
Matt:
And then I start walking away, and I hear someone be like, can I take a selfie with you? And he's like, well, I'll do a shoe selfie. So I'm like, oh, now's my chance. I spin around, whip out my phone, walk over, stick my foot in the circle of shoes. And his shoe is right next to mine, and I got a shoe selfie with him.
You're listening to the Cyber Secured Podcast. Helping you become safer in every way. Now your hosts, Matt and Attila.
Matt:
Welcome back to the Cyber Secured Podcast.
Attila:
I'm your host, Attila,
Matt:
and I'm Matt.
Attila:
And we're here to talk about DEF CON today. We got our swag on. DEF CON. Yeah. The world's largest cybersecurity conference in Las Vegas. We went in 2025 at long last, after hearing about it for years and wanting to go. And if you have not listened to our last episode, episode 13, where we talk about our first impressions of DEF CON, you should listen to that, because it has good travel tips if you've never been.
Matt:
I need to add a little bit to the first impressions. I didn't say this in the first episode about DEF CON. But, you know, when Attila talked to me about going, I, of course, if you guys hadn't picked up on it, neither one of us had ever gone to DEF CON before. We just heard stories. There are two conferences that are back to back. I don't know if it's always been this way. It probably hasn't. One is Black Hat and the other one is DEF CON. In my mind, I knew that there were two, and I knew one was more vendor focused versus the other one was more hacker focused. In my mind, DEF CON was the vendor-focused event, because DEF CON is a government term, DEF CON standing for defense readiness.
Attila:
And you would think that, being a hacker and anti-establishment, you would choose a name that would not be so established. It's kind of like saying, I want to open up a burger joint that's anti-burger joint. We're going to call it McDonald's. Right.
Matt:
Yeah. And so then the other title is Black Hat, right? So Black Hat represents, in the hacking world, there's different hats that you wear. You're a red hat, black hat, gray hat. Gray hat meaning you might do a little bit of bad stuff, but you do the bad stuff to do good stuff, cross over a line.
Attila:
Ethical.
Matt:
Ethical hackers, yeah. Versus white hat, they never cross the lines. Yeah, I assumed, or I had in my head, that DEF CON was going to be the event with the vendors and then Black Hat was the event with the hackers, and we just missed that one because it was at the beginning of the week. And then I started looking at the details and realized, oh no, we're going to the hacker conference. So yeah.
Attila:
Well, that's the one where we were hoping to see some of those, you know, people that we listen to on, uh, you know, we listen to podcasts too. And we got to both meet Jack Rhysider. Yeah. And, uh, Matt has a picture, has a shoe selfie.
Matt:
I was, I was going into the bathroom and, um, and it's known, if you listen to Darknet Diaries and you listen to Jack Rhysider, he talks about going to DEF CON and he's, he's a privacy nut. He has probably heard too many horror stories to feel safe about being on any kind of social media. So when he goes to DEF CON, he always wears a mask, so he can't be identified if, you know, a photo was taken of him. Like, you know, no one's going to necessarily know what he looks like. And COVID was a while ago, so nobody's really wearing masks at DEF CON. So you see someone with a mask and you're like, is that Jack Rhysider? And I spotted like one or two guys. I was like, ah, that's not him. And then I saw a guy that I was like, okay, I think that's him. And I was right at the bathroom when I spotted him. As I was entering the bathroom, I heard the voice. I was like, yep, that's Jack. So I went to the bathroom, washed my hands, and I was thinking, oh, maybe if he's outside, I might be able to shake hands or talk to him. And I walk outside, and he's immediately telling people he's got to be somewhere. And he turns, and he looks me right in the eyes. And he's like, I'm sorry, I got to go. And he hands me a little rubber bracelet that's like, you know, Darknet Diaries, DEF CON 33. And I'm like, okay, that's cool. I don't want to mess with him or be that guy. And then I start walking away, and I hear someone be like, could I take a selfie with you? And he's like, well, I'll do a shoe selfie. So I'm like, oh, now's my chance. I spin around, whip out my phone, walk over and stick my foot in the circle of shoes. And his shoe is right next to mine, and I got a shoe selfie with him.
Attila:
Wow. Well, if you took a selfie with him, what? You'd just see a bandana, a big hat, and sunglasses.
Matt:
And he's still kind of shy about that, too. He didn't want any actual pictures or selfies with him.
Attila:
I think that's just tying into the culture of the whole thing. I mean, there are way more visible people doing scambaiting, you know, on YouTube. They show their face.
