A First Timer’s Guide to Hacker Summer Camp
Labor Day weekend is fast approaching and summer is coming to an end. What better way to fully embrace that reality than by spending the last bit of summer in a 115-degree Fahrenheit desert? I spent an entire week in fabulous Las Vegas and attended three of the four cybersecurity conferences open to the public. It was the best way to stay cool, learn the latest in the industry, share ideas, and level up as a hacker.
DEF CON
This conference is worthy of its own guide; it was the most technical of the conferences during the week, and there was so much to learn. I took the first day to just walk the entire convention center and get my bearings. 35 Villages ranged from traditional topics like social engineering, Industry Control Systems (ICS), and AppSec to car hacking and aerospace. One of my favorite Villages to visit was the Tamper-Evident Village, where I got the chance to move a seal off of a cardboard box, extract what was inside, and reseal it without any evidence the box had been tampered with.
The hottest topic discussed this year by far was the bug bounty debate. A bug bounty program enlists the help of hackers to find vulnerabilities within their software, platform, or infrastructure. If a hacker finds any vulnerabilities that the company deems critical, they will pay the hacker for their discovery. Some companies underestimate how many vulnerabilities they have and how much it costs to run a bug bounty program, and there have even been cases of organizations receiving notice of their vulnerability and addressing it without compensating the hacker who notified them at all. On the flip side, there are cases where bounty hunters will find a vulnerability from one company that impacts many others and walk the line of extortion when offering this vulnerability and the information behind it to these organizations.
I had the opportunity to attend three sessions that took different looks at this topic, but each session showed that companies and organizations have a lot of work to do; both in the protection of their organization and customers from online threats and in the execution of a bug bounty program that properly incentivizes an effective response by participating hackers in a way that won’t blow their entire budget in two days.
- Hunters and Gatherers: The Realities of Bug Bounty Life – This panel by Logan MacLaren, Jeffrey Guerra, Johnathan Kuskos, Katie Noble, and Sam Erb, was a breath of fresh air. How many times have you attended a panel and the panelists either all agree with each other or overcompensate their disagreements by adding disrespect to their fellow panelists? Bug bounties are a debate and this panel left no subject and the opposing perspectives on each within that debate untouched; be it bounty farming, lowballing, and the politics behind getting paid for your discovery. This session was great as it offered the perspective of bug hunters, clients, and intermediaries. Each panelist had been two of the three at one point in their career; which added a lot of volume to the discussion.
- The Dark Side of Bug Bounty – Jason Haddix gave an incredible, standing room only, presentation that went deep into the politics of bug bounties. As a top 100 recognized bounty hunter in the world, Jason gave incredible insight into his experiences in breaking the barriers currently set in the bug bounty landscape, some of the top tricks companies will use to discover vulnerabilities for as little as possible, and how bounty hunters who know they’ve made a valuable discovery can better their chances at getting paid what it’s worth.
- AWS CloudQuarry – Digging for secrets in public AMIs: This session by Eduard Agavriloae and Matei Josephs kicked off the last day for DEF CON talk track 2 and while it wasn’t primarily focused on bug bounties, the panelists discussed that they found vulnerabilities in over 200 large organizations that were being hosted on AWS and could even make money transfers and other financial transactions. When they presented these companies with these discoveries not a single one was willing to pay for the bounty and many didn’t bother to ever even fix the vulnerability.
See all of the Bug Bounty presentations on the Bug Bounty Village website.
In addition to the Bug Bounty conversation, there were plenty of other incredible talks that focused on Blue Teaming, TTPs, and even war stories into notorious threat actor groups.
- Behind Enemy Lines: Going undercover to breach the LockBit Ransomware Operation – Jon DiMaggio gave an unreal presentation on his two year journey on the inside of the LockBit Ransomware gang and their leader, LockbitSupp. This talk not only provided great insight into the inner workings of the people behind this crime syndicate, but also gave a look into the most common TTPs used by the group and how to defend and respond against them.
- The XZ Backdoor Story: The Undercover Operation That Set the Internet on Fire – This presentation by Thomas Roccia offered an in-depth look into the discovery of a backdoor in upstream xz/liblzma with the capabilities of compromising SSH servers. This talk gave a great look into their operation and the questions that still remain to be answered.
