Tech News Radio

Here are my DEF CON notes from the sessions that I attended in 2019 for DEF CON 27:

• defcon27-2019-report_DRAFT.pdf

Please fell free to do what you want with these notes.  I go to sessions so you don't have to.

Here some quick links to notes from previous years: 26 (2018), 25 (2017), 24 (2016), 23 (2015), 22 (2014), 21 (2013), 20 (2012), 19 (2011), & 18 (2010). 

Here are some more recent news links published since the conference:

1. https://www.irishtimes.com/life-and-style/motors/10-700-in-speeding-tickets-after-invisibility-test-goes-wrong-1.3985905
2. https://www.cisomag.com/smart-speakers-can-be-turned-into-cyber-weapons-to-make-aural-attacks-researcher/
3. http://www.securitysystemsnews.com/blog/discovered-defcon-27-automated-license-plate-readers-alprs-being-hoodwinked-clothing
4. https://www.csoonline.com/article/3432158/thoughts-from-defcon-27.html
5. https://securityboulevard.com/2019/08/black-hat-2019-recap-transformation-the-new-cybersecurity-culture/
6. https://timesofindia.indiatimes.com/gadgets-news/this-next-gen-weapon-is-sitting-in-your-room-and-you-dont-even-know/articleshow/70645696.cms
7. https://edition.cnn.com/2019/08/12/politics/defcon-voting-village-darpa-dominion/
8. https://www.bleepingcomputer.com/news/software/nmap-780-def-con-release-first-stable-version-in-over-a-year/
9. https://www.infosecurity-magazine.com/news/defcon-cisa-improve-election/
10. https://www.infosecurity-magazine.com/news/defcon-american-flaws-school/
11. https://www.c4isrnet.com/battlefield-tech/2019/08/12/the-air-force-is-all-in-on-software/
12. https://www.infosecurity-magazine.com/news/defcon-hackers-netflix-bank-acount/
13. https://www.prnewswire.com/news-releases/carnegie-mellon-team-flexes-hacking-prowess-with-fifth-defcon-title-in-seven-years-300899772.html
14. https://techspective.net/2019/08/14/qualys-has-a-prescription-for-better-cybersecurity/
15. https://hub.packtpub.com/nmap-7-80-releases-with-a-new-npcap-windows-packet-capture-driver-and-other-80-improvements/
16. https://futurism.com/the-byte/tesla-surveillance-hack
17. https://www.cnet.com/news/anti-surveillance-clothes-foil-cameras-by-making-you-look-like-a-car/
18. https://www.krdo.com/news/hacker-makes-iphone-cable-that-can-tap-into-computer/1109318553
19. https://www.kare11.com/article/news/minnesota-team-places-2nd-in-national-hacking-competition/89-77305e34-dadd-4b55-afcb-c8d1af6165f9
20. https://www.cmu.edu/news/stories/archives/2019/august/hacking-champs.html
21. https://www.forbes.com/sites/jeanbaptiste/2019/08/14/defcon-27-how-hackers-used-a-netflix-account-to-steal-banking-information/#1f0f14a33710
22. https://www.wired.com/story/null-license-plate-landed-one-hacker-ticket-hell/
23. https://www.idgconnect.com/interviews/1502595/secret-cso-rick-howard-palo-alto-networks
24. https://www.technologyreview.com/f/614175/a-new-clothing-line-confuses-automated-license-plate-readers/
25. https://news.gcu.edu/2019/08/gcu-students-log-in-to-hacker-summer-camp/
26. https://www.newsweek.com/cybersecurity-vulnerability-fighter-jet-f15-defcon-hacking-tads-flight-system-hack-pentagon-1454491
27. https://www.thenewamerican.com/tech/item/33162-clothing-line-fools-big-brother-surveillance-by-making-you-look-like-a-car
28. https://www.military.com/daily-news/2019/08/16/hackers-find-serious-vulnerabilities-f-15-fighter-jet-system.html
29. https://www.timeslive.co.za/motoring/news/2019-08-16-go-for-it-try-to-hack-my-car/
30. https://gizmodo.com/buttplug-hacker-talks-security-consent-and-why-he-hac-1837252628

I plan on attending DEF CON 28.  Follow along real-time on Twitter @technewsradio.

