DEF CON was awesome. I had a somewhat negative outlook going in. Everyone complains about crowds and not being able to get into talks. I assumed DEF CON was going to be like Black Hat, where I’d have trouble meeting people. None of that ended up being true.
To keep costs down, I registered on the forums and found people to crash with. It worked out great. I’d do it again. My regret is that I didn’t have time to participate in any of the activities. I didn’t go to Toxic BBQ, DEF CON Shoot, Hacker Jeopardy, etc. I need to go to some of that stuff next year. I only participated in Blood Kode besides going to talks.
The top two talks I attended were “BYO-Disaster: Corporate Wireless Still Sucks” by James Snodgrass and Josh Hoover, and “DNS May Be Hazardous To Your Health” by Robert Stucke. There were plenty of great talks, but those were the best for me.
The BYOD talk covered a range of exploits to get a mobile device to think it is connected to a corporate network. From there, the rogue access point hits the user with a prompt and the user is guaranteed to enter their credentials. The technical exploits were interesting and the social engineering was impressive. In short, mobile devices will accept an authentication success from a wireless network even if no authentication attempt had been made. In my opinion, most users probably wouldn’t even check their wireless settings. Those that do (like me) would probably just assume it was a proxy glitch or something and enter their credentials at the prompt.
The second talk, on DNS, was amazing all around. The presenter had a couple of crazy DNS tricks. First, Robert covered DNS bit-flipping: he registered domains that were off by a single bit from a target and captured traffic. In his study, Google was the target and he managed to capture some traffic. I couldn’t find any indication of this in my environment, though. Given the industrial nature of it, I was rather surprised. The second part of his DNS study was registering improperly resolved network object names. For instance, a machine trying to find wpad for proxy settings should ask for wpad.domain.com. An improperly configured machine may continue up the chain and ask for wpad.com. His example organization was Accenture. I can confirm that. The final DNS game was registering old command and control servers to see if the botnets were still active. He found the botnets were still active and speculates that an attacker could register the old domains to gain control of the botnets.
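To turn the bit-flipping idea into a defensive check, here is an added example (my own code, not from Robert’s talk) that enumerates the one-bit variants of a domain you own and flags DNS query log lines that fall under any of them; the log line format and the sample lines are constructed.

```python
"""Enumerate single-bit-flip (bitsquat) variants of a domain you own and flag
DNS query log lines that hit them. Added example, not code from the talk."""
import string

HOST_CHARS = set(string.ascii_lowercase + string.digits + "-")

def _valid_label(label: str) -> bool:
    # Letters, digits and hyphen only; no empty label, no edge hyphen.
    return (bool(label) and set(label) <= HOST_CHARS
            and not label.startswith("-") and not label.endswith("-"))

def bit_flip_variants(domain: str, keep_tld: bool = True) -> set[str]:
    """Hostnames differing from `domain` by one flipped bit in a label
    character. Dots are not flipped; case-only flips are folded away (DNS is
    case-insensitive); invalid labels are dropped; keep_tld leaves the last
    label alone, since a flipped TLD lands in another registry or none."""
    labels = domain.lower().split(".")
    variants = set()
    for li, label in enumerate(labels[:-1] if keep_tld else labels):
        for ci, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit)).lower()
                new_label = label[:ci] + flipped + label[ci + 1:]
                if flipped != ch and _valid_label(new_label):
                    variants.add(".".join(labels[:li] + [new_label] + labels[li + 1:]))
    return variants

def flag_queries(log_lines, watched):
    """(qname, watched_domain) pairs for constructed log lines of the form
    '<timestamp> <client> <qname>' where qname is, or sits under, a one-bit
    variant of a watched domain."""
    lookup = {v: d for d in watched for v in bit_flip_variants(d)}
    hits = []
    for line in log_lines:
        qname = line.split()[-1].rstrip(".").lower()
        parts = qname.split(".")
        for i in range(len(parts)):  # walk up: mail.googld.com -> googld.com
            parent = ".".join(parts[i:])
            if parent in lookup:
                hits.append((qname, lookup[parent]))
                break
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2013-08-04T10:00:01 10.1.2.3 www.google.com.",
    "2013-08-04T10:00:02 10.1.2.4 mail.googld.com.",  # 'e' -> 'd' is one bit
    "2013-08-04T10:00:03 10.1.2.5 gogle.com.",        # typo, not a bit flip
]
```

Running `flag_queries(SAMPLE_LOG, ["google.com"])` flags only the `mail.googld.com` query; a plain typo like `gogle.com` is not a bit flip and passes through.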