From July 27th to July 30th, I was at Defcon 25. Here are my top 8 takeaways.
1. Resistance is futile: The evolution of bots has reached Borg-level complexity
Most people know bots are useful for automated tasks like answering pre-sales questions on a business website or, as we saw in the last election, amplifying a political message on social media forums or chat platforms. Bots have evolved from a crude tool of automation to a sentient being that sometimes may pass the Turing test. However, malicious attackers have a different agenda for bots, and their ongoing evolution has opened a Pandora's box.
We are approaching 4th-gen bots. Bots are now used in browser-based exploits and in the automation of social media accounts.
Researcher Inbar Raz, in his presentation Do Tinder Bots Dream of Electric Toys?, breaks down the different generations of bots.
Before, users asked this question: Is the person I'm talking to online really a person, or a bot?
Now users also need to ask: Was that Facebook message really sent by my friend, or was her account compromised? And is that message simply a hidden exploit? Is h0tGirl2385 really a person on Tinder, or just another bot?¹
Inbar Raz talks about new dating-app software-as-a-service plans that use bots to auto-generate user profiles. This is truly a sad day for humanity — or at least for lonely bachelors/bachelorettes.
The question is getting harder to answer. Sure, the bots eliciting your reaction will surely fail the Turing test, but that might not be the goal any longer. Just getting you to click that email or Facebook message in a pop-up window is enough to trick you into becoming a host that distributes a new network of attacks — all without your authorization.²
Raz's example is the automation of dating profiles. However, if you extrapolate this, all social media platforms with user accounts are fair game. The lessons here can be replicated in more sinister applications, such as news media accounts — WaPo, NYT, YouTube — and have huge implications for messaging and for shaping political platforms, particularly with state-funded server farms serving bots as a tool of disinformation for the masses.⁴
2. All 30 voting machines were p0wned
This was the first year the Voting Machine Village was open at Defcon 25. Within 2 minutes, a researcher found a network vulnerability and gained remote access to the WINVote machine.³ To be fair, the task was known beforehand to be on the lower end of the technical spectrum. I mean, for gawd's sake, these machines run Windows XP!
The point really was to get the Feds and the public to take voting machine security more seriously. I honestly think it was just for PR, but the Voting Machine Village is in its infancy; wait for the next couple of years. "U.S. voter registration database hacked" are words we do not ever want to read in the news. The task of hacking a centralized server is much more difficult, since these voting machines are not connected to a network; the data are physically transferred.
You've got to admit, listening to Rick Astley's "Never Gonna Give You Up" on the WINVote was a great throwback-Friday song.