Matt:
Oh, yeah. Well, I mean, it
Attila:
They're actually going after criminals.
Matt:
Yeah, they are. And there are some guys, actually, the original grandfather scambaiter, Jim Browning, he's never showed his face. He is very identifiable by his accent, though, because he's got a Scottish accent. But dude has never showed his face on any of the events that he does when they collaborate. He doesn't show his face. And I think it's just because he's concerned about his privacy. He probably has a family and everything. And then, as it turns out, too, there are certain parts of the scamming world that are a little scary. If you don't know about this, look up Black Axe. I did not know about this when I was doing scambaiting myself. But yeah, there's some scary stuff out there.
Attila:
Darknet Diaries has a great episode on Black Axe and what it's all about. And I think that episode, honestly, is the one that kind of pushed Jack Rhysider into hiding for a little bit, because that was a terrifying episode.
Matt:
He was like,
Attila:
I'm going to take a break from all this for a little bit.
Matt:
I was going after someone that could have been part of that organization, and luckily I wasn't monitoring him for too long. But yeah.
Attila:
That could have turned out bad.
Matt:
Yeah, it could have turned out bad. Yeah. So anyways, yeah, we saw some famous people there. We got out of an elevator and I saw a face I recognized. I was like, oh, my God, it's Hak5. Then, you know, the chick spun around and waved. And then you said you saw Jack Rhysider, too.
Attila:
Yeah, he had this really nice event for kids. So I didn't realize there were so many kids attending DEF CON. They were. And they're all really interesting. They had these little, I guess it's a new thing with kids, which is like arm-based computers. Okay. Yeah. So they put like a little tablet and they kind of put it on their arm. So a bunch of kids had those. They had this little hacking kind of kit that they gave all the kids, and they had these little special get-togethers. They made a point to give these special time to answer questions and meet with Jack and all this stuff. But no pictures, of course. No pictures. And I don't really understand the no-pictures policy, but that's probably part of the culture, and you've got to respect the little culture that's going on there.
Matt:
I think once you start to get up to a level of fame and notoriety, and/or you're known for having money. I mean, we've heard stories of people that have been doxxed online and been harassed. It can get bad. Once you are the target of the internet horde, it can be pretty terrible. And I mean, Jack Rhysider's got stories about, what was it called, Pizzagate? Pizzagate, right. Yeah, I mean, that sounds hilarious. Guy was being bombarded by pizza deliveries, but it got really creepy, because then pizza started showing up at his family's houses. I get it. I mean, I don't get it, but I also get it.
Attila:
So that's harassment, where you play some pizza games, where you can ask for pizzas to be delivered to someone's home to show them that you know where they live, right?
Matt:
Well, the story was that the guy was being harassed for having a short, easy-to-type Instagram, I think it was Instagram or Twitter, account, because having a short username back in the day, I mean, you could sell it for money. And then when he wasn't selling it or giving it to the malicious actor, then he started getting weird pizza deliveries at his door. And at first it was funny, but then it was at all hours of the night, all night long, every day. And then it started happening to his family.
Attila:
So Pizzagate is a thing. And you get harassed online if you're a target. And I'm sure they don't want that for anyone else. But I mean, there are cameras everywhere else. I'm not really sure. Maybe they don't want people to know that they're at DEF CON so they can rob their house or something. I know you're not supposed to post public travel pictures of yourself.
Matt:
Well, I mean, what I've heard on Jack's podcast was that there are people at DEF CON that have definitely, 100% committed crimes that have not faced the law for it. And sometimes they're actually there talking about it, or they're even doing an unofficial talk there about it. And then there was a story, I don't know if this was on, it wasn't on Darknet Diaries, this was on the Hacked podcast. There was a story about how they discovered there was a journalist there taking photos and trying to get the photos to authorities, because she was, I think, doing a bounty, I'm not sure, but she was caught and thrown out. Her photos were removed.
Attila:
Well, I do know, I did hear about this afterward, is that there were arrests. This year? Yeah, this year. And if you kind of Google just DEF CON 2025 arrests, there's a few things on Reddit. I'm positive that there's law enforcement undercover there. Oh, I mean, that's one of the games. Spot the Fed. Spot the Fed. Well, you know, so I mean, but that's going to happen no matter where you go.
