Whether it be a convention for musicians, scrapbookers, or food chefs, most of us have at some point attended a large-scale event that brings people together around a common hobby or professional affiliation. DEF CON is such an event … for hackers. Well, not quite.
DEF CON—while considered the world’s largest hacker convention—attracts everyone from students and employees in the IT sector to government workers, gamers, cybersecurity professionals, journalists, and simply curious newcomers, all in all some 30,000 individuals from around the globe. The four-day convention features seminars by a variety of speakers, has something for every enthusiast, and is well-loved for its difficult but enticingly clever challenges, contests, and competitions. Lockpicking, tamper challenges, robotics-related contests, scavenger hunts, and Capture the Flag (CTF), these are what constitute fun at DEF CON.
Now, you can imagine that the motivations of DEF CON’s fan base vary much more widely than at other conventions. And because most everyone is working on some kind of “puzzle,” the wireless network can be aptly described as hostile—exactly the kind of environment ElevatedPrompt is interested in.
So, for DEF CON 26, which took place August 8–12, 2018, ElevatedPrompt in partnership with Aries Security captured close to 1 terabyte of Internet-bound traffic over several days. Then, after performing a preliminary analysis, we asked Chrissa Constantine to analyze the packet capture using DET3CT, our custom-built Kibana-based dashboard.
Chrissa got to work unassumingly but quite curious as to what she might find in the data. “At first my biggest challenge,” she says, “was to not get overwhelmed by such a vast quantity of data. There is no experience like seeing DEF CON traffic, where so many participants are on one network.”
Furthermore, traffic at DEF CON can already “look” like malicious traffic because of the contests and competitions, so Chrissa had to evaluate each finding against DEF CON-sanctioned activity. Using DET3CT and only legal, free, publicly available tools, she looked for potential live attacks against outside hosts not affiliated with the conference: in other words, malware indicators, hits against government agencies, and data dumps.
And methodically extract meaning from this gargantuan mass she did.
“My investigative research began when I saw an unusual domain in the HTTP traffic in DET3CT, where a small number of IP addresses from the 10 NET at the conference were using DirBuster on August 11, 2018, to attack what appeared to be an external host.” Her suspicion grew when she discovered that the domain’s country code is among those most commonly abused for malicious cyberactivity.
After some more sleuth work, Chrissa learned that these internal IP addresses were specifically and directly trying to access a mysterious Microsoft Excel file in an equally mysterious directory named “SpaceY_Dump.” Chrissa explains that while most of the attempts to access this Excel spreadsheet from an external host had failed, she identified the one IP address at the convention that did manage to download it—“which meant I had access to the file by reviewing the PCAP,” says Chrissa. And that one was the needle in the haystack.
From there on, one clue leading to another amounted to months of detailed analysis and over 50 pages of findings documented by Chrissa that include, intriguingly enough, a user on Twitter having tweeted about a “Space Y Dump” just days before DEF CON 26! In short, this spreadsheet, named employees.xlsx, “had 468 entries and contained job titles, names, email addresses, phone numbers, locations, and employment status,” Chrissa explains. But what’s so significant about this spreadsheet? Well, to put it mildly, it points to a real data breach against a prominent, high-ranking aerospace company.
To find out more about this saga unfolding in real time and to obtain all the technical details, follow Chrissa Constantine’s blog and formal report at https://bit.ly/2VKIDZF.