Why This Is the Best Week of the Year for Hackers — and the Scariest for Everyone Else

When it comes to computer security, things have been getting a little freaky lately. Fiat Chrysler just announced a recall of 1.4 million cars because of security flaws. Millions are at risk of having an attacker take over their Android phones because they received the wrong text message. A computer-controlled sniper rifle — yes, these things exist — can be made to misfire by someone whose fingers are nowhere near the trigger.

It can only mean one thing: Las Vegas is about to be taken over by some of the world’s craftiest hackers, in town for the wildest and most terrifying security conference of the year.

What the &#@$! is going on?

This week, as the Southern Nevada sun turns sidewalks into a furnace hot enough to melt lead, thousands of hackers, security pros, and recruiters from three-letter government agencies will descend upon Las Vegas to attend the Black Hat, DEF CON, and B-Sides LV security conferences. Think of it as Burning Geek.


(Image: Yahoo Sports)

Here’s where the rock stars of information security share their knowledge about new types of attacks, technologies that are ripe for exploiting, and new ways to find these vulnerabilities before the bad guys do.

What are they doing there?

The goal of the conferences is to educate those responsible for defending our technological infrastructure, which helps everyone build better defenses against whatever cyberattack might come next. As a side effect, the news that comes out of this conference may scare the crap out of the rest of us, as well it should.

If it seems like there have been a lot of headline-making news stories about cybercriminals and online crime lately, this is why. Hackers are trying to raise awareness of the exploits they’ve found (increasing their street cred and advancing their careers as security consultants), while organizations scramble to patch the holes before the bad guys can take advantage of them.


A GIF image of a live cyberattacks map, courtesy of Norse Security.

Why are there three conferences?

Black Hat is the most buttoned-down of the three, with serious topics and major security firms in attendance. DEF CON is Black Hat’s far less corporate predecessor; the conference follows immediately afterward at a different hotel, with many of the same speakers but in a much more freewheeling environment.

There’s a third, unaffiliated conference happening at the same time called B-Sides, which is for presentations that were rejected by both Black Hat and DEF CON (but are pretty good nonetheless).

Why should I care about a bunch of geeks gathering in the desert?

You shouldn’t — unless you happen to own a phone, a computer, or a sniper rifle. Or your house draws its power from the electrical grid. Or you fill up your car at a gas pump. Or you withdraw money from an ATM. These days, pretty much everything is run by computers, which means pretty much everything is vulnerable to attack.

While a fair share of the announcements will cover esoteric topics of interest only to other security analysts, several of the planned talks will affect a wide swath of the general public.

Chrysler’s recall of Jeep vehicles, issued last month, was the direct result of the work of two researchers who will reveal how they were able to take full control of a car over the Internet using the onboard communications system.

Google has already fixed a bug in its Android operating system, called Stagefright, that another researcher will talk about at the conference. The bug can be triggered by sending a vulnerable phone a specially crafted “multimedia message,” which allows remote attackers to gain complete control over the phone and the data stored on it.

The bug affects millions of mobile phone users, most of whom are still waiting for their carriers to push the updates out to them. (In the meantime, users of Android phones can protect themselves by turning off the automatic download and delivery of MMS messages.)

Other topics that could have far-reaching consequences include talks about weaknesses in the systems that manage gas pumps and other kinds of industrial control systems; understanding the communications and behavior of malicious programs; and even how to hack a sniper rifle’s prototype computer-controlled targeting system.

What should we expect in the coming week?

The news should begin trickling out from Vegas on Tuesday, but the main event starts Wednesday, when the Black Hat briefings begin. Wednesday and Thursday will see furious activity as reporters struggle to cover everything that could be relevant to their audiences.


(Image: Zimperium/CNET)

Aside from car hacking and Android bugs, other talks will feature discussions of security vulnerabilities in online banking and “contactless” key-fob payment systems, as well as research about hacking digital broadcast services and the so-called “honeypots” that serve as an early-warning system for cyberattacks.

We should also learn more about the Hacking Team, which was itself hacked earlier this year, revealing an enormous range of previously unknown security exploits. The consequences of the Hacking Team breach have already led to important software updates being released by Adobe and other software companies.

As it is every year, it’s going to be a rough week for IT professionals and systems administrators.

What can I do to protect myself?

Over the next few days, expect to see a higher-than-average number of updates to software you use in your professional or personal life. Don’t take these update notifications lightly — it’s quite likely that, as soon as a new vulnerability in a particular program or online service is announced, bad guys will be out there trying to exploit it. Update early and often.

How should I prepare if I’m planning to attend?

Batten down the hatches. The Black Hat conference area is a target-rich environment with spies and hackers everywhere. While the rules sternly warn against hacking fellow attendees, you can pretty much guarantee there will be shenanigans.

The most important thing to do is bring as little tech gear as possible. Not only will you reduce your “attack surface” by not carrying around an array of digital gear, but you’ll present a less attractive target for ordinary thieves.


Vikings (not real ones) protecting the Norse Security booth at Black Hat 2014 (Yahoo News).

Physical security is just as important as protecting your data. If you’re bringing a laptop, never leave it anywhere. If you’re worried about having your phone’s network connection intercepted — a not-unrealistic expectation — put it into airplane mode before you arrive at the conference and leave it that way.

Install any available security updates for your phone and/or computer before leaving for Las Vegas. Not only will this be safer, but you won’t be stuck with the expensive in-room Internet fees the hotels in Las Vegas seem to relish billing to their customers.

And if you plan to attend DEF CON after Black Hat, be sure to leave the penny loafers and khaki shorts in your hotel room.

What else will be happening that week?

About a gazillion parties. Beyond that, though, we can’t tell you. It’s Vegas, baby.

Andrew Brandt spends his day learning how computers infected with nasty malware behave and communicate as the director of Threat Research for Blue Coat.