Matt:
It's true. I think DEF CON traditionally has been a place where... It's a honeypot. Well, not on purpose. It is supposed to have been a place for like-minded individuals who have or have not committed crimes, but have an interest in hacking and a knowledge of getting into things, you know, to come together and be able to have a forum about it. And of course, when you make that a public forum, then you're going to invite, you know, the authorities to come and suss that out. I think, you know, kind of going back to a little bit of what we were saying in the first episode about this, DEF CON has reached critical mass. People enjoy a thing. There can be a point where there is so much interest and attendance that it starts being a detriment to that thing. Tragedy of the commons is the term.
Attila:
Tragedy of the commons. Like oversaturated.
Matt:
Oversaturation.
And we're a little late to the game in terms of going to DEF CON, because it was the 33rd year. Yeah. It's been a while. It's been going on for a while. It's almost 50,000 people at the event. Yeah. So, we definitely did get a feel that
Attila:
Counterproductive persistence.
Matt:
Persistence, yeah.
Attila:
Well, that's like beating your head against the wall. It's a nice way of saying it.
Matt:
Yeah. So, I mean, it's neither here nor there. There's definitely some great stuff there. And switching tracks, what were some of the great things there that we enjoyed?
Attila:
Yeah, yeah, no, for sure. I really liked seeing some of these vendors, the developers of these tools that we've come across, like Metasploit, and some ways to find out about vulnerabilities inside of platforms. So cloud is the big vulnerability. That I think we can all agree on. I thought it was funny that a lot of the presenters used Macs. Which I thought was funny.
Matt:
Oh, yeah, total segue. But I mean, as tech people, of course, you're checking out other people's tech, side-eyeing folks on what they're using for their OS or their computer.
Attila:
I would have expected more Linux. No, it's all Macs.
Matt:
I would say, from my personal observation, about 20% to 30% of what I saw on people's screens, it was all Linux. And then maybe 60% to 70%, yeah, around there, PC. And then the rest, especially presenters and people demonstrating things, it was all Mac, all Mac, which I thought was really interesting. Yeah, the people on stage, you can see it on their screen, it's really easy to identify the buttons on the windows, and it's all Mac. We're saying this because we're also Mac users. We're very fluent in Windows. We have to be for the work that we do.
Attila:
Well, as the landscape of users shifts, I mean, most new users in this earlier demographic, I mean, everyone's using a Mac, which is what it comes down to. For some time, and I think it still holds, Mac has superior hardware architecture. They're kind of identical. Since they switched to ARM, yeah. You can't beat ARM. And it's not because it's a Mac or PC, it's because it's ARM, so.
Matt:
There's been some interesting developments, though, that both AMD and Intel are starting to come out with chips that are like the motherboard I got for my PC laptop. It lasts around six to seven hours now.
Attila:
Yeah, but what kind of heat are you getting?
Matt:
I mean, yeah, the fan does still come on, but not like the previous motherboard I had with the i7. That thing came on every couple of seconds, at least.
Attila:
Right, but you're getting i9 performance out of a silicon chip without any heat generation, in a 10-plus, maybe even sometimes 20-hour battery life. Anyways, digress.
Matt:
Went off into the woods on that tangent because we're tech people.
Attila:
Cloud security is particularly interesting, to find out about Entra. So Entra is Microsoft's 365 environment. And out of the box, Microsoft wants everyone to start using their product. And they make it easy to do so and leave all these switches off for security. And that leads to problems. And many of the researchers that we went to go visit, or particularly the talks that we focused on, were those researchers that had found vulnerabilities in 365 configurations and developed processes and tools to be able to identify and remediate those deficiencies.
Matt:
And the deficiencies aren't necessarily just big gaping holes. They're, as Attila put it, they're there so that out of the box you have a product that works. You shut all that stuff off, you lock it all down, you're going to have users that are coming to you with pitchforks because suddenly they can't get their SharePoint or access certain things.
Attila:
Yeah. Non-tech people don't understand security, and a lot of tech people don't even understand security, and everyone's irritated by security, whether you're in tech or not.
Matt:
But we got to do it.
Attila:
It sucks, but it's part of the, yeah.
Matt:
Yeah, I've seen a couple of things, like even at some of the talks, it just kind of blew my mind. There's one in particular that was really scary.
Attila:
Let's talk about that one.
Matt:
You want to talk about that one?
Yeah. Well, so the scary thing wasn't so much about the talk. If you are online and you use passwords at all, you've probably come across this new thing called the passkey.
Attila:
Passkey talk.
