“The fearful stayed home,” many say about the Wild West. Lawlessness was common. In old Western movies, heroes were distinguished by their white hats; the bad guys wore black hats. Today, use of the black hat term has morphed. The bad guys don’t necessarily carry guns or ride horses, but they do have other tools at their disposal that they use for ill effect. The term now refers to hackers — those who are adept at breaking into computer systems and networks with malicious intent, often looking to steal valuable information for their own personal gain or to cause other damage.
Black Hat conferences began in 1997 as computer security events offering highly technical briefings and training sessions for and by hackers, consultants and security professionals from the private and public sectors. There are now spinoff conferences around the world attended by thousands.
Black Hat Has Become Notorious
Black Hat conferences are notorious for the serious security limitations and vulnerabilities that they expose, from hacking enterprise security systems to smartphones, ATMs and even insulin pumps. But that is not where the notoriety ends; in reality, they are more like the Wild West than the normally tame, run-of-the-mill security conferences. Black Hat conferences highlight lax security practices by attendees, which hackers are keen to expose. They will try anything, including hacking Wi-Fi and other connections; breaking into devices, hotel rooms and ATMs and cracking credit cards. Those that are successfully hacked can be named and shamed on the “Wall of Sheep,” an electronic bulletin board on which the details of those who have been compromised are publicly displayed. Unless careful precautions are taken, no one is immune.
Take the Right Precautions
So how should attendees prepare themselves? The advice to stay at home will, of course, not sit well with many, but it really is the safest option. If you are bent on going, taking the right precautionary measures starts before you leave home is essential during the conference and continues after you get back.
Before you leave home, consider what you can afford to lose. If you must take any form of computer, take one that is stripped to the minimum; leave sensitive data elsewhere. If that is not possible, back everything up, install stringent security controls, encrypt sensitive data and make sure everything is patched. Go to your local ATM and get cash. Get as much as you could conceivably need, and then get a bit more. If previous conferences are anything to go by, the ATMs at the airport and the conference hotels will have been hacked and using credit cards at the event is probably asking for trouble.
At the conference, trust no one. If you must take devices with you, exercise extreme caution. Keep them with you at all times. Do not use free Wi-Fi connections — in fact, turn off Wi-Fi and Bluetooth on all devices. Stay away from the Internet altogether if you’re not using a VPN. Do not use public charging stations as these can, and probably will be, hacked. Leave anything with an electronic chip that can be intercepted locked in a hotel room safe, but remember that the supposedly secure hotel key cards have been hacked at previous conferences. And if you are given anything at the conference, such as a USB device, do not trust it — it is bound to be tainted. Convinced you should leave everything at home yet?
Don’t let down your guard when you get home again. Every device that you felt compelled to take with you needs attention. This is where having taken a stripped-down device comes in handy since this can now be wiped without fear of losing anything important — and wiping it clean really is the best option. If that’s not possible, then a full scan of the device should be performed. This may be something that will take many hours, but it is almost definitely worth it. If needed, devices can have clean disk images restored from backup security programs. Change the passwords on everything just to be sure. You didn’t take enough cash? Keep a careful eye on all bank accounts and statements in case you were targeted, and watch out for any emails or other messages related to the event — they may be trying to phish you.
Did I Forget to Mention Defcon?
Neither Black Hat nor Defcon are for the faint of heart. They are full of the modern gunslingers, albeit using more modern tools. Where once they were looking to steal your possessions and newly-found gold, sensitive data is the new gold and hackers want to get their hands on it. Be prepared and don’t let them. Trust no one, and don’t be the next publicly shamed sheep.
Senior Analyst, Bloor Research
Fran Howarth is an industry analyst and writer specialising in security. She has worked within the security technology sector for more than 25 years in an ad...