- Thrunting or DEATH! (A BTV Panel): Of course we had to reconnect with former DTer, Joe Slowik! Joe joined a panel of threat hunting practitioners including Randy Pargman, th3CyF0x, Sydney Marrone, and Ryan Chapman to discuss what threat hunting really is and if it should be called Thrunting or DEATH. Lots of spicy takes were had!
The Diana Initiative
This was the one event I did not get the chance to attend, but I would be remiss if I did not spotlight the conference that kicked off the entire week. This year’s conference featured insights into how current application security efforts stack up against the new advancements in GenAI in Balachandra Shanabhag’s “Modern Appsec vs. GenAI Application: Is Your Appsec Ready?” and some great tactics in the fight against state sponsored threats in Clarissa Bury and Nivu Jejurikar’s “CTI Saves the World: Using Threat Profiles to Defend Against Geopolitically Motivated Adversaries”
TDI and their team do a fantastic job at supporting women in pursuit of careers in information security, as well as shaping workplace cultures to be more supportive of diversity. DomainTools is proud to support the Diana Initiative year round in their Student Scholarship program which helps students experience all of the learning and career development that this event, Black Hat, and the others part of hacker summer camp bring without having to worry about the cost of food, travel, and lodging. Help support by donating or signing up to volunteer on their website.
BSides Las Vegas
My week kicked off Tuesday at BSides Las Vegas. As one of the largest BSides events in the country, this conference had talks on every niche of cybersecurity you could think of, with arcades and activities like the Lockpicking Village all happening in the same room. This was a great introduction to the fun yet chaotic week that would follow. Everything was pretty much in one place, there were ample amounts of volunteers ready to lend a helping hand, and the sessions were incredible. BSides encourages you to ask questions and talk to the session speakers. This is huge for idea sharing and getting the most out of every talk you attend. One of the highlights for me was attending “Email Detection Engineering and Threat Hunting” from Josh Kamdjou. This session did an excellent job of walking through the evolution of email-based threats, how LLMs are aiding malicious actors and even state-sponsored threats to deliver more sophisticated offenses and threat detection rules that could be put in place to thwart these attacks.
If this kind of conference sounds interesting to you, come visit the DomainTools booth on September 7 at BSides NOVA.
Black Hat
I thought I knew what I got myself into with Black Hat, having attended RSAC before, but this conference was an entirely different beast. RSAC may have been just as large of a conference, but the event space was split into two rooms, and the talks were also fairly spread out. At Black Hat, EVERYTHING took place in the southern convention area of Mandalay Bay. All those people, all those talks, in the same section of the same building, at the same time. The benefit of this was it being much easier to go from place to place, and you were almost guaranteed to run into someone you knew or someone trying to revolutionize the way your SOC handles Zero Trust with their AI-powered solution.
These circumstances made it difficult to get a bite to eat or an invite to a post-conference happy hour or party. Arriving and leaving the same area at the same time has its challenges, so if next year is your first time attending Black Hat, make sure you allow enough time to get to the venue and try to leave either earlier than the last session or be prepared to wait the evening out at the Mandalay Bay. Having everything in one place, however, was great for building connections and allowing enough time to pop in between the sessions and the exhibit floor. It also allowed for sessions on the exhibit floor! Our very own Andrew Bukta had the opportunity to present at the Infoblox booth on the importance of DNS as not just a component but as the backbone of the network.
There were too many great official sessions to count, many of which will be recorded, and we highly recommend checking them out when they are published. Here were some of my favorites:
- From Exploits to Forensics Evidence – Unraveling the Unitronics Attack
- Project Zero: Ten Years of ‘Make 0-Day Hard’
- That Gambling Site? It’s Fueled by Chinese Organized Crime
- Let the Cache Cache and Let the WebAssembly Assemble: Knockin’ on Chrome’s Shell
- Behind Enemy Lines: Engaging and Disrupting Ransomware Web Panels
- The Tale of Two ASMs: EASM + CAASM
- Demystifying Cloud Pentesting: Anatomy of an Attack
- The SEXi Threat: How to Protect ESXi from Ransomware
Our Breaking Badness Cybersecurity Podcast also hosted 16 interviews that will each be featured in special edition episodes. Stay tuned on our podcast archives and subscribe to us on iTunes, Soundcloud, and Spotify. In the spirit of listening, we also had a rock and roll themed booth and gave away Zero Day shirts, a play on the band Green Day. If you missed a chance to grab yours, comment “Rock On” on the post below and we’ll send you one.
