Archive for the ‘Conference Coverage’ category

Notes from DefCon18 in Las Vegas – hackers, education, and the “Race to the Top”

July 30, 2010

The major theme coming out of the world’s largest hacker conference this year sounds quite benign, considering DefCon’s reputation as a venue for barely legal activity. But many of Friday’s sessions echoed a call for education, lest the world’s most prosperous nation sink under a powerful tide of cybercrime that threatens both our prosperity and our national security.

The Reasonable Reporter has long compared the average American to a little old lady walking down a crowded city street with her purse hanging open.  Most people – even very smart individuals – don’t know and can’t fathom the ways in which they are vulnerable to cybercrime. Consciousness is dawning slowly, as the spotlight has shone on spamming, phishing, and privacy issues related to Facebook. The task of educating consumers has largely belonged to the media.

Business is an even juicier target, having  a higher concentration of cash than individuals, and larger stores of valuable data. (Information assets, in the parlance of the security community.) So who will educate business?  Other businesses, of course, and their experts are present in droves at DefCon.

The highlight today was a contest in which 10 large corporations were targeted for social engineering attacks via telephone.  “Social engineering” is a techie term for a good old-fashioned non-technical scam.  It means one guy induces another guy to give up something valuable before the second guy realizes he’s being hustled.

Each contestant was assigned a company to call. Some posed as potential customers seeking product information, and others as workers from a distant office of the same company, calling to perform an internal audit, or to check the progress of some corporate project. The name of the game was to get employees on the other end of the phone to give up information about the operation of the company.

And it worked, in nearly every case. Employees of target companies coughed up explicit IT specifications that would give a cyberattacker significantly higher odds of success.

This contest was controversial, and had even come to the attention of the FBI when it was announced earlier this year. Large tech companies freaked out when they got wind of it. Some contestants dropped out at the last minute, having been threatened by their employers – mostly tech companies – that they’d be fired if they participated.

The point of the exercise, though, was to educate. The contest sponsors are in the business of security training, and much more will be written about it in the coming days.

The most insidious cyberattacks are network intrusions, and there is a shortage of Americans qualified for the network security arena. Federal agencies send recruiters to DefCon, hoping to grab up young tech talent to work in cybercrime investigation and in national security.  The Air Force has hundreds of openings, and today put on the record its willingness to consider “everyone” at DefCon, including those who “may have stepped over the line” in the past.  You need to have attended DefCon once or twice to grasp the chilling implications of this hiring policy by a branch of the U.S. military.

The talent shortage has prompted a call for education in the classic sense. A DHS official today told an audience that a national science education effort is needed like the one launched under JFK after Sputnik.  A push for math and information technology is needed, and DHS is taking the helm, even reaching down to the high school level. More will be written shortly about this, as well.

Meanwhile, states have been competing for “Race to the Top” money, in the form of federal grants to education.  And little has been revealed about the criteria for success in this quest.  But here in Nevada, where the world’s largest hacker conference is held, we did not win.

The Silver State’s major industry is so tied to technology that it spawned a publicly-traded gaming technology company called IGT.  Microsoft, Intuit, Cisco all have operations in Nevada. Def Con and Black Hat Briefings are both annual events in Las Vegas. Reno is a four-hour drive from Silicon Valley. Maybe Nevada’s real-world Race to the Top could be won with a focus on information sciences, for which there is a concrete and growing demand.