Tuesday, August 16, 2005

DefCon 13 & Black Hat 2005 Wrap-Up Coverage

The DefCon 13 & BlackHat 2005 conventions have been over for about 2 weeks now and I keep putting off writing up a good post for them, but today I'm finally going to do it because it's well deserved. It's time for me to talk about what exactly went down there in Las Vegas that last week in July and give some highlights. In short, Black Hat left us with a huge scandal that not only rocked the tech world, but also gained the attention of the government and required an FBI investigation. Not to be outdone when it came to excitement, DefCon turned out to be one of the best in the last 5 years, with wi-fi records being broken and feds in attendance looking to hire hackers!

When A "Good Guy" Turns On You
The first "hacker convention" to hit Vegas was BlackHat. One of the primary reasons companies send their computer security experts to the annual Black Hat security conference is to learn about new security vulnerabilities that bad guys could use to disrupt the Internet communications most of us rely upon to send e-mail and browse the web. The most popular speakers at the gathering typically are security researchers who have discovered new flaws in the hardware and software designed to ensure that the webpage you request is the same one that is served and that your e-mail gets routed to its destination without incident. Now what if one of these "good guys" actually turned on you and your company?

It happened this year at BlackHat when top security expert Michael Lynn publicly announced his resignation from Internet Security Systems. At the same time, Lynn used the opportunity on stage to expose a serious vulnerability in Cisco routers, despite efforts by the router manufacturer and his former employer to block the presentation. In the aftermath, Lynn reached a legal settlement with Cisco and ISS in which he agreed to erase his research material on the vulnerability, to keep the details of the attack secret and to refrain from distributing copies of his presentation, among other concessions. Now facing an FBI investigation and sudden celebrity status in the tech world, Lynn continues to discuss the events surrounding the scandal. Gutsy/morally correct or dumb/self-incriminating? People will have mixed opinions.

I Can Shoot It Farther Than You
The next "hacker convention" in line was DefCon 13. When it comes to media exposure, DefCon is by far the more popular of the two conventions. The main reason is the mix of people it attracts. Unlike the BlackHat crowd, DefCon attendees don't fit the "stuffy suit" image. It is a more laid-back and casual atmosphere. A variety of events are held each year at DefCon, and this year we saw the return of favorites like wardriving, lock picking, the Spot the Fed contest and of course the infamous "Wall Of Sheep". If you have never been to DefCon or haven't heard of these things, let me briefly explain.

If you recall a post I did back on 06/21/05, Bluetooth Snarfing Sniper Rifle, then you're already familiar with wi-fi shooting and wi-fi ranges. Well, this year at DefCon a new "wi-fi shooting world record" as well as a new "wi-fi range world record" were set! Los Angeles-based team "Flexilis" set the world record for transmitting data to and from a passive radio frequency identification (RFID) card, covering a distance of more than 69 feet. What that means is that using a device like the one Flexilis built, someone could conceivably sit out in the parking lot and peer inside the shopping bag of a customer leaving a store, or use the RFID tags to keep tabs on that person's movements. Using slightly different methods, attackers could send signals that effectively jam or manipulate a store's RFID readers, tricking the devices into reading a $99 item as a 99 cent item, for example. The other wi-fi range record was pulled off by some teens from Cincinnati, who broke the world record they set last year by building a device capable of maintaining an unamplified, 11-megabit 802.11b wireless Internet connection over a distance of 125 miles (the network actually spanned from Utah into Nevada)!

Drunk Geeks Tap-In
Also this year at DefCon, "The KegBot Project" made an appearance. One of the coolest projects seen so far at any of the DefCon conventions was the Linux-based KegBot, which dispensed beer as long as you had an iButton key. The system keeps track of who you are, how much you're drinking and where you rank among the other beer chuggers. The KegBot crew built and deployed the entire project on site at DefCon - truly a first of its kind.

Only The Best Will Be Asked To Apply
As always, a good game of "Spot The Fed" was played at DefCon. "Spot The Fed" is exactly what it sounds like - hackers try to spot federal agents who are in attendance, but undercover. If you successfully spot a true fed, you are usually awarded a free t-shirt. It's not really about getting the free swag, though; it's more about being able to pick the right face out of the crowd and unveil his true identity to the rest of the group...plus it is just kind of fun and funny.

I should also note that it might not always be the "hacker" trying to locate the "fed". Sometimes it's the fed trying to locate the hacker, and why, you ask? Well, to give him a job! That's right, a lot of federal agents and other government officials seek out the more talented hackers in hopes of persuading them to accept a job offer. If you think about it, it only makes sense. The best way to secure anything is by seeking the expertise of a skilled hacker who is able to break it in the first place. Let him find your flaws and weaknesses and point them out BEFORE it's too late and you are left with a huge gaping security hole and a host of other problems. After all, how do you think yours truly gets half of his clients? Basically, it's not always true that if you want a job, you have to go and find it. In this line of work, sometimes the job really does come to find you.

The Weak Will Not Survive
Lastly, if you aren't smart and careful enough, attending DefCon can be a rude awakening. Some unlucky, or should I say unsmart, "hackers" will find themselves up on "The Wall Of Sheep" - similar to a wall of shame. This is a list that is constantly being updated and displayed for all attendees to see who among them is "hackable". Those who leave their systems unprotected, send their passwords in the clear and use unencrypted wi-fi will see their names, along with all the personal information that other hackers obtained, spread across a huge screen at DefCon. It's where your hacker bragging rights get thrown out the window if you find yourself added to the list. Now if I didn't provide enough coverage on the events for you, check out MAKE Magazine's extensive, in-depth DefCon report full of photos, articles and links. Overall, Black Hat and DefCon were a great opportunity to meet and talk with some of the brightest minds in information and computer security. As usual, expect both conventions to return next year to Sin City. Also expect there to be even more scandals, record breaking and pasty geeks galore in years to come.