DEFCON 21: An Odyssey

If you read my post last week about some of the Malwarebytes team heading out to Las Vegas for DEFCON 21 then you might be interested in how it went. Well, rather than doing what I did last year and just list the talks and describe them, here is a little story about my adventures in hacker land.

Day 1 Thursday:

I got up SUPER early (for me anyway and considering I traveled back in time 2 hours when I landed in LV) in order to head downstairs from my room in the Rio to purchase my DEFCON badge.

After waiting for 30 min to get a coffee from one of the two Starbucks in the casino, I took the walk to where the line for badges started. I waited in line for about an hour and a half and once I got my badge, we spent the next few hours just trying to figure out exactly what we were looking at.

The badges are very neat and as with the badges at DEFCON every year, they have multiple puzzles and purposes that might not even be discovered by attendees until months after DEFCON ends.

I ended the night by checking out the first DEFCON party, which was held in an emptied out (of chairs) track room. Loud techno music and a smoke machine, while dozens of attendees dance or stand around and enjoy the music.


Beyond the loud bass thumping I couldn’t drown out in my room (from the parties that I was too tired to attend) calling home to talk to my wife was a challenge on its own. With all of the wireless hackers making everything more “interesting” our conversation usually consisted of 2-3 min of clear speak then cutting out and the “beep beep” I heard as the call dropped. If you decide to head out here next year, make sure you don’t have any reason to call home.

Day 2 Friday:

This was the first day that the talks actually started. I started out the day by hitting the vendor area, a place that I am usually very excited about. I bought a pin for my badge that looks like a Jack Daniels label and a shirt of the same. I also bought a little black book that I have been using to keep notes on all the talks.

I first headed to the opening ceremonies talk, which was in the largest track room of the convention. It was a nice look into this year’s badges, what mysteries they “might” possess and some history behind what inspired their design. It was given by the creator of the badges, Ryan Clarke, also known as LostboY. For those of you who don’t know, every year there are new badge designs that all DEFCON attendees receive. There are also numerous puzzles involved with the badges, many of which have required interaction with other people at the convention who have different designs that help to complete the puzzles. These puzzles range from cryptography to hardware hacking and beyond.

Second talk was about government systems sharing open information in public databases and the ways in which these may reveal WAY too much about the average person. And no I am not talking about PRISM, these are local government databases that organizations might post up in an attempt to be more “transparent” but unfortunately end up being used by personal information thieves or even marketing agencies to sell products and form profiles. The talk was given by Tom Keenan who presented some interesting facts I wasn’t aware of, for example as far as Privacy goes, the U.S. is horrible at keeping people’s information secret. In fact, Germany is the most private country when it comes to personal information and what can be shared/posted online.

He also mentioned some interesting facts about a certain genealogy web service that has recently started taking users’ DNA as well as other information, given up for free for the sake of tracing one’s roots, and holding on to it forever, long after you have stopped using the service (or the free trial, as I am sure most of us have never gone beyond).

The real interesting aspect is that in order to be a data hoarder or PI scraper, it really only takes time, an inquisitive mind and some basic coding skills. It might change your perception from what kind of data the government is keeping secret about people and what they choose to give to the world.

Next talk was about SMS fraud being done by Russian (of course) scammer organizations, given by Ryan Smith & Tim Strazzere of Lookout Security. It was a really good look into the operations and life cycle of SMS fraud and how it has gone from a simple single scammer type of deal to a large, organized and almost corporate operation.

One stat in particular I thought was interesting: 30% of all SMS fraud is done by the top 10 Russian scammer organizations. This isn’t just the mobile malware aspect either, this is malicious ads you might find when running some free app you downloaded. It ranges from your basic misleading ads to actual prompts that say things like “UPDATE SKYPE NOW!!” which then charges you for an update you will never get but instead infects your phone to be used in other nefarious operations.

The evolution of this industry mirrors the evolution of desktop malware as well, with fake advertisements, compromised web sites and of course the “one stop shop” mentality of the dark part of the internet.

I went to a few more talks that had subjects ranging from p2p botnets to hacking tools and the intricacies behind car dealerships using bots to buy used cars, of course involving Russian hackers =/.


I ended the night with a visit to the “Hacker Jeopardy” contest, the first one I have been to. On a side note, I always consider after I leave DEFCON (this is my third) that I never experience anything beyond the talks so this year I tried to see a little more. Hacker Jeopardy was a contest of three teams of three who answer questions pertaining to the security field and win prizes. A lot of fun and a really great experience for anyone who hasn’t gone to it yet.

Day 3 Saturday:

Saturday morning started off slow enough, meeting up with some old friends and then heading over to a talk about social bots and some experiments done by Chris Sumner and Dr. Randall Wald on human interactions with fake Twitter accounts controlled by bots. It was definitely interesting to see the kind of effort put in to not only creating the bots but making them seem more legitimate, something that can be used to spread malware, provide propaganda and sell merchandise. The bots are getting better and better every day and it really gives me more respect for the guys at Twitter trying to catch these things.

The next talk focused on a method of how cyber criminals might exploit Android flash memory to install malware on a phone. The talk was given by Josh Thomas, also known as M0nk.

I decided to try my hand at one of the convention contests called Hack Fortress.

I have been playing Team Fortress 2 for years and a few years ago when I went to DEFCON 17, I was able to play in a tournament. Since then, however, they have changed the game to where you not only have a team of players who are playing TF2 against other teams but they do so while a team of 4 hackers assists each team by solving puzzles to earn the team power-ups. I joined with a team looking for extra hackers and ended up solving a puzzle that involved an encrypted traffic log as well as some steganography and physical hacking.


My team didn’t win and therefore I only got in the one round of the game but I am looking forward to playing it again next year. There is a lot to be said about the numerous contests at DEFCON, it’s not just talks but also full of opportunities to donate to charity and community events.

Day 4 Sunday:

Sunday was the last day at DEFCON and you can tell by the attendance of the morning talks and the attitude of everyone that everyone was tired. I hit up a talk about 0-Day Java exploits given by Brian Gorenc & Jasiel Spelman. It was incredibly informative and gave a few facts that I wanted to share: The first part of 2013 has had 130 software patches (because of known exploits) compared to 50 in 2011. Oracle (who update Java) have made more updates with shorter time in between, which proves that despite the overwhelming amount of Java exploits we deal with today, Oracle has made huge efforts to protect their product as well as their users.


The rest of the day’s talks ranged from applications being developed to assist in malware analysis (given by ANRC Training) to some actual malware analysis on a unique sample that uses exception handling and intentional software crashes to unpack hidden code. I ended the day (and the conference) by going to the DEFCON closing ceremonies, which gave out awards for contest winners and listed the amount of money raised for the Electronic Frontier Foundation, a charity group that helps keep the internet free.

All in all, it was a great conference and every year it keeps growing, from a small room with only a few dozen attendees to taking up the convention center of a large Las Vegas Casino and nearly 20,000 guests. I highly recommend attending if you work in the security industry or are just curious about new findings and the Hacker counter culture. Thanks for reading and please provide your own experiences in the comment section to share with the world. Thanks and safe surfing!


Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.