Learnings: Dos and Don’ts for Your First Hacker Summer Camp
- Don’t pack out your entire schedule: It is incredibly important to leave time for attending sessions, getting to and from each location, and taking brain breaks to recharge and bring your best self to the responsibilities you have lined up for the week.
- Do drink water:
This sign from DEF CON sums it up. Hacker summer camp takes place at the hottest time of the year. If you’re like me coming from some humid part of the East Coast thinking their 115 degree heat has nothing on your 90 degree humidity, you’re not as right as you think. One thing about dry heat is that it is DRY! Dehydration is so easy with all of that walking and not a drop of water in the air. Bring a nice refillable bottle and drink water aggressively, if you forget to bring a water bottle there are hundreds of vendors at any given conference ready to give some away. - Don’t act like you know everything: These conferences will humble you quickly. There are so many dedicated experts within every facet of the infosec community and their BS meter is on the highest of alerts. Whether you’re coming to hacker summer camp to promote your organization or a discovery you made, treat everyone you come across with respect and if you’re asked a question you’re unsure the answer of, be ok with saying that you don’t know. Those I’ve seen criticized the most are the ones that act like they have all the answers. Embrace what you don’t know and you’ll be welcomed for being real.
- Do ask questions: Do not be intimidated by all of the smart people out there. If you’re new to infosec, most of the experts you see were once in your place and are more than happy to mentor you or point you in the right direction. Be curious and do your research first, but ask questions as it helps others be more comfortable asking questions, and that’s an excellent culture to encourage. You have something to offer and whatever skill you’ve built up most likely can contribute to a niche in cybersecurity that’s begging to find more people like you. As you’re learning about cybersecurity, share what you’re learning with the world in the medium that best suits you. Leverage your newcomer status to bring your excitement and even your fears, offering a fresh perspective to a community eager for outside attention.
- Don’t give strangers your phone or any information you wouldn’t want public: Hacker summer camp has hackers, it’s great to meet new people and make friends but least privilege principles apply in real life too. While I found the hacker and infosec community to be incredibly helpful and friendly this week, you can’t trust everyone. Social engineering is as big of a pastime for these attendees as blackjack is for a casino reward member. No “cool trick” is going to be worth giving access to your phone and data. Watch for prying eyes as you take your devices out at these conferences as well and be very mindful of taking the necessary precautions to safeguard your personal information. Here are some tips from our security team
- Update the operating system on your devices before attending so they have the latest security patches.
- Power down laptops (no sleep mode!) when not in use, and do not leave laptops unattended. Avoid leaving them in hotel rooms if you can carry them with you, but if you must leave them in your room, power them off first.
- Disable bluetooth on computer and phone while on the floor/at the con.
- Disable wifi on the phone if not in use.
- Disable Airdrop and NFC – on iphone, Settings -> General -> Airdrop, set “Receiving off” and disable “Bringing Devices Together”
- Use privacy screen protectors if you have them and always be aware of your background for shoulder-peepers.
- Do spend some time with a buddy that’s been here before: There is no shame in being a noob, just because you attended a conference does not mean you’re prepared for 4+ conferences stacked in an entire week and that’s ok. I was lucky enough to tag along this week with hackercon veterans Corin Imai and Ian Campbell. This was especially needed for me during DEF CON trying to navigate through all of the different Villages, find where the learning tracks took place, and to just know where to get away from the crowd to get a bite to eat. They also did a fantastic job at managing a Signal chat for our group and giving a list of helpful tips on what sessions to check out and how to get the most out of each conference. If you have co-workers or someone in your network attending this week who’s been there before, I highly recommend taking some time out of your week to talk through a summer camp game plan.
