The buzzy ShmooCon cybersecurity conference returned this weekend after a pandemic hiatus, drawing a lively crowd of hackers, security practitioners and inside-the-Beltway types to downtown Washington, D.C.
The ShmooCon conference’s silliness can seem out of sync with the severity of today’s cyberthreats, from destructive malware in Ukraine to major vulnerabilities in Dell devices. The con’s mascot is a moose, it features DIY Stargates and it encourages attendees to throw stress balls at speakers in the name of audience interactivity, among other traditions.
But beneath the quirky veneer, the event takes on heady topics: Election disinformation; Iranian cyberespionage; satellite security. And there’s a reason the roughly 1,500 tickets for the event sell out in seconds year after year.
“This is a unique space because it’s in the capital, so you have a lot of people from intel here — not the company, the IC,” said ethical hacker and Synack red team member Rhette Wallach, who’s attended ShmooCon for years. “The federal presence is overwhelming … so it’s a little bit special in that respect.”
Wallach, who also appeared on a panel Thursday on diversity and inclusion, told README that she’s attending the conference to make a positive impact and help mentor other women hackers at a time when they’re still vastly outnumbered by men.
“We don’t have time to screw around with this problem because this problem is self-made and it’s completely unnecessary,” she said. “The rate at which this industry is changing is so fast relative to the rate of social change.”
Here are five takeaways from this year’s ShmooCon, which ends today:
1. Attribution is still hard
Allison Wikoff, director of global threat intelligence at PwC, tracks “kittens” for a living, tracing cyberattacks to Iran-based threat groups.
“I get asked all the time, who got it right and who got it wrong? In terms of attribution, generally the answer is, no one,” she said.
But that’s no reason to abandon the effort, even though attributing cyberattacks to specific groups “is super hard” as Iran-based threat actors shift around within different contractor organizations and take on tasks assigned by various agencies in Tehran.
Attribution “actually does really matter,” she said. “Motivations widely differ sometimes when we’re talking about intrusion activity … . Your response to a ransomware actor is probably going to be a lot different compared to your response to an espionage actor.”
ShmooCon organizers instated a vaccination and mask requirement this year due to the COVID pandemic. Blake Sobczak/README
2. Graph theory is here to help
AJ Read, a recent grad student and research assistant in The George Washington University’s Graph Computing Lab, developed a detection algorithm called “ProcAid” to detect potentially malicious anomalies on a given host.
Pairing graph theory — the study of mathematical structures between objects, like users in a computer network — with machine learning techniques is a relatively new field.
But it’s perfect for building cybersecurity tools like ProcAid, Read told README. “It’s intelligent, it’s very lightweight — the amount of logs you can condense into a single graph to do analysis on is amazing.”
Read, a self-described visual learner, said graphs can help make cybersecurity data more intelligible, becoming a powerful tool for incident response. “If you’re staring at log data, that doesn’t mean a ton to me,” he said. “But when I see, ‘this user is a node, and he’s interacting with these other nodes in a graph,’ you can see those relationships, and as humans, we can understand that.”
3. VPNs aren’t magic
Investigative tech reporter Yael Grauer debunked the security claims of some unscrupulous VPN companies. “A lot of people use VPNs because they don’t actually know what they do, and a lot of the marketing material out there doesn’t help with that,” she said. Mullvad, IVPN and Mozilla topped her Consumer Reports list of VPNs worth considering for users who prefer to hide personal info from their ISPs.
The bottom line for using VPNs? “They’re not like magic fairy dust,” Grauer said. “A security key, good password and MFA will do a lot more than a VPN can.”
4. Wardriving begets wardriving in a “vicious cycle”
WiFi wayfarers Mike Spicer and El Kentaro are on a mission to see what networks populate the world, a hobby known as wardriving. Kentaro takes hours-long walks around Tokyo hauling a custom-built, Raspberry Pi-equipped rig to catalog wireless networks and win street cred in the WiGLE wardriving community.
It’s a vibrant community with a “because we can” attitude. Kentaro recounted recognizing someone in ShmooCon’s RF Hackers Sanctuary by their custom-build wardriving rig. “I thought, I don’t know that face, but I know that rig,” he said. “Truly, there is no rig alike — everyone has their own niche.”
Curiosity is the core of hacking, and wardriving aficionados strive to outdo one another in a “vicious cycle,” as Spicer put it: Bigger rigs, more breathable backpacks for long walks, shortcuts like using aliasing commands to streamline the scanning process.
“It’s inspiring to see what everyone else is working on,” said Spicer. “It turns into a competition between me and the internet and [Kentaro], so now I have to go home and build something or do something bigger, over the top.”
5. One hacker’s failure is another’s success
Eugene Lim, a technology researcher for the Singaporean government, shared insights into a hack that wasn’t: Synology’s DiskStation storage devices survived two high-profile hacking competitions unscathed despite offering a $40,000 bounty for finding a path for full remote code execution. “When we fail, it’s a victory for those coders who made their products secure,” Lim said.
How did Synology’s tech survive? Solid authentication and authorization practices, hardened standard library calls, and centralized security funnel to a “single source of truth” all played a role protecting Synergy even as researchers were “raining down crits and code execution vulnerabilities” for other targets, Lim said.
Still, most vendors have a long way to go with their approach to cybersecurity vulnerabilities.
“They’re not learning from each other; they’re learning from individual problems,” Lim said. “That’s something that needs to be fixed.”