Matt:
Yeah. Passkeys aren't really anything new in the world of SSH. If you're remoting into a Linux system, generally, I mean, I have done this for years, you type in a username and password. If you want to make it more secure and you want to make it easier, you can use a key system, public and private key, and you exchange that between the two servers. So when you connect with your server, they see the keys on both sides. I'm oversimplifying this by a lot. And then it just lets you in.
Attila:
And the key is a long encrypted string.
Matt:
The key is a long encrypted string, yeah.
Attila:
String of characters and numbers. In case none of our viewers have seen it.
Matt:
Yeah. And so there isn't a username or password there. The username and password is that public and private key, and they're just exchanging it between each other. And then you're just in as the user that you set up with that key pair. So passkeys, I looked it up, it's the same function, it's the same exact thing, but it's in your browser and it's with your, whatever your passkey or identification system is on your device. So for Macs, we have Keychain. You can use that for passkeys. You can also use your password managers for passkey stuff. It usually will tie into your local authentication chain on your operating system.
Attila:
I think even browsers are doing it now, right? Chrome.
Matt:
I'm not sure. I think so. I'm only really now starting to get into the world of passkeys and understanding how to set it up and how to use it. It is really convenient. And I will say, after this talk, I really understood the fact that doing a passkey has its benefits, because you can have a website where you've got a passkey, and let's say, like has happened in the past over and over and over again, that website gets hacked. And their database with all the users and passwords gets breached, and then they start extracting all that stuff. And somehow, let's say, they've got some supercomputer that actually gets the key information for the passkey for that site for your account. Can they use that anywhere else? No, because on the other sites where you've got passkeys, those passkeys are unique to those sites. So it's almost like using a password manager, because it's different for every site.
Attila:
Yeah, you're forcing people to have a unique string of characters to authenticate themselves, which is good cyber hygiene to begin
Matt:
Yeah, why we promote using a password manager, because password managers do that same kind of function. So what these guys discovered is that there is a way that you can breach the passkey system and be able to get into a site. It does require that they have a man-in-the-middle interaction on the browser. It can be a cross-site script or, in the use case that they showed during their talk, it can be a malicious plugin or extension on the browser.
Attila:
Which we've been seeing.
Matt:
Which we've been seeing. Yeah. So once they have that, it's a little like, the way they discussed it or have it listed in the talks, it felt a little alarmist, because it looked like that once they have that access, they immediately had access to your passkey. It's not the case. They would actually have to force the user to de-auth their passkey and create a new one. So in that process, there's something a little hinky going on. You might suspect there's something weird happening. Once you create the new passkey, they're in. And they can pass the new passkey through their system to your system so everything looks normal, everything looks legit, and now they have access to your email. Let's say they did it with your Gmail account, right? And they can use that token from that passkey system to be able to log in to other systems, to be able to connect and do other things. So that was interesting. I liked that. That was cool. That wasn't really the part that interested me or set the alarm bells off. He did talk about this a little bit and emphasized it a bit. What was so alarming to me is the fact that the extension that he loaded this malicious action on required
Attila:
Browser extension. Yeah.
Matt:
This browser extension, see if I can find it in my notes. It just required a simple global, I think he called it a global host access to the browser. As he pointed out, 90 percent of extensions out there all use this, they all require it. Meaning, any extension that you have loaded can see your passwords and see your passkeys as you're using them. That was really alarming to me. That was really scary.
Attila:
There's a failure in the architecture.
Matt:
There's a failure in the architecture. And that actually was his key point to this, is there's a failure in the architecture and how this functions.
Attila:
So let's just recap: every extension that you load into Chrome or Edge, 90% of them have global access, or should I say, like, administrative global access?
Matt:
I mean, it makes sense. Yeah. If you're using, what is that one that can correct your grammar? Grammarly.
Attila:
Grammarly.
Matt:
So I mean, Grammarly, for it to be able to see what you're typing and analyze it and dictate back to you or spit back to you the corrections, it needs to see what you've got in your browser. And the point is that, and the thing that we're taking away from DEF CON in general, and we've been hearing this more and more, is the fact that our browser and our interaction with the internet is really where all of our computer interactions are happening now. It's not so much on your local system. Yes, you're going to still have local directories with Microsoft Active Directory and file systems and all that kind of stuff. Yes, we still need to have good practices involved in protecting that stuff, you know, mainland things, and have EDR tools and everything to just keep that protected, because those vulnerabilities will never go away. But the new landscape, where all of our architecture is, where we're accessing stuff, is all in the cloud, right? And as the guy points out, it's kind of a slogan for the company he works for, your browser is the new OS.
