At a hacker conference no one is safe.
When I first went to Defcon in 1995, the halls were mobbed with teenagers and attendees seemed more concerned with freeing Kevin Mitnick and seeing strippers than hacking each other's computers.
Jump forward to Defcon 17 this year, which was held over the weekend in Las Vegas, and things certainly have changed. The attendees are older and wiser and employed, most of the feds aren't in stealth mode, and even the most savvy of hackers is justifiably paranoid.
The evolving demographic of Defcon attendees shows that the hacker community, like all of us, is aging. But it's also a reflection of how the threat landscape has changed. Web site defacements have given way to much more serious risks like financial fraud and unaddressed critical infrastructure weaknesses. It's a cornucopia of phishing e-mails, cross-site scripting attacks that poke holes in trusted Web sites, and criminals harvesting credit card numbers and selling them on the underground equivalent of eBay with guarantees of service and support.
Defcon and Black Hat, the pricier and more corporate sister confab held the two days preceding Defcon ($120 for Defcon registration versus $1,395 to $2,095 for phased registration at Black Hat), offer a forum for researchers to share information about vulnerabilities they find in software, hardware and systems.
Vendors and users weren't the only ones who needed to worry. Attendees had plenty to fear, and security experts themselves weren't spared.
On July 27, Web sites belonging to a handful of security researchers and groups were hacked and passwords, private e-mails, IM chats, and potentially sensitive documents were exposed on the vandalized site of security golden boy Dan Kaminsky. (Mitnick, whose jailing in the '90s for computer crimes made him a cause celebre at "Free Kevin" benefits at Defcon at the time, was among those attacked.)
There were more widespread threats at the shows, too. Anyone using the Wi-Fi networks at the events had better be careful lest they get their password sniffed and posted on the Wall of Sheep. Then there was the USB thumb drive that was passed around among attendees of Black Hat that was found to be infected with the Conficker virus.
Reporters who aren't nearly as geeky as the sources they interview are always easy prey. One reporter was concerned about being hacked via the local area network in the press room after a rare Blue Screen of Death crashed his laptop.
Last year, three French men were expelled for sniffing the press room LAN at Black Hat. They said they had obtained eWeek's and CNET's passwords but failed to prove the CNET allegation.
This year, three South Koreans registered as press were ejected for asking questions that led organizers to believe they were on an intelligence-gathering mission instead of merely reporting, according to the IDG News Service.
I had a panic of my own at Defcon this year. I was connected to the Internet using an EVDO wireless card and a virtual private network and was startled a short while later when a Web page opened up out of the blue and I noticed the VPN was disconnected. Granted, it looked like a legitimate page for my wireless carrier, but not wanting to take any chances, I immediately logged off.
(See "Defcon: What to leave at home and other do's and don'ts" for tips on how to best protect yourself.)
Unfortunately, I had neglected to disable the Wi-Fi on the laptop. Because Windows XP event logging is lacking, it's not clear whether someone may have spoofed the name of a wireless network the laptop is configured to automatically connect to. Time to call the help desk.
At least I didn't use any automatic teller machines at the hotel. Defcon organizers confirmed on Monday that a fake ATM was discovered in a lobby of the Riviera Hotel where the event was held, right near the hotel security office. The ruse was up after someone looked through the camera hole using a flashlight and saw a PC inside.
Meanwhile, Chris Paget, a security expert who works at Google, reported on Twitter that he lost $200 from a compromised ATM at the Rio Hotel over the weekend. There are multiple Diebold ATMs with the skimmers inside at the Rio casino, he tweeted, later adding: "Secret Service just called back. They're taking it seriously, reading between the lines it seem(s) like there's more going on here."
There is no evidence that the fake Riviera ATM was planted by anyone at Defcon, and in all likelihood the hacked Rio ATM was not associated with the hacker show.
However, a small group of Defcon attendees was seen hacking into an ATM at the Artisan hotel where a "Ninja" party was being held on Saturday night and it appeared they had the ATM in administrator mode and were trying to change settings, several sources said.
Heightening the paranoia at Defcon was the report from event organizers on Saturday that there was a confirmed Trojan on the CD the conference hands out to all attendees. The report turned out to be false.
Also arousing suspicion were the Defcon badges, which featured a built-in microphone, LED, digital signal processor, and custom circuit boards designed to be hacked as part of a contest. I prudently popped the battery out of my badge after discussing the microphone capability with another journalist. Some attendees chose not to wear the badges at all, even without the battery, tucking them in satchels and digging them out every time they needed to display them.
As it does every year, Defcon also had its share of stupid attendee tricks--one arrest reportedly for carrying a concealed weapon and another for bungee jumping off the hotel roof.
But those are par for the course when you mix booze and rebellious youth trying to out-impress each other. It was the other stuff--the hacking and viruses and sniffing--that made me and others at the show jumpy.
Security guru Bruce Schneier, however, brushed it off as the mere cost of doing business.
"This is the way hackers play," he said. "This is the experimental battlefield. It's not bad; it is just what it is. Defcon has an important place in computer security."
Updated 12:54 p.m. PDT with information on Defcon attendees trying to hack ATM, and at 11:00 a.m. with this: Apparently, some feds at Defcon got a scare of their own. As part of a security awareness project, researchers set up an RFID reader connected to a Web camera that sniffed data from RFID-enabled cards in bags and pockets as people walked by and snapped a photo of the person in possession of the card, Kim Zetter at Wired.com reports. At risk of exposure was information on government access cards and badges agents tend to carry, as well as data stored on RFID-enabled cards that accompanied badges for Black Hat. After federal agents speaking at a panel were informed of the project, the data collected was destroyed.