BSides & DEF CON Las Vegas 2024: A Recap
Playing another round of “Galaga,” “Donkey Kong,” or “Space Invaders?” Think again! Discover the top moments from BSides and DEF CON Las Vegas!
Every August, security professionals across the country get together in Las Vegas for a series of security conferences, colloquially known as the Hacker Summer Camp. This annual gathering sees thousands of security professionals and enthusiasts flocking to events like Black Hat USA, which alone attracts around 20,000 attendees.
Beyond the much-anticipated Black Hat, this year's BSides Las Vegas and DEF CON 32 stood out for several talks and presentations. Let's take a look at some of the critical themes, major revelations, and key takeaways from these events.
BSides Las Vegas: Community-driven security
BSides Las Vegas, the more intimate counterpart to Black Hat and DEF CON, is renowned for its community-driven approach. As the unofficial start of the Hacker Summer Camp, BSides fosters a close-knit atmosphere where new voices and unconventional ideas often take center stage. This year, the conference highlighted several emerging threats and practical techniques that are shaping the future of cybersecurity.
AI and synthetic media threats
One of the standout themes at BSides this year was the growing concern over AI-generated content and synthetic media. As AI technology advances, the line between reality and digital manipulation is increasingly blurred. Talks such as “AI in the Human Loop: GenAI in Security Service Delivery” by Preeti Ravindra and “And What If It Was Hacked? Tactics and Impacts of Adversarial Machine Learning” by Larissa Fonseca examined the evolving tactics used by threat actors and their implications for data integrity and trust. These sessions offered insights for countering AI-driven attacks and addressing the pervasive issue of deepfakes.
Hacking arcades for fun
In a nostalgic nod to classic arcade games, Argentinian hacker Ignacio Navarro showcased vulnerabilities in cashless arcade-payment systems that are used worldwide, including in Las Vegas. In his talk, “Insert coin: Hacking arcades for fun,” Navarro demonstrated critical flaws related to API security, access control, and NFC technology. His findings highlight the need for robust security measures even in seemingly trivial, “everyday” systems.
Passwords are dying
The shift toward passwordless authentication is revolutionizing security, but it comes with challenges. Aldo Salas from HYPR examined the hurdles of account recovery and identity verification in a world moving away from passwords. In his talk, “We removed passwords, now what?” Salas discussed the complexities that arise as we increasingly rely on passkeys, security keys, and FIDO2 standards. This underscores the need for innovative solutions to the security and recovery challenges that come with this transition.
DEF CON 32: Hackers and unfixable bugs
DEF CON 32 showcased 104 talks, 29 workshops, and 32 hacker villages, including Aerospace, Voting, and Hardware Hacking. A key highlight was the Artificial Intelligence Cyber Challenge (AIxCC), hosted by DARPA, which enters its semifinal phase this year. Participants are working to develop AI solutions for critical cybersecurity issues, with a $4 million prize to be awarded next year at DEF CON 2025.
“Unfixable” malware bugs in the browser
SquareX’s much-anticipated talk, “Breaking Secure Web Gateways (SWG) for Fun and Profit,” unveiled a fundamental vulnerability in SWGs that exposes businesses to “last mile reassembly” attacks. In these attacks, the malicious components are assembled directly in the victim’s browser from data that looks benign to the gateway. The team identified a staggering 25 different bypasses of SWG protections from major solution providers — each capable of infecting the target device via any popular web browser. What’s worse, this vulnerability is not an oversight or something that can be patched with a software update.
Unique villages at DEF CON 32
DEF CON 32 is distinguished by its unique hacking villages, which are specialized areas dedicated to exploring specific aspects of cybersecurity. These villages offer attendees immersive experiences and hands-on learning opportunities in various niche fields. A few examples include:
- Lockpicking Village: A hub for enthusiasts and participants interested in physical security. Attendees learned the intricacies of lockpicking — a critical skill for understanding and testing physical security systems and gaining insights into methods for improving physical security.
- Biohacking Village: This village focused on the intersection of cybersecurity and biology, exploring challenges in medical devices and biological systems. It offered hands-on sessions on biological hacking techniques.
- Car Hacking Village: Automotive cybersecurity enthusiasts explored the complexities of securing modern vehicles, car hacking techniques, vehicle communication protocols, and strategies to protect against automotive cyber threats.
Major takeaways for businesses
Businesses need to proactively address emerging threats and refine their security strategies. Here are some key takeaways from BSides and DEF CON 32 that every organization should consider.
- Vigilance on AI and synthetic media: With the advancement of AI, businesses need to be on high alert for AI-driven attacks. Implement robust verification processes and countermeasures against deepfakes and adversarial machine learning to safeguard your organization.
- Strengthen “everyday” systems: Recent revelations about vulnerabilities in arcade payment systems highlight a critical need for enhanced security across all digital transaction platforms. Review and fortify your payment systems against potential API and NFC flaws to shield your business from exploitation.
- Invest in specialized security training: The hacking villages at DEF CON 32, such as the Lockpicking, Biohacking, and Car Hacking Villages, demonstrate the importance of specialized training in emerging cybersecurity areas. Businesses need to invest in targeted security training to stay ahead of evolving threats throughout different industries and “everyday” systems.
Stay on top of cyber trends
At BSides, we saw eye-opening discussions on AI-driven threats and vulnerabilities in arcade payment systems, making it clear that even fun tech needs serious security. Meanwhile, DEF CON 32, now in a new venue, impressed with its deep dives into web gateway flaws, the exciting DARPA AI Cyber Challenge, and interesting hacking villages.
Didn’t attend Black Hat? Read our team’s full recap and key takeaways from Black Hat 2024.