August 4, 2009 4:00 AM PDT

Hanging with hackers can make you paranoid

by Elinor Mills

At a hacker conference no one is safe.

When I first went to Defcon in 1995, the halls were mobbed with teenagers and attendees seemed more concerned with freeing Kevin Mitnick and seeing strippers than hacking each other's computers.

Jump forward to Defcon 17 this year, which was held over the weekend in Las Vegas, and things certainly have changed. The attendees are older and wiser and employed, most of the feds aren't in stealth mode, and even the most savvy of hackers is justifiably paranoid.

The Riviera Hotel room key customized for Defcon attendees. What else does it do?

(Credit: James Martin/CNET News)

"Welcome to the hacker world," said Defcon founder Jeff Moss.

The evolving demographic of Defcon attendees shows that the hacker community, like all of us, is aging. But it's also a reflection of how the threat landscape has changed. Web site defacements have given way to much more serious risks like financial fraud and unaddressed critical infrastructure weaknesses. It's a cornucopia of phishing e-mails, cross-site scripting attacks that poke holes in trusted Web sites, and criminals harvesting credit card numbers and selling them on the underground equivalent of eBay with guarantees of service and support.

Defcon and Black Hat, the pricier and more corporate sister confab held the two days preceding Defcon ($120 for Defcon registration versus $1,395 to $2,095 for phased registration at Black Hat), offer a forum for researchers to share information about vulnerabilities they find in software, hardware and systems.

Targeted this year were everything from the iPhone and surveillance video feeds to e-parking meters and security underlying the Domain Name System.

Vendors and users weren't the only ones who needed to worry. Attendees had plenty to fear and security experts themselves weren't spared.

On July 27, Web sites belonging to a handful of security researchers and groups were hacked and passwords, private e-mails, IM chats, and potentially sensitive documents were exposed on the vandalized site of security golden boy Dan Kaminsky. (Mitnick, whose jailing in the '90s for computer crimes made him a cause celebre at "Free Kevin" benefits at Defcon at the time, was among those attacked.)

There were more widespread threats at the shows, too. Anyone using the Wi-Fi networks at the events had better be careful lest they get their password sniffed and posted on the Wall of Sheep. Then there was the USB thumb drive that was passed around among attendees of Black Hat that was found to be infected with the Conficker virus.

Reporters who aren't nearly as geeky as the sources they interview are always easy prey. One reporter was concerned about being hacked via the local area network in the press room after a rare Blue Screen of Death crashed his laptop.

Last year, three French men were expelled for sniffing the press room LAN at Black Hat. They said they had obtained eWeek's and CNET's passwords but failed to prove the CNET allegation.

This year, three South Koreans registered as press were ejected for asking questions that led organizers to believe they were on an intelligence-gathering mission instead of merely reporting, according to the IDG News Service.

I had a panic of my own at Defcon this year. I was connected to the Internet using an EVDO wireless card and a virtual private network and was startled a short while later when a Web page opened up out of the blue and I noticed the VPN was disconnected. Granted it looked like a legitimate page for my wireless carrier, but not wanting to take any chances I immediately logged off.

(See "Defcon: What to leave at home and other do's and don'ts" for tips on how to best protect yourself.)

Unfortunately, I had neglected to disable the Wi-Fi on the laptop. Because Windows XP event logging is lacking, it's not clear whether someone may have spoofed the name of a wireless network the laptop is configured to automatically connect to. Time to call the help desk.

At least I didn't use any automatic teller machines at the hotel. Defcon organizers confirmed on Monday that a fake ATM was discovered in a lobby of the Riviera Hotel where the event was held, right near the hotel security office. The ruse was up after someone looked through the camera hole using a flashlight and saw a PC inside.

Meanwhile, Chris Paget, a security expert who works at Google, reported on Twitter that he lost $200 from a compromised ATM at the Rio Hotel over the weekend. There are multiple Diebold ATMs with the skimmers inside at the Rio casino, he tweeted, later adding: "Secret Service just called back. They're taking it seriously, reading between the lines it seem(s) like there's more going on here."