Attila:
It's all the browser, where they're coming. Yeah, the blog entry I just sent out today, actually, was all about how these new VPN services are becoming, like there's a surge in VPN service interest. And they're now, like you said, they're creating browser extensions for VPNs. That way you
Matt:
don't have to install the software and use it.
Attila:
Well, the problem is that there's one that they particularly found, which is called FreeVPN. Every one second it would take a screenshot
Matt:
Of course
Attila:
Of what you were doing, and then send it off unencrypted to their servers for quote-unquote analysis. And when this researcher reached out to FreeVPN to ask, what are you guys doing with this? They said, oh, yeah, we're looking for malicious websites. Like, OK, but I just went on eBay. I went on Google. I went on these really non-malicious websites, clearly known. Why are you taking screen grabs of this? And I promise you, they're not the only ones doing this. And this is a well-vetted,
Matt:
I'm shaking my head vigorously as he's saying this. I just watched a YouTube video this morning of a security researcher talking about this exact thing and how someone made a big exposure of how pretty much every single password manager out there is vulnerable to this, and it's worse than what you're saying, even. Because what the security researcher was pointing out, that another researcher found, all the extension needs to do is have, it sounded like either a clear image or a clear div going over the entire page, and when your password manager fills in your username and password for a site, it captures that.
Attila:
Oh, great. Wow. So it sounds to me like almost no extension is really safe to use.
Matt:
Yeah, almost.
Yeah. I mean, so he did point out that it sounds like Bitwarden is already in the process of releasing a version that has a fix for this, or a security fix that eliminates this hole. But yeah, in general, yeah, extensions are scary. You don't have to be an admin user on a computer to install an extension in your browser.
Attila:
Well, that leads to this other talk we went to with the 365 researcher. He pretty much figured out that, yeah, I can get admin rights by setting myself up as an application under a 365 tenant. I don't even need two-factor. And then from there, I can escalate my privileges to an admin user. And this was something that was given to Microsoft so they could go in there and fix it, but the problem is a fundamental deficiency in the architecture.
Matt:
Right. And if they fix that as is, it's probably going to break a lot of things.
Attila:
Or break everything, yeah. So I don't know. My big takeaway, maybe this is like pulling up the yoke on our airplane up to 30,000 feet, is that all these things we saw at DEF CON were pretty much on how to break into everything, from critical infrastructure to cloud infrastructure, browser extensions, user information. They had a whole hacking thing, which I didn't get to go to, on Hikvision. So you want to hack DVRs? Here we go. We'll show you how to do it. There is no 100% guaranteed safe piece of technology out there. No, absolutely not. We're recording ourselves on these little microphones. Even these could probably be hacked, right? Probably. China could be listening. We don't know. But the big takeaway I got was that you got to be prepared. So think about how you would respond to something happening in your organization, because you can't plug all the holes. There's new holes coming up all the time. So how do you prepare? And this is why I thought the tabletop exercises were so interesting, because it gave an opportunity to think about these scenarios that, as crazy as they were, were valid. Who do you report to when there's a problem, especially if you're a government agency? Who do you ask for help from? Who do you not ask for help from? What resources are you going to need to get back on track? What's going to be the public relations fallout? What's going to be the legal fallout of this? Are you obligated to notify? How do you mitigate a loss of human life? You know, how do you choose who to save and who not to save? Because let's be honest, a lot of this critical infrastructure, I mean, they're called critical infrastructure because implicitly there's human life involved. And we're going to see more of that, especially as we get more into space, right? Because there's danger, you know, from above, there's danger from abroad, and all the critical infrastructure has got some sort of electronic components that are vulnerable.
So how do you plan for that? And then at a much smaller scale, your business, your organization, right? Interruptions can lead to a company going out of business, which we've seen firsthand. So what are the financial implications of that? How do people continue to pay for their cars and their places to live if there's no company to employ them? So these are some big questions that we should probably answer in our next episode. Yes, I like it. We want to try to keep these short for you guys. So we could talk for hours, and we will, but we'll record that and give it to you in chunks.
Attila:
Yeah, there you go. So thanks for listening. I'm Attila.
Matt:
I'm Matt.
Attila:
Stay safe out there.
Matt:
Cheers, everybody.
This episode was brought to you by Cypac. To learn more about keeping your business safe from threat, crime, and disaster, visit Cypac.com.