Here are my DEF CON notes from the sessions that I attended in 2018 for DEF CON 26:

• defcon26-2018-report-technewsradio.pdf

Please fell free to do what you want with these notes.  I go to sessions so you don't have to.

Here some quick links to notes from previous years: 25 (2017), 24 (2016), 23 (2015), 22 (2014), 21 (2013), 20 (2012), 19 (2011), & 18 (2010). 

I plan on attending DEF CON 27.  Follow along real-time on Twitter @technewsradio.

Here are my DEF CON notes from the sessions that I attended in 2017 for DEF CON 25:

• DEFCON 25 NOTES (2017) [PDF]

Please fell free to do what you want with these notes.  I go to sessions so you don't have to.

Here some quick links to notes from previous years: 24 (2016), 23 (2015), 22 (2014), 21 (2013), 20 (2012), 19 (2011), & 18 (2010). 

I plan on attending DEF CON 26.  Follow along real-time on Twitter @technewsradio.

Here are my DEF CON notes from the sessions that I attended in 2016 for DEF CON 24:

• DEF CON 24 NOTES (2016) [PDF]

Please feel free to do what you want with these notes.  I go to sessions so you don't have to.

Here some quick links to notes from previous years: 23 (2015), 22 (2014), 21 (2013), 20 (2012), 19 (2011), & 18 (2010). 

I plan on attending DEF CON 25.  Follow along real-time on Twitter @technewsradio.

Here are my DEF CON notes from the sessions that I attended and the presentation material that was shared:

• DEF CON 23 NOTES (2015) [PDF]

In addition my previous notes (all in PDF) are available for 22 (2014), 21 (2013), 20 (2012), 19 (2011), & 18 (2010).  I wish I started going to DEF CON sooner but it is what it is.

Feel free to do what you want with the report - "I attend sessions so you don't have to." ;-)

I plan on attending DEF CON 24.  Follow along real-time on Twitter @technewsradio.

UPDATE (8/3/2016): If you are a Chvrches fan and want to be interviewed in person at DEF CON 24 then message me on Twitter @chvrchespodcast.

Last summer (2014) I picked up a Asus C720-2802 Chromebook and posted a review on TechNewsRadio.com.

I recently updated to a newer version (same form factor) -- the Acer C720-3605.  I had originally ordered the Acer C720-3404  (which is the Canadian version), but ended up with the U.S. version: C720-3605.  They appear at least on the specification pages on Acer to be exactly the same other than model number (PDF spec analysis). I might have missed something so if there is a difference then please let me know.

The main reasons for upgrading:

1. Improved Performance (faster processor with dual-core)
2. Additional RAM (4-GB vs. 2-GBs)
3. Better HDMI output (for hooking up to a large monitor @ my home desk).
4. More Local Storage (32-GBs vs. 16-GBs -- excellent for watching more digital content)
5. Needed a another computer @home for my daughter to use

Here are some stats using Octane 2.0 test:

While I wasn't having any real performance issues with the 2802-series, I've found that I can experience the difference in browsing and streaming media with the 3605-series.  The hardware updates are definitely an improvement in real world usage from my perspective.

All-in-all I have been very happy with Chrome OS and these two Chromebooks (the old one is now my daughter's main system).  For me the key selling points: great battery (more than 8 hours); excellent small form factor; responsive & comfortable keyboard; integration with Google services; and the simple OS updates & patches.

I look forward to using it again as my main note taking system for DEFCON 23.

 You can order your own via this Amazon Acer C720-3605 link or this Amazon Acer C720-3404 link.  Prices seem to be all over the board so make sure you are comfortable with ordering the right model number at the right price.

I recently picked up a Logitech Wireless Combo Mk520 With Keyboard and Mouse to use full time with my Acer Chromebook when I'm using it in desktop computer mode.  

When I am in this mode I usually use the setup with a SAMSUNG T24C550 monitor as the primary monitor and the Acer's laptop monitor as my 2nd monitor off to the right-hand side.

I like this setup because it enables wireless access to both the keyboard and the mouse using one USB port.  Previously I had a dedicated wireless mouse and then a bluetooth keyboard. However the bluetooth keyboard wasn't completely full-size, would periodically drop off connectivity, and was better suited to short-term typing like like periodic emails responses on my Nexus 7.

The only draw back with the Mk520 is that the Function (F) keys are not ideally setup to match the icons on them.

