DEF CON 29 Recap: 9 Talks You May Have Missed
DEF CON 29 has come and gone, but we’re still buzzing about a few of the talks we heard from some of the world’s top security researchers. Below are nine talks from DEF CON 29 that we recommend checking out now that the conference’s dust has settled.
1. “ATM Transaction Reversal Frauds (And How to Fight Them)”
Speaker: Hector Cuevas Cruz (@hecky)
Want another look into the disturbing world of ATM security? Bishop Fox’s Hector Cuevas Cruz gave this talk as part of the DEF CON Payment Village. In it, Cruz reviews what constitutes an ATM transaction reversal fraud, why these attacks are so popular (spoiler: they’re fairly simple to pull off), how they can be detected, and how they can ultimately be prevented. He brings real-world experience to the table, having secured ATMs as a member of blue, red, and purple teams.
2. “Bundles of Joy: Breaking MacOS via Subverted Applications Bundles”
Speaker: Patrick Wardle (@patrickwardle)
You may be familiar with Patrick Wardle as the creator of Objective-See, which provides free open source tools for securing OS X. His DEF CON 29 talk finds him homing in on CVE-2021-30657, a recent Apple 0day. This vulnerability affected all recent versions of MacOS and bypassed the security protections in place. Upon exploitation, it could allow an attacker to compromise a user’s system with a simple double click. Few people know the ins and outs of MacOS security like Wardle, which makes this presentation especially compelling.
3. “Offensive Golang Bonanza: Writing Golang Malware”
Speaker: Ben Kurtz (@symbolcrash1)
Go is a powerful programming language, and Ben Kurtz teaches you everything you need to know about what makes it so appealing to malware authors. According to Kurtz, Golang is magic. If you would like to learn about writing Golang-based malware or better ways to detect it, don’t miss Kurtz’s extremely comprehensive presentation. He lists some popular tools like Universal Loader and Donut, and even gives Bishop Fox’s tool Sliver a shoutout, naming it a “heavy hitter in the C2 [framework] space.”
4. “Don’t Dare to Exploit - An Attack Surface Tour of SharePoint Server”
Speakers: Yuhao Weng (@cjm00nw), Steven Seeley (@steventseeley), and Zhiniang Peng (@edwardzpeng)
Thanks to its popularity, SharePoint is an attractive target for attackers. In this presentation, you get a thorough crash course in the structure of the content management system’s attack surface. The presentation covers both server- and client-side exploitation, discussing serious security vulnerabilities that can be leveraged against the server (like the high-risk CVE-2020-16952). It’s an impressive deep dive into how truly expansive SharePoint’s attack surface can be and the security risks that arise from it.
5. "Gone Apple Pickin': Red Teaming Mac OS Environments in 2021"
Speaker: Cedric Owens (@cedowens)
Follow along from start to finish as Cedric Owens walks through aspects of a MacOS red team engagement in explicit detail, ending with plenty of ideas for high-value trophies. Owens acknowledges that some security professionals might dismiss MacOS-centric research because we tend to live in a “Windows-centric world,” but argues that its growing ubiquity makes it useful to know. If you work in offensive security, do not sleep on this talk. And for any blue or purple teamers out there, Owens concludes with a few suggestions for shoring up the security of your MacOS environments.
6. “Why Does My Security Camera Scream Like a Banshee?”
Speaker: Rion Carter (@rioncarter)
With a title like that, who could skip this talk from Rion Carter? It turns out the impetus for Carter’s research was an inexpensive wireless camera he purchased to help protect his pumpkin patch. Once he installed the camera, he quickly found several issues with it, including a high-pitched (or banshee-like) noise emitted by the camera’s companion mobile application. That’s when Carter went on a security scavenger hunt of sorts, and he highlights his various explorations in this presentation. As Carter says toward the end of his talk, “you get what you pay for.” So buyer beware – especially if that buyer happens to be a hacker.
7. “HTTP/2: The Sequel Is Always Worse”
Speaker: James Kettle (@albinowax)
In a talk he gave at DEF CON 27, PortSwigger Director of Research James Kettle focused on the dangers of HTTP request smuggling. At this year’s DEF CON, he presented his “sequel,” focusing on HTTP/2. Originally a believer in the security of HTTP/2, Kettle discovered that this supposedly more secure successor was vulnerable to an attack vector similar to the one that had affected HTTP before it. “HTTP/2 is a beautiful beast, but it is complex, and where there’s complexity people take shortcuts and things go wrong,” he warns at the beginning of his presentation. In conjunction with his DEF CON 29 presentation, Kettle released a research paper delving into his HTTP/2 findings in depth. So if his talk intrigues you (and maybe inspires you to conduct your own research), consider checking that resource out as well.
8. “ProxyLogon is Just the Tip of the Iceberg"
Speaker: Orange Tsai (@orangetsai)
ProxyLogon is the shorthand moniker for CVE-2021-26855, a Microsoft Exchange Server remote code execution vulnerability that earned a 9.8 critical rating from the National Vulnerability Database and generated considerable attention. Orange Tsai shows that ProxyLogon was not just an outlier security issue but actually represents an entirely new attack surface. According to Orange Tsai’s research, there are over 400,000 exposed Exchange Servers on the internet. Combine those factors with a significant change made to Microsoft Exchange Server nearly a decade ago, and you have a recipe for disaster.
9. “Time Turner: Hacking RF Attendance Systems (To Be in Two Places at Once)”
Speaker: Vivek Nair
If you put the two Matthew Broderick classics “WarGames” and “Ferris Bueller’s Day Off” together, you might have something resembling this DEF CON 29 talk by Vivek Nair. Not only does this talk feature some outstanding security research, but it’s an example of great storytelling too. Nair tells how an innovative high school student decided to reverse engineer his school’s high-tech wireless attendance tracking system so he could “attend” two classes at the same time. (Any students who happen to be watching might want to take note.)
BONUS: “You’re Doing IoT RNG”
Speakers: Dan Petro (@2600AltF) and Allan Cecil (@MrTasBot)
Finally, we can’t leave out this DEF CON 29 talk by Bishop Fox researchers Dan Petro and Allan Cecil, in which they share how an insecure random number generator (RNG) ended up in billions of Internet of Things devices. Thirty-five billion, to be exact. We also released a technical write-up corresponding with their DEF CON talk, which you can read here.
What’s Your Take?
We know there were many other DEF CON talks that didn’t make our list – so we want to hear from you: What talks did you most enjoy? Let us know your thoughts on Twitter (@bishopfox) or on our Discord server – even if you just second any of our choices, adamantly disagree with us, or simply wish you had Vivek Nair’s research when you were a high school student.
To see other talks we were anticipating from DEF CON 29, read our blog post from earlier this summer. And for a flashback to our picks from DEF CON 28, check out our write-up “8 Recommended Talks From DEF CON