My DEF CON 32 brain dump (will be revised):
Day 1: August 9th
Lockbit Doxxing – John Dimaggio
- Read the “Ransomware Diaries” story.
- Explore the security researcher’s relationship with Lockbitsupp.
- Watch Trafficked by National Geographic.
AI Ocean 11
- AI Models can be fooled by creative hacks, such as using unusual earrings or jewelry to bypass facial recognition systems.
Day 2: August 10th
Social Engineering Village: AI vs. Humans Competition
Observations
- AI responses were generally better due to the quality of humans answering the calls.
- AI voices are becoming more responsive, with ~600ms response time compared to human conversation’s 300ms.
- As AI technology advances, response time will improve, and AI-driven social engineering will become harder to detect.
AI Tools Used
- AI voice platforms (e.g., ElevenLabs, PlayHT).
- Transcription services.
- Call center software integrated with LLM/voice models.
- Large Language Models (LLMs) like GPT-4 and Claude 3.5.
Scary Potential
- AI can place thousands of simultaneous voice calls.
- Option for “emotion detection” was available but not used, as it could behave unpredictably.
- AI-driven attacks could surpass the current limitations of accent detection, making scams more convincing.
Discussion Points
- Determining if a caller is AI can be challenging, but current latency and interruption response times can be clues.
- AI’s ability to mimic human speech, including fillers like “like” or “um,” makes detection harder.
- Potential uses for AI in malicious activities, like fake kidnappings or bullying, could cause victims to feel ashamed of being duped.
Mitigations
- Use codewords with family members (store them securely, like in a password manager).
- Ask the caller something only they would know.
- Hang up and call back using a known number.
- Record calls and implement anti-vishing systems to detect and block suspicious calls.
- Decline unknown calls and verify the number before calling back.
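One way to turn the latency and interruption clues from the discussion points into a check an anti-vishing system could run over diarized call timestamps. This is an added example, not code from the talk or the original notes: the 300 ms and 600 ms figures come from the observations above, while the cut-offs, the `turn_metrics` and `score_call` names, and the sample call are assumptions constructed for illustration.

```python
from statistics import median

# Figures from the notes: ~600 ms for AI voice agents, ~300 ms for human conversation.
AI_LATENCY_MS, HUMAN_LATENCY_MS = 600, 300
# Assumed cut-offs (not from the talk); tune them on your own call recordings.
LATENCY_CUTOFF_MS = (AI_LATENCY_MS + HUMAN_LATENCY_MS) / 2
OVERRUN_CUTOFF_MS = 500
MIN_TURNS = 3  # assumed minimum number of caller responses before scoring latency


def turn_metrics(segments, caller="caller"):
    """Return (response_latencies, interruption_overruns) in ms for `caller`.

    segments: (speaker, start_ms, end_ms) tuples sorted by start_ms, e.g. from
    a diarizing transcription step.
    """
    latencies, overruns = [], []
    for (p_spk, _, p_end), (c_spk, c_start, _) in zip(segments, segments[1:]):
        if p_spk == c_spk:
            continue
        if c_spk == caller and c_start >= p_end:
            # Caller replies after the other party stopped: response latency.
            latencies.append(c_start - p_end)
        elif p_spk == caller and c_start < p_end:
            # Other party cut in mid-sentence: how long the caller kept talking.
            overruns.append(p_end - c_start)
    return latencies, overruns


def score_call(segments, caller="caller"):
    """Summarise one call and list which timing clues fired."""
    latencies, overruns = turn_metrics(segments, caller)
    med_lat = median(latencies) if latencies else None
    med_over = median(overruns) if overruns else None
    flags = []
    if len(latencies) >= MIN_TURNS and med_lat >= LATENCY_CUTOFF_MS:
        flags.append("slow_turn_taking")
    if overruns and med_over >= OVERRUN_CUTOFF_MS:
        flags.append("slow_interruption_response")
    return {"median_latency_ms": med_lat, "median_overrun_ms": med_over, "flags": flags}


# Constructed sample call (not real data): front desk "staff" and an inbound "caller".
SAMPLE_CALL = [
    ("staff", 0, 2000), ("caller", 2620, 6000), ("staff", 6000, 7500),
    ("caller", 8080, 12000), ("staff", 11200, 12500), ("caller", 13150, 15000),
]

if __name__ == "__main__":
    print(score_call(SAMPLE_CALL))
```

Because response times are expected to improve, a timing flag like this is one signal to combine with the call-back and codeword checks above, not a verdict on its own.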
Technical Considerations
- Prompt injection attacks are possible but were mitigated during the competition.
- Defense strategies should include layered approaches involving people, processes, and technology.
- Some front desk employees deflected suspicious calls to managers, showing effective process defense.
- OSINT (Open Source Intelligence) tools like ChatGPT can be useful.
Confused Pilot Scenario
- Modified documents caused a co-pilot to receive incorrect information, which prevented it from linking documents correctly or made it block answers over confidentiality concerns.
USPS Scams
- A speaker hacked into a scammer’s infrastructure, accessing their Telegram, web server, web interface, and a limited victim database, and uncovered that the criminal was Chinese.
To be continued…