Five things to watch for at ‘hacker summer camp’

Five things to watch for at ‘hacker summer camp’
© Getty Images

The largest cybersecurity event of the year kicks off this week, as the Black Hat, Def Con and BSides conferences launch back-to-back-to-back in Las Vegas.

Here are five things the political world should watch for during an event known as “hacker summer camp.”

How will the political climate affect recruitment?

Black Hat and Def Con have long been recruiting grounds for federal agencies looking for young, savvy cybersecurity talent.

ADVERTISEMENT
But distrust between the cybersecurity community and the government is nearing an all-time high under President Trump.

The animosity between people interested in security and the federal government is nothing new; the encryption debate recently drove a wedge between law enforcement agencies and security pros.

But the Trump administration is presenting new roadblocks.

Recent comments made by Trump have left some instability at the top of the Department of Justice food chain.

The president’s criticism of the intelligence community and his reluctance to accept intelligence on Russia’s involvement in the presidential election also leave doubts for many in how appreciated cybersecurity expertise would be.

How easy is it to hack a voting machine?

In a subversive move, attendees at Def Con will be able to attend its first Voting Machine Village.

The Village offers a side conference on voting machine insecurity and a playground of real voting machines for hackers to toy with.

Given that the Def Con villages are traditionally meant to be instructive on how to breach security of an item, not whether or not an item can be breached, the goal appears to be to spread the word that voting machines have a number of known vulnerabilities among a group of influencers in the cybersecurity realm.

Though there is no evidence that machines have ever been breached in the past, and the decentralized nature of elections makes hacking a national election improbable, local elections, including those in 2018, may be easier to target. A number of local and national efforts, both legislative and citizen-driven, have moved for greater voting machine security.

Can hackers affect markets?

Researchers at MedSec and the short-selling investment firm Muddy Waters used vulnerabilities they discovered in St. Jude medical equipment last year to bet against the firm, which produces cardiac implants.

For years, the protocol for security researchers has been to notify a manufacturer of any cybersecurity flaws in its products. When Muddy Waters sought to profit from it instead last year, it triggered controversy.

It’s unclear what might happen if more researchers go the selling-short route. Would it encourage a greater investment in security testing of new products, or a greater distrust between researchers and companies?

MedSec researcher Justine Bone will present her case on Thursday, during Black Hat.

Anonymity service Tor gets an upgrade

Tor, an anonymity service used both to protect activists under oppressive governments and criminals selling weapons on the dark net, will announce an overhauled new version during Def Con.

Tor currently boosts security by anonymizing web traffic and by creating hard-to-trace websites on a hidden version of the web.

Roger Dingledine, president and co-founder of the Tor Project, identified flaws he says the new version will correct in the summary of his Def Con talk.

He said mistakes in the original version are being exploited by “fear-mongering ‘threat intelligence’ companies” to sell information to companies with information about potential hackers or other dangers. The same mistakes could be used by governments to thwart activists gathering online.

The future of the cyber arsenal

The WannaCry ransomware was built using hacking techniques believed to have been stolen from the National Security Agency.

WannaCry, malware that rendered files on 300,000 computers unusable until users paid a ransom, serves as a chilling reminder of what could happen if government-created exploits escape into the wild. Hospitals had to turn away patients and businesses had to shut down for days.

Three talks at Black Hat will approach the issue of how government-held cyber tools might escape into the public.

Matt Suiche, founder of Comae Technologies and the foremost expert on the group who claims to have stolen the exploits used in WannaCry, will present on the so-called ShadowBrokers.

But theft is not the only way government-owned vulnerabilities can escape federal control. Two sets of researchers who investigated how often multiple researchers discover the same security flaws will present their work.

Understanding how likely it would be for a vulnerability to be rediscovered or stolen affects how safe it is to stockpile them for intelligence reasons. Many believe that the most secure policy would be for the government to alert manufacturers to all vulnerabilities to allow them to be fixed, rather than hold them for use in intelligence operations.