Cybersecurity News that Matters

Highlights from Black Hat and DEF CON 32: Talks from the White House and more

Jeff “The Dark Tangent” Moss is speaking at the DEF CON 32 closing ceremony, held at Las Vegas Convention Center on August 11. Photo by Dain Oh, The Readable

by Dain Oh

Aug. 15, 2024
9:06 PM GMT+9

It’s been about a week since Black Hat USA 2024 and DEF CON 32 wrapped up. As I transition back to my daily editing work in South Korea, I realize there’s still more to share with The Readable’s readers from these major hacker events. This includes statements from National Cyber Director Harry Coker, Jr., the latest research on doxing, results from the Capture the Flag (CTF) competitions, and some announcements and observations from the event hosts. I hope you find these insights valuable!

National Cyber Director Harry Coker, Jr. ― Opening remarks at DEF CON 32

National Cyber Director Harry Coker, Jr. is delivering his opening remarks at DEF CON 32, held at Las Vegas Convention Center on August 10. Photo by Dain Oh, The Readable

“The desire to take things apart is rooted in a hope that they will be made stronger. To recognize that the Internet – decentralized, governed largely by a simple set of rules written decades ago – is a miracle of human ingenuity. And that, miraculous as it may be, the Internet also needs protecting.

That ethos – of trying to make the Internet a safer place – is what makes this community so important and vital to our way of life. It’s why it’s so important to me that I made the pilgrimage out to the desert, along with so many of our cybersecurity colleagues. And I’ve got good news for you. My voice is not alone in Washington, and the chorus is growing.

For the first time, we are seeing policymakers consider how to leverage the unique aspects of the security research community to solve some of the very hardest problems in cybersecurity. Some of that is manifesting at the operational level as collaboration, not simply information sharing, increasingly becomes the norm at NSA’s Cybersecurity Collaboration Center and CISA’s Joint Cyber Defense Collaborative.” READ THE FULL STATEMENT HERE

Announcements regarding open-source software security ― RFI summary and $11M investment

Coker’s statement came just one day after the Office of the National Cyber Director (ONCD) released the report titled “Summary of the 2023 Request for Information (RFI) on Open-Source Software Security.” At last year’s DEF CON, U.S. government agencies announced the RFI, which led to 107 public submissions on what should be prioritized to enhance the security of the open-source software ecosystem. The proposals from respondents include the following:

  1. Increase the adoption of memory-safe programming languages and, using a tiered and prioritized approach, translate open-source software libraries into memory-safe programming languages.
  2. Fund the development of new open-source tools and libraries to help secure the open-source software ecosystem.
  3. Research the use of Artificial Intelligence (AI), including Large Language Models (LLMs) and Machine Learning (ML), to enhance and accelerate secure software development.
  4. Pursue public-private partnerships within open-source software development ecosystems.
  5. Share known vulnerabilities throughout the global software supply chain.
  6. Invest in educating new and existing developers to pursue secure open-source software projects and initiatives.
  7. Foster international collaboration with other governments, agencies, and organizations on open-source software policies and frameworks that work across borders.
  8. Leverage existing policies and frameworks to inform procurement requirements for open-source software projects and initiatives.

At this year’s DEF CON, the National Cyber Director announced the launch of the Open-Source Software Prevalence Initiative. “The initiative will assess the prevalence of open-source software in operational technology used by critical infrastructure owners and operators,” said Coker. “We know that open-source underlies our digital infrastructure, and it’s vital that, as a government, we contribute back to the community as part of our broader infrastructure efforts.” Additionally, the Department of Homeland Security will invest over $11 million in open-source software security, according to the director.

Latest research on doxing ― Jacob Larsen interviewed extorters

Security researcher Jacob Larsen is presenting his research on doxing on August 7 at Black Hat USA 2024. Photo by Dain Oh, The Readable
Jacob Larsen is answering questions from the audience at Black Hat USA 2024 on August 7. Photo by Dain Oh, The Readable

On August 7 at Black Hat USA 2024, security researcher Jacob Larsen presented his research on doxing. His session, titled “From Doxing to Doorstep: Exposing Privacy Intrusion Techniques Used by Hackers for Extortion,” was particularly insightful as it involved direct interviews with extorters. Alongside the presentation, Larsen published a report on his personal website, detailing the interviews with these threat actors, including the transcripts. Below are Larsen’s conclusions and recommendations based on his research:

  1. Doxing is no longer just a virtual threat; it has evolved into a tool used for real-world extortion.
  2. Limit the personal information you share and regularly search for yourself online.
  3. Avoid securing your accounts with SMS-based authentication.
  4. Blur your home on Google Maps and implement physical deterrents.

DEF CON 32 CTF winner ― MMM

Yoo Joon-sang, president of the Korea Information Technology Research Institute (KITRI), center, poses with participants of the DEF CON 32 CTF competition after the event concluded. Source: KITRI
Results of DEF CON 32 CTF. Source: KITRI

The Korea Information Technology Research Institute (KITRI) announced that the Maple Mallard Magistrates (MMM) team, composed of mentors and graduates from South Korea’s white hat hacker training program “Best of the Best” (BoB), ranked first in the DEF CON 32 Capture the Flag (CTF) competition. The MMM team has won the competition for three consecutive years since 2022. This year at DEF CON CTF, five teams affiliated with KITRI advanced to the final round.

Related article: Godfather of cybersecurity talent in South Korea: former politician who devoted his life to training white hat hackers READ MORE

Launch of DEF CON Franklin and DEF CON Academy

Jeff “The Dark Tangent” Moss is speaking at DEF CON 32 closing ceremony on August 11. Photo by Dain Oh, The Readable
DEF CON 32 closing ceremony, held at Las Vegas Convention Center on August 11. Photo by Dain Oh, The Readable

During the DEF CON 32 closing ceremony, DEF CON and Black Hat founder Jeff Moss, also known as “The Dark Tangent,” announced two new projects: DEF CON Franklin and DEF CON Academy. The Franklin project aims to “infuse research from the hacker community into national security and foreign policy debates” by publishing an annual “Hacker’s Almanack” focused on security issues related to critical infrastructure. In his welcoming statement in the DEF CON 32 program book, Moss explained that “A new ‘Franklin’ initiative is in Alpha testing this year, providing an experimental way to engage hackers and researchers in helping protect critical infrastructure.”

Another new initiative is DEF CON Academy, described as “a concerted effort to maximize hacker potential by providing open, clear, approachable, and inclusive practical resources for budding hackers.” Moss added, “We support the hacking community the best we can. We’ve expanded the number of DEF CON Communities and launched DC Nextgen, focused on helping younger hackers experience the joy of discovery. DEF CON Academy is something new we are trying this year to help provide guidance on your hacking journey at DEF CON.”
