Light Dark
August 19, 2015 By Martin McKeay 3 min read
Intelligence & Analytics

The first week of August marks an annual pilgrimage of security professionals to Las Vegas for the Black Hat, DEF CON and BSides conferences. I’ve personally been making the annual trek for over a decade. It’s a set of events I simultaneously look forward to and dread more than any other week of the year.

I look forward to being in Vegas because of the crowd of security minds that gather to talk, share ideas and catch up on the goings-on of the previous year. And I dread it because a week in Las Vegas listening to talks, being social and interviewing people is one of the most exhausting experiences of my life. Here are some of the most interesting talks and conversations I experienced.

Hot Topics at Black Hat and BSides

I attended all three Las Vegas events: Black Hat, DEF CON and BSides. If you’re not familiar with BSides, it’s a type of counter-counter-counterculture event that’s put on purely thanks to the efforts of volunteers, and it’s free as long as passes last. It kicks off the week and features dozens of interesting speakers (including yours truly, on a panel about stress in the security industry).

One of the most important tracks at the conference was organized by a group called I Am The Cavalry and concentrated on the challenges posed by the Internet of Things (IoT). This track had many interesting talks, but my favorite was “Hack the Future,” given by Keren Elazari. While she mentioned many of the threats posed by the IoT, her main point was that the security and hacking communities can actually shape the future of the IoT by getting involved in creating the protections that this new wave of technologies will need.

Another important talk at BSides was given by Jen Ellis, called “Barely Legal: The Hacker’s Guide to Cybersecurity Legislation.” There’s a long history of the legislature like the Digital Millennium Copyright Act (DMCA) and Computer Fraud and Abuse Act (CFAA) being used to stop research and to intervene with presentations at events, and then there’s potential changes to the Wassenaar Arrangement that are currently being discussed. Now that computer security has become part of the international conversation and something the public has become full aware of, legislators worldwide are paying more attention to the laws about security. This talk was an effort to educate security professionals about legislature we can’t afford to ignore and must make an effort to influence.

While not a track, one of the discussions I had many times at Black Hat was about the U.S. Office of Personnel Management (OPM) hack. The OPM attack from earlier this year has caught the public’s attention, leaks from the White House suggest that some sort of retaliation is brewing and public opinion seems to support targeting the supposed perpetrator. Most of the security professionals I talked to expressed the opinion that this is a bad idea, primarily because attribution is always a dicey proposition in the best of situations.

The Future of the Internet

Along the same lines as BSides, Black Hat hosted a number of talks on legislature and the future of the Internet. Jennifer Granick, director of civil liberties at the Stanford Center for Internet and Society, gave a keynote called “The Lifecycle of a Revolution.” She talked about the dying dreams of a free and open Internet. With cries from lawmakers and law enforcement agencies around the globe to weaken encryption and tighten the reins of control on traffic flowing through the digital pipes, Jennifer’s talk is especially timely and pointed.

In contrast, Leonard Bailey from the U.S. Department of Justice (DoJ) gave a talk called “Take a Hacker to Work Day,” explaining how the DoJ uses the CFAA to prosecute only a small number of cases each year rather than the hundreds that might be imagined by researchers and security professionals. My personal opinion is that while only a relative handful might actually get prosecuted each year, the threat of such prosecution is often enough to stop research from happening or talks from being given.

A Curious Absence

A perfect example of my last point was the ProxyHam talk, which was canceled under mysterious circumstances. A talk on a project supporting privacy using ham radio equipment to hide the physical location of the user was pulled a month before DEF CON. Except this action didn’t actually stop the talk from happening: Robert Graham and Dave Maynor from Errata Security created an equivalent device, HamSammich, on their own. This follows in a long tradition at DEF CON of making talks happen, no matter how uncomfortable some organizations might be with them.

Looking back at the week, it’s easy to see that legislature and legal concerns consumed a lot of my attention. While these are not subjects that every security professional really wants to be looking at, as our lawmakers and the public become more aware of what goes on in the world of security, they are subjects we need to pay attention to. The fact that there were so many talks about the legal landscape is an indication that our industry is growing up and getting the attention we’ve asked for. Now we just need to make sure we make the best of that attention.

 |  |  |  |  | 
Martin McKeay
Security Advocate

More from Intelligence & Analytics
February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

December 19, 2023

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

December 14, 2023

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature