-end interoperability, mandating that companies with a large market presence maintain interfaces that allow fluid interaction between different services; and 3) delegability, mandating the creation of interfaces that allow third-party software to act on users' behalf.
The problems of corporate concentration and privacy on the Internet are inextricably linked. We believe that a new regime of interoperability can revitalize competition, encourage innovation, and give users more self-determination in their digital lives. It’s natural to imagine that new, legally protected or legally mandated data flows will lead to new privacy and security risks. But as we’ve shown, those risks are not as grave as they might first appear, and they can be mitigated. A more interoperable Internet can and should be a more private one.
Privacy Without Monopoly: Data Protection and Interoperability
It's a humbling and engaging talk that considers both sides, and I highly recommend watching the recording, in which he explains his new concept of competitive compatibility (coined "ComCom") and each of the methods of interoperability he proposes in the above paper.
Cybersecurity in healthcare: measures to seek prevention before cure
Security in the healthcare industry was one of the talk tracks at DEF CON 2021. While I wasn't able to attend the presentations, I am certain that security professionals defending our healthcare systems gleaned new insights into this challenging environment. Attacks have increased for five consecutive years and jumped 42% in 2020, but it's been challenging for security to make serious inroads into changing the behavior and requirements of healthcare institutions. HIPAA protects against insider and known threats but does little to impose concrete security requirements or best practices on healthcare institutions. It's a hard line to find between the added cost, training, and staff on one side and the effort to prevent large-scale attacks that risk patient lives on the other.
Healthcare policy talks occurred away from the main stage, and either weren't recorded or haven't been uploaded yet. While not an official DEF CON resource, you can find information on this from the U.S. Department of Health and Human Services, which includes talks on subjects like building resilient infrastructures. They feature incident reports and even a full retrospective look at cybersecurity for the healthcare industry in 2020.
Locking down the smart home with home router security
In the realm of technical talks, one talk by Chad Seaman was especially relevant to home router technology, as it goes through known vulnerabilities relating to SSDP and UPnP, which are well known for being problematic and affecting millions of home devices. He then shared his experience, the research behind his project, and what led him to release an open-source tool to facilitate testing for these vulnerabilities, which can be found in this GitHub repository.
The past two years have been an intense run for anyone working in the security industry. There has been a dramatic rise in both the sophistication and prevalence of ransomware attacks. Attackers have gained capabilities, such as targeted supply chain attacks, that were previously believed to be within reach only of nation states, yet these now seem to take place much more frequently. Continuing to work together as an industry is vital to staying protected, and witnessing that collaboration in action at DEF CON is inspiring.