There is no evidence that the fake Riviera ATM was planted by anyone at Defcon, and in all likelihood the hacked Rio ATM was not associated with the hacker show.

However, a small group of Defcon attendees was seen hacking into an ATM at the Artisan hotel where a "Ninja" party was being held on Saturday night and it appeared they had the ATM in administrator mode and were trying to change settings, several sources said.

Heightening the paranoia at Defcon was the report from event organizers on Saturday that there was a confirmed Trojan on the CD the conference hands out to all attendees. The report turned out to be false.

Also arousing suspicion were the Defcon badges, which featured a built-in microphone, LED, digital signal processor, and custom circuit boards designed to be hacked as part of a contest. I prudently popped the battery out of my badge after discussing the microphone capability with another journalist. Some attendees chose not to wear the badges at all, even without the battery, tucking them in satchels and digging them out every time they needed to display them.

As it does every year, Defcon also had its share of stupid attendee tricks--one arrest reportedly for carrying a concealed weapon and another for bungee jumping off the hotel roof.

But those are par for the course when you mix booze and rebellious youth trying to out-impress each other. It was the other stuff--the hacking and viruses and sniffing--that made me and others at the show jumpy.

Security guru Bruce Schneier, however, brushed it off as the mere cost of doing business.

"This is the way hackers play," he said. "This is the experimental battlefield. It's not bad; it is just what it is. Defcon has an important place in computer security."

Updated 12:54 p.m. PDT with information on Defcon attendees trying to hack ATM, and at 11:00 a.m. with this: Apparently, some feds at Defcon got a scare of their own. As part of a security awareness project, researchers set up an RFID reader connected to a Web camera that sniffed data from RFID-enabled cards in bags and pockets as people walked by and snapped a photo of the person in possession of the card, Kim Zetter at Wired.com reports. At risk of exposure was information on government access cards and badges agents tend to carry, as well as data stored on RFID-enabled cards that accompanied badges for Black Hat. After federal agents speaking at a panel were informed of the project, the data collected was destroyed.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
(19 Comments)
by Michichael August 4, 2009 9:26 AM PDT
Good - I'm glad the Secret Service got involved with the fake ATM thing. Few know that counterfeiting is the realm of the Secret Service.
by TechSlap August 4, 2009 9:29 AM PDT
That would be quite an event to be at. I just can't believe that there was such a high registration fee. It seems like registration would be free. Sure, it would suck that someone finds a hole or exploit in your product, but it'd be nice to know it's there so you can fix it before someone else finds out and doesn't tell you.
by disco-legend-zeke August 4, 2009 9:40 AM PDT
Most hotel cash machine/ticket redemption machines ARE a PC apparently running Windows. I happened to see one displaying a system message saying it could not start FOXPRO. It is not unusual to see the blue screen of death and other Windowsy-looking displays.

What is suspicious is that it was located outside the view of surveillance cameras. No hotel would have a cash vendor that was not watched by at least one recorded camera.
by sharmajunior August 4, 2009 11:02 AM PDT
I think I also recall seeing the blue screen from a projector projecting patterns at the Olympics at Beijing.
by ikramerica--2008 August 4, 2009 12:04 PM PDT
yep. bsod at olympics.
by n3td3v August 4, 2009 10:04 AM PDT
It should be free to get in, it should be funded by the government or something to pay the costs.

Information should be free, there should be no barriers if people want to learn, especially young people. Nobody benefits from the conference with it having an entrance fee apart from Defcon Communications, Inc and The Riviera Hotel.

Defcon is money centric, gone should be the days of money making, gone should be the days of people only going there to shake hands on money deals. It shouldn't be hosted at a casino either, that's sending out the wrong message altogether.

Defcon and security conferences are losing sight and focus on what they're supposed to be doing, making money isn't supposed to be one of them. It's about gathering people together so they can information share and learn.

Jeff Moss should talk to his DHS advisory board about getting funding, to attract more people to come to Defcon, be non-profit be free be funded by the government.

