Def Con 31

Las Vegas 2023

First time attending DEF CON. I had planned on going this year but forgot about it until my manager mentioned it. I was a bit burnt out from Hack Week and work in the weeks after. There was a budget for conventions/training so I took the offer. The main target was to bring back some knowledge from the Payments Village and support a friend giving a talk at the Recon Village about Ensemble.

I spent most of the time in the villages.

Payments Village

The talk was a review of magstripe credit cards and their history. It covered what goes into the Track1 and Track2 data, the Luhn Algorithm, and how you can see the encoding of the magstripe using ferrofluid. It would be a cool project to use Computer Vision to decode the track data visually. The track data is still relevant since this is what is stored in the EMV chip. Payment fraud in the US is higher than in other countries like the UK since chip and PIN is not enforced and the fallback is to magstripe. Carders can recreate the magstripe data and have a faulty EMV chip so that the reader will default to that mechanism. The CTF with the Android SoftPOS app was fun and I plan to do a write-up later.
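To make the Track2 layout, the Luhn check and the fallback risk concrete, here is an added example (not from the talk or the CTF) that parses a Track 2 record and flags a chip-capable card that was read from the magstripe. The `entry_mode` field and its values are hypothetical, and the sample tracks are constructed from the public test PAN 4111111111111111.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, discretionary data, ?
TRACK2 = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})(\d*)\?")

# Constructed samples (not real cards), built on the public test PAN.
SAMPLE_CHIP = ";4111111111111111=30122010000000000?"         # service code 201
SAMPLE_STRIPE_ONLY = ";4111111111111111=30121010000000000?"  # service code 101

def luhn_ok(pan: str) -> bool:
    """Luhn check: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def parse_track2(raw: str) -> dict:
    m = TRACK2.match(raw)
    if not m:
        raise ValueError("not a Track 2 record")
    pan, expiry, service_code, _discretionary = m.groups()
    return {
        # Mask the PAN so the parsed record is safe to log.
        "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
        "luhn_ok": luhn_ok(pan),
        "expiry_yymm": expiry,
        "service_code": service_code,
        # First service-code digit 2 or 6 means the card carries a chip.
        "chip_card": service_code[0] in "26",
    }

def flag_fallback(raw: str, entry_mode: str) -> str:
    """entry_mode is a hypothetical terminal field: 'chip', 'swipe' or 'fallback'."""
    card = parse_track2(raw)
    if not card["luhn_ok"]:
        return "reject: PAN fails Luhn check"
    if card["chip_card"] and entry_mode != "chip":
        return "review: chip card read from magstripe"
    return "ok"

if __name__ == "__main__":
    print(parse_track2(SAMPLE_CHIP))
    print(flag_fallback(SAMPLE_CHIP, "fallback"))
```
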

Lock Pick Village

Was cool to see and try. Got myself a starter lock-picking kit from Sparrow Lockpicks.

Social Engineering Village

The Social Engineering Village had some interesting vishing and the competition was great to watch.

Red Team Village

Was able to catch some of Jason Haddix's latest talk on recon and bug bounty. You can watch some of his past talks on YouTube.

Recon Village

There were a couple of interesting talks related to Police oversight through Police Radio by @sally_yachts, as well as Anthony Russell's talk on Bypassing Geo DNS with Ensemble. I plan on contributing to this tool.

Application Security Village

It was great watching Ken Pyle talk about pwning ScreenConnect and how he did it at the AppSec Village.

Physical Security Village

Was good to see talks about accessing buildings through the apartment buzzers, elevators, cabinets, gates, etc. using default keys anyone can purchase. Also saw RFID replay, where a chip on the actual reader allows your magic RFID card to replay the previous swipe. Tailgate and swipe if caught, NBD. I opted not to have an RFID chip installed in my hand.

Ham Radio and Radio Frequency Village

I want to get more into RF. Wish I had a directional antenna for the Fox Hunt.

Car Hacking Village

The Car Hacking Village had some good talks.

Aerospace Village

I missed the Hack-a-Sat challenge at the Aerospace Village.

Password Cracking Village

I wanted to participate in the password-cracking challenge at the Password Village using more than Hashtopolis. Possibly using a Spark cluster that had GPUs. Potentially a future project.

Lonely Hackers Club and SubReddit

It was good connecting with 70+ people from all backgrounds from the LHC and the r/defcon subreddit. There was always something going on from group rides to the Omega Mart to filling up the High Roller with hackers. Shout out to @p0ns for the cool SAO.

The daily routine was to wake up around 8 AM, walk over to the village talks until 5 PM, grab dinner with people, and head out to the official and private parties. Stay up until 1-2 AM, then rinse and repeat. Averaging about 27k steps per day. Wish I had booked at the Horseshoe, which was closer, instead of saving money elsewhere.

There was an evacuation on Saturday night, as we were getting Korean BBQ, due to a suspicious package. If there were suspicious packages to be found, it would be DEFCON. Safety first, which was fine as there were private parties that made up for the Forum evacuation.

Shenanigans

Some kiosks were set to install mode and others were in admin mode. Some digital slot machines with BSOD. Who is to say...

Darknet Diaries

Was cool to see Jack Rhysider at the pool party. His episode on Plaid Parliament of Pwning does a good job describing DEFCON.

Ending Keynote

Was interesting to hear about all the shenanigans that occurred during the convention and what it takes to run things. Remembering those we lost over the last couple of years during Covid as well as the late Kevin Mitnick.

People were upset with the "paper" badge fiasco, but it got worked out. Lots of things to look into. Too many things to participate in, from CTFs to the Badge challenge. Hard to keep up on Discord and Telegram. Had a great time meeting and learning from everyone.

More pictures here.

Update 09-16-2023:

MGM and Caesars have been hacked and ransomware was installed, supposedly by Scattered Spider, seemingly through social engineering. Things will only get worse with deep audio fakes, voice cloning, and generative AI technologies that would allow for automated and convincing spear phishing like w0rmGPT. Other properties were hit, not just in Vegas.

MGM Aria slot machines hack

https://twitter.com/i/status/1701310137745678488

https://twitter.com/LasVegasLocally/status/1701269221735608446

https://www.wired.com/story/mgm-ceasars-hack-ransomware/