The keyboard uses the basic standard keyboard layout on most Chromebooks. So ESC is ESC (Escape) and:

• F1: Go to the previous page in your browser history
• F2: Go to the next page in your browser history
• F3: Reload your current page.
• F4: Open your page in full-screen mode
• F5: Switch to your next window
• F6: Decrease screen brightness
• F7: Increase screen brightness
• F8: Mute
• F9: Decrease system volume
• F10: Increase system volume

At the very top of the keyboard is a media control area (3 keys): back, play/stop, forward. Those don't seem to work with videos.  But the sound control area (3 keys): mute, decrease sound, and increase sound do work.  And the WINDOWS button is a dedicated SEARCH button; the STAR button brings up the BOOKMARKS page list; and the CALCULATOR button goes into FULL SCREEN MODE.

Over all the keyboard feel when typing is very good, and I like the pressure the keys have. In addition, I like the ability to tilt up the keyboard and to have it stand-up at 90-degrees for using your desk area for writing if needed.  I would recommend the keyboard if someone is looking for the same feature set.

The PCI Security Standards Council has released guidance (PDF) to businesses to show them how to use penetration testing to identify network vulnerabilities that could be exploited for malicious activity. [tbusinessnet.com, bankinfosecurity.com, news.google.com]

There is also a discussion thread over on SANS.org Forums.

The CISSP Domains (Effective April 15, 2015) will be changing:

1. Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)
2. Asset Security (Protecting Security of Assets)
3. Security Engineering (Engineering and Management of Security)
4. Communications and Network Security (Designing and Protecting Network Security)
5. Identity and Access Management (Controlling Access and Managing Identity)
6. Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)
7. Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)
8. Software Development Security (Understanding, Applying, and Enforcing Software Security) 

A detailed conference report of the sessions attended has been posted: DEFCON22 (PDF).

In addition, here is a summary of DEFCON 22 related news articles of potential interest:

• Founder of America’s Biggest Hacker Conference: ‘We Understand the Threat Now’ [Time]
• Black Hat, Defcon Conferences: From Hackers to Pwnie Awards [eweek]
• DEFCON's Latest challenge: Hacking altruism [itworld]
• DEFCON 22: HACKING AIRPORTS, AIRPLANES AND AIRWAVES [tripwire, scmagazine#1, scmagazine#2]
• Blackphone isn’t insurmountable, hackers prove at Defcon [technewsnow, itporportal]
• Taiwan hackers win 2nd prize in Las Vegas [taiwantoday]
• McAfee sideshow eclipses Defcon's real security breakthroughs [infoworld]
• The clash of cultures between Black Hat and Defcon hacker events [venturebeat]
• At Defcon, hacker coalition calls for safer computer systems in vehicles [computerworld]
• DefCon: Bug bounty programs continue to evolve [scmagazine]
• Hacker Couture At Defcon [forbes]
• DefCon: Stolen data markets are as organized as legitimate online businesses [scmagazine]
• Propeller 1 on the DEFCON 22 Badges in Las Vegas! [parallax]
• Hackers Were Busy at Black Hat [PC Magazine]
• With Black Hat and DefCon comes spike in Vegas-based attacks [SC Magazine]
• Cyber Attacks From Las Vegas Spiked During Black Hat, Defcon [SecurityWeek.Com, site.co.uk, itsecurityguru.org]
• SensePost demos WiFi attacks at DefCon [ITWeb]
• DefCon 22: Home Automation Security, Personal Wrist Computer Badge and How To Buy Online Anonymously [Revision3 Part 3, Part 1]
• Inside Defcon: What Happens At The Annual Hacker Convention [nbc-chicago]
• EFF's T-Shirt Puzzle
• More info on OpenDNS's DEFCON presentation

Here are pointers to previous reports: DEFCON 18, DEFCON 19, DEFCON 20, and DEFCON 21.

I recently picked up via Craigslist a "new in the box" Asus C720-2802 Chromebook to use as my new primary system for TechNewsRadio.com.  The main reason was that DEFCON22 is coming up soon in Las Vegas and I needed a "relatively" secure system to attend sessions and take notes for ~8 hours a day.  

My previous note taking system was relatively old ThinkPad that I had 3 sets of extra batteries for. So, I dropped about 6 pounds by moving to the C720.  And I don't have to configure a fresh system to take to DEFCON and then scrub after.

