written by Chris Griesemer

Click here to read the previous DEFCON recap.

This year I was fortunate to once again attend DEFCON in Las Vegas. DEFCON is the largest hacking convention in the world. There were more than 16,000 attendees representing 20 different countries. Why do I attend DEFCON? This conference provides a key insight to determine what hackers are targeting.

The “Con” takes place on a Friday, Saturday and Sunday. There are 30 presentations you can attend each day along with daily contests and evening events to socialize with fellow DEFCON’ers. In previous years I have only attended the presentations. This year I decided to dive in a little deeper and witness some of the other activities first hand. It was definitely an eye-opening experience.

Presentations and Vendors
This conference is not unlike most conferences you attend. Along with four presentations per hour there is also an area full of vendors. These unique vendors offer products such as lock picks to hidden spy cameras; the kind of cameras that look like a credit card or one to fit on your key chain. There was also a hacker school you could attend called The Hacker Academy. (You can check them out at thehackeracademy.com)

The Wall of Sheep
The Wall of Sheep is a popular area where hackers steal usernames and passwords of attendees trying to login to the convention centers unsecured wireless network. If someone was just browsing the Internet, they were fine. The minute a “sheep” logs into any internet site, the hackers would grab that info out of the air, write down the username, the first three digits of their password, the web site they were trying to log in to and even the MAC address of the wireless card that person was using. The next thing you know, they are listed on the Wall of Sheep. It was amazing to see how easily these guys could get that information.

Capture the Flag
Another popular contest was Capture the Flag. This is a social engineering game in which contestants would have a list of items (flags) they tried to discover about a targeted company; items like whether or not their hard drives were encrypted, what operating system was being used, the name of the janitorial service, etc. I heard more than one contestant explain how easy it was to find information. Contestants would check pictures on company web sites, Facebook or Flickr for any kind of information which might give them an edge. Finding pictures of employees and their badge information was also valuable information for these social engineers.

Corporate Policies
After attending DEFCON you can’t help to walk away feeling a little more wary of the corporate policies and procedures in everyday business. A few questions to consider if you’re concerned about online security:

  • Using a company wireless notebook or iPad while on the road
  • The use of a public Wi-Fi spot in town
  • Logging on to secure sites via public Wi-Fi
  • Does your company have a Facebook page or website with pictures on it
  • Do any of the pictures provide information about your company
  • Does your company have any kind of social engineering training

We assist businesses and banks with these challenges. Please contact us if you have any questions about wireless security or social engineering.

written by Chris Griesemer, Partner