You'll soon reap the rewards far greater in the long run being free from money.
by pentest August 4, 2009 10:12 AM PDT
The information is free. You can download it on the defcon and blackhat websites.

What is not free is renting hotel space and hiring caterers.
by securitah August 4, 2009 10:42 AM PDT
You are an idiot. The cost is minimal (120 bucks), it covers the hotel space, the insurance, security, pay for the goons and speakers. Free is not an option, don't be pissed because you can't afford to come to it. Pay your money just like everyone else that is there and enjoy the content and networking.
by ikramerica--2008 August 4, 2009 12:08 PM PDT
Well, not sure about the money part, but GLORIFYING the hackers certainly isn't in the best interest of the world. A look at all the photos from these events shows a lot of self-satisfied, smug people who claim to have "warned" the companies but still, for publicity and fame, reveal the exploits before many of the fixes can be finished, and make PoCs and step-by-step details available to any two-bit, not smart enough to figure it out on his/her own hacker to exploit in the time between the revelation and the fix.
by securitah August 4, 2009 12:18 PM PDT
It's not about glorifying anything. It's about the sharing of information. As for the smug looks and stuff like that, well, that's the community. It's just the way it is. It isn't going to change. If you don't like it, don't go to it. The people there don't care either way.
by teh_chrizzle August 6, 2009 10:10 AM PDT
have you ever been to a hacker con? almost all of them lose money. a lot of folks (toorcon, notacon, phreaknic, shmoocon) who run other cons run events/sell merchandise at defcon to raise money to run their respective cons.

defcon is one of the few cons that actually make money, which is good because turning a profit means it will continue to be there year after year. also, defcon is a venue for a number of other community events that are possible thanks to the large defcon crowd, like b-sides, neighborcon, queercon, sushicon, hackerpimps, you name it.

H.O.P.E. is way more expensive and its existence is always in question thanks to poor management.

if you don't like the cost, then go to phreaknic. it's like $25 to get in there, it's way more laid back than defcon and it has some of the best swag evar.

if you can't get to nashville, there are other smaller, cons that don't cost as much and have many of the same people. you can catch bruce potter at notacon and phreaknic as well as defcon, along with many of the southern and mid-western crews that make up the bulk of attendees at defcon.

if you join a local crew like your city's defcon or 2600 group, they might help you get in and share costs. i help my crew with their activities and we share admission and room costs. defcon is freaking expensive, even if you get a break on entrance and lodging, so be prepared to drop cash while in vegas.

also, if you absolutely have to go to defcon and cannot afford the entrance fee and cannot find a crew to join, then volunteer as a goon or give a talk. speakers and entertainers get in free, and i think there are staff rooms for the goons.

if you don't want to contribute anything at all then stay away, the hacker community doesn't need you.
by chlimouj August 6, 2009 2:04 PM PDT
Wow. You really lack critical thinking skills.
by cosuna August 4, 2009 10:51 AM PDT
Gibbons would be proud... Neuromancer realm is well and kicking.
by ScratchCratchRatchAtch August 20, 2009 11:34 AM PDT
I didn't know lower primates liked sci-fi, even if Gibson is one of the best.
by SenorFrog August 4, 2009 7:17 PM PDT
Defcon's definitely on my bucket list.
by cnetcommentator August 5, 2009 6:06 AM PDT
Chris Paget works for ebay maybe, but definitely not Google.
by aazippo1 August 5, 2009 7:23 AM PDT
Defcon totally ROCKED this year. Absolutely amazing!

RT
www.anon-web-tools.net.tc
by teh_chrizzle August 6, 2009 10:15 AM PDT
the defcon wireless isn't that bad. just tunnel your traffic either via SSH or VPN and you'll be fine.

seeing dreamhost and facebook logins on the wall of sheep should be a wake up call to those service providers to stop using clear text logins.
by chlimouj August 6, 2009 2:06 PM PDT
I smell a pretty good MITM attack...