Las Vegas is about to transform into Hackertown, USA. This week, thousands of hackers from across the country and around the world will assemble in Las Vegas for a series of hacker conferences, including the most anticipated and hottest (literally and figuratively) conference of the year, Black Hat USA 2011. The conference organizers are anticipating this to be the biggest Black Hat in history with over 20 researchers breaking new vulnerabilities and 33 new tools to be released.
While Black Hat will take center stage this week, two other solid hacking conferences will be taking place: Security B-Sides and Defcon.
Security B-Sides: A community-driven series of free events built for and by information security community members. Dubbed “the hacker un-conference,” this year’s B-Sides Las Vegas event will include three tracks, 42 talks and over 50 presenters, as well as full-day infosec training sessions that will be free to all B-Sides attendees. The only problem is that the event has been sold out for a few weeks. The event is taking place at The Artisan Hotel August 3-4. More Info Here.
Defcon: Started in 1992 by Black Hat founder Jeff Moss, aka Dark Tangent, DEFCON is considered the world's longest running and largest underground hacking conference. This year’s event will take place August 4th-7th at the Rio Hotel. More info is available here.
Black Hat 2011, Las Vegas
But for those attending Black Hat, here’s a preview of what to expect, what not to miss, and a few security tips to keep in mind while you enjoy your time in Las Vegas. Taking place at Caesars Palace on Wednesday and Thursday, August 3rd and 4th, Black Hat is, as Matt Hines describes it, "an annual confab in the desert where creeps in black T-shirts covered in ink and piercings show up for a week and ruin everyone’s Camp Vegas experience by looking incomprehensibly pale and unapologetically geeky.” Don't let the piercings and tattoos fool you: this conference offers some of the most interesting content you'll come across. Content that actually has substance, and won't put you to sleep.
Unlike many other conferences that are bogged down with sponsored keynotes from executives that most often leave you with nothing learned, the presentations at Black Hat are from people who likely won’t show up under the “Management” section of a corporate web site, but who are in the trenches, getting their hands dirty, and who are closest to the heart of the technology of security.
What’s Hot? (Besides Las Vegas itself)
With this year’s conference featuring seven briefing tracks and two workshop tracks dedicated to practical application and demonstration of tools, it makes sense to go through the list and attend those that are most relevant to your business or interests. That being said, a few topics that are creating the most buzz as the show approaches include:
Weapons of Targeted Attack: Modern Document Exploit Techniques - Sung-ting Tsai + Ming-chieh Pan
Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System
Battery Firmware Hacking - Charlie Miller
Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal - Fran Brown + Rob Ragan
Black Ops of TCP/IP 2011 - Dan Kaminsky
Hacking Google Chrome OS - Matt Johansen + Kyle Osborn
Exploiting Siemens Simatic S7 PLCs - Dillon Beresford
Vulnerabilities of Wireless Water Meter Networks - John McNabb
While these are creating some buzz, it’s almost unfair to highlight some, as most of these talks will be extremely interesting. Like I said, scan through the schedule and find what interests you most. Just because one talk is creating some buzz leading up to the show, that doesn’t mean it’s the best one for you. Look around, you’re sure to find some topics of interest!
With three hacking conferences taking place in Las Vegas this week, let’s just say there will be plenty of “curious” individuals floating around the various conference locations and surrounding hotels. Here are a few things to consider this week while you’re enjoying your time in Las Vegas:
Wireless – Probably the biggest threat to worry about. It’s incredibly easy for even the least talented “hackers” to set up rogue access points and sniff your entire stream of network traffic. Once you connect to a rogue wireless network, your entire network connection is basically owned. Be cautious when connecting to wireless networks. If you must use wireless, use the official wireless gateway provided by conference organizers and use a VPN if at all possible. If you have the option, use a 3G or 4G cellular wireless card for Internet access; it’s the safest wireless option, though still not always 100% secure. Also, if your smartphone has WiFi, it’s a good idea to disable that feature.
ATMs – Be cautious when using ATMs around town this week, especially ones close to the venue. Hackers can install card skimmers or, as they did back in 2009, deliver a completely fake ATM to the hotel that hosted Defcon. Think about getting some cash before you arrive in Las Vegas, or be smart and have a close look at where you’re sliding your card and entering your PIN.
RFID – If you carry any RFID-enabled badges in your bag, such as your work badge, passport (some countries) or even some credit cards, it’s best to leave them at home or in your hotel room. It’s probable that RFID readers will be floating around.
USB Drives – Vendors may not like this tip, as they are typically the ones giving out USB drives at events. I always stay away from them, and it’s not a bad idea to do the same. If you find a USB drive or are given one, be especially cautious. Even a vendor without malicious intentions could be handing out infected USB drives.
Other Tips That Can Help Keep You Secure at Black Hat:
- Anti-Virus & Patching: Keep your AV and software up to date with the latest virus definitions and patches
- Disable Bluetooth
- Delete Cookies and Clear Your Web Browser History
- Encrypt Sensitive Files on your HD if possible
- Be Smart!
For those of you who have attended Black Hat before, you know there is no shortage of parties, most sponsored by the vendors that you all so often complain about. Despite the fact that many say Black Hat isn’t what it used to be and has become more commercialized, compared to other conferences like RSA it still holds its own and ensures the content is what people are looking for and not splattered with sponsored CEO keynotes. But don’t forget, all those free drinks come from somewhere, so don’t complain too much when you see a few vendor signs around. It’s part of the deal! I’m not going to outline a list of all the parties, but as you can imagine, vendors have some of the hottest night clubs rented out for private parties, with most already in waiting list mode. Ask around and you certainly won’t have a hard time finding a place to have a few cocktails.
One thing caught my eye that goes along well with the party element: Pick Up Lines.
Rob Rachwald at Imperva posted a list of the “Top Ten Black Hat Pick Up Lines” in a blog post yesterday. For geek jokes, these are actually pretty funny, and too good not to include here.
Top Ten Black Hat Pick Up Lines (From Rob Rachwald at Imperva)
10. Don't worry, I won't deny any service.
9. You make my buffer overflow.
8. My format string is the longest you've ever seen.
7. Let me put the fire in your firewall.
6. I’d really like to poison your cookie.
5. I'll decrypt yours if you decrypt mine.
4. I want to be the man in your browser.
3. Relax, my anti-virus is up to date.
2. You look like you need a SQL injection.
1. You should see the data in my breeches.
Enjoy your time in Las Vegas. For those at Black Hat on Twitter, use the hash tag #BlackHat. For the latest news, photos, and coverage from Black Hat, be sure to follow @SecurityWeek on Twitter, or better yet, subscribe to the SecurityWeek Briefing.