This version (2802) seems like the middle build release (~Feb2014) from the original that was in late 2013 and the most current $199 version that uses the Intel Celeron 2955U processor (2848).  There is also a newer more expensive C720 with an Intel Core i3 processor available.

The positivies:

1. Keyboard is great.
2. Integration with my Google account was flawless.
3. Integration with all my core online services was flawless.
4. Working offline seems to work as expected.

The negatives:

1. Can't seem to check IMAP email with an extension or a native Chrome application.

The still to be determined:

1. Will it get hacked at DEFCON?
2. How to edit audio?
3. Will it let me take notes all day at DEFCON?

POST DEFCON REPORT: There is now an IMAP client - CloudMagic.  I am pretty sure I didn't get hacked at DEFCON.  I was able to take notes all day long at DEFCON without any issues.  I have not found a good solution for editing audio.

Back in Podcast #325 we had a mention and a link to a personal finance tool called Wesabe. It is no longer available.

There are other options out there like Mint and PocketBook.

If you know others then please let us know!

Here are some links to stories about TrueCrypt shutting down:

• ThreatPost.com
• KrebsOnSecurity.com
• Reddit's SysAdmin
• Reddit's NetSec
• EtcWiki.org
• TheHackerNews.com
• TheRegister.co.uk

TrueCrypt is a key tool in our toolkit for protecting data and we use it everyday.  If it is actually going to go away then it will leave a big whole in end-user security options for data encryption.

I recently picked up from Harbor Freight Tools the following solar power kit: 45W Solar Power Kit (#68751) for just over $150 (including tax).

Over the course of the last couple of months I've been able to try out the kit on several camping trips were there was no easy electrical grid access.  The camping environment was pretty sunny but not always 100% full sun.  The time of year for all the trips was summer and the location was Southern California.  I ended up setting up the kit on the top of our small camper.

The main reason I picked up the kit was to keep all of my tech gear charged so I could keep tabs on email, news, and any tech issue with my sites.  This was usually less than 1 hour a day which worked out well for my needs, and expectations related to being on a camping trip.

The gear I was able to keep operational using the kit included: cell phone, tablet, WIFI card, and a laptop during trips lasting up to 7 days.

I was suprised during the main daylight hours that the inverter could charge directly: the cell phone, tablet, and WIFI card.  To keep my laptop charged I needed to capture to an emergency car battery system, and then use 3rd party car charger/inverter to get the right power levels to keep the laptop charged.  I was also able to keep charged a USB battery pack so I could run my WIFI card during non-daylight hours when needed.

One other lesson learned, was to turn off all electronics while sleeping.  This helped keep all the devices more readily available the next day then keeping them in standby/sleep mode overnight.

All in all the system worked very well and I'd recommend it.

Updated: 3/16/2014

DEFCON 21 was in Las Vegas, NV from August 02-04, 2013 and we were there.  Our real-time posts, references, and links are available over on @Technewsradio on Twitter.  

We have a detailed report (PDF) from the sessions attended if you are interested.  Just drop us an email to get the full report or a request via message on Twitter.  A podcast summary is planned but not promised at this time.

Things that we are "worried about" from an Enterprise computing perspective:

• Social Engineering against users is like a hot knife cutting butter. Only defense seems to be training and awareness. Traditional information assurance (IA) protections: virus scanning, IDS, firewall, etc are not effective.
• You can't secure what you don't manage.
• Basic system administration tools and infrastructure services in the Microsoft Windows world can be used for evil: PowerShell, .NET, DNS, browsers, PKI, and SCOM.
• USB is not your friend.
• Mobile computing and Bring Your Own Device (BYOD) are really not your friend.
• Cloud computing could be your friend but probably won't.
• Developers writing code for an organization without a security focus is just asking for trouble.
• If you think your stuff is secure just because you have it behind a lock and a key you are in denial.
• In a year or less, penetration testing is going to include inexpensive mobile assault options via semi-autonomous very-small drones and robots.

P.S. x 1: We were also at DEFCON 20 and have that report available if you are interested. Just drop us an email or message on Twitter for a link.

P.S. x 2: There are also DEFCON 18 and DEFCON 19 reports.  They are surprisingly still relevant IMHO -- same bat channel.