Considering how much we love talking about cybersecurity in events, you'd think we're all hackers. And our lovely hosts may sometimes wish life was a Mr. Robot episode. But fortunately for our industry, they prefer lending their skills to events. Which is why the Event Tech Podcast brings you all the best news from the world of technology! And today's episode is a must, even for those of us who aren't necessarily into the universe of hacking.
Safety and security are topics we've tackled many times. But they're also extremely hot, especially in the digital age. Black Hat and DEF CON are two of the biggest hacking conferences in the world. So of course, there was quite a bit to learn where cybersecurity is concerned. Will Curran and Brandt Krueger wanted to make sure you didn't miss a single detail, whether or not you had the chance to attend. Get your black hoodie and unsuspicious sunglasses of choice, because it's time for the latest news on cybersecurity in events!
Cybersecurity In Events: Tell Me More!
For those of you who are wondering, Brandt breaks down the details on these two conferences. "Well, it's actually hacker summer camp", he says. "So Black Hat and DEF CON happen to be back-to-back security-focused conferences, both taking place in Las Vegas. And they've actually added a third one to the mix called BSides, and the idea is this kind of splintered off I think a couple of years ago and it's kind of all the stuff that people didn't feel fit anymore in Black Hat or DEF CON. So you've got actually three simultaneous, or roughly simultaneous, conferences all going on at the same time regarding digital security, hacking".
What's With All The Hats?
"The white hat hackers are usually the ones that are the security researchers, they're the ones that are trying to break into things to test things, penetration testing, all of those kinds of things", Brandt further explains. "And then the black hats are the ones that are actually being malicious actors". So there's that, just in case you were ever confused with the hat terminology!
In regards to the conferences, Will finds all the information particularly exciting. "I think it's kind of amazing, all of the stuff that comes out of it jampacked in such a short period of time", he says. "Finding out that there are all these exposed issues. And what's really interesting, too, is that similar to I think any conference, they also present findings that they've probably been collecting over the last year. About major apps, major things".
The Internet Of Things
Don't worry, we've got you covered on the specifics. As for the Internet of Things, "it's any of these now multiple, multiple, multiple connected devices that we're putting in our homes", explains Brandt. "We're just finding more connected devices, that's where this whole Internet of Things comes from, that all of these devices are in some way or another connected to the internet. In addition to our phones and our computers and our laptops, we're having all of these other devices connect".
The Danger Looming Over The IoT
"We're seeing a lot of these other devices being very much so hackable. So they're not putting a whole lot of thought into these light bulbs and temperature sensors and thermostats and all of the security cameras that people are getting that are being pushed out now. Not only by major manufacturers. But as minor manufacturers try and get in the game to push these products out at a significantly reduced price, they're not paying a whole lot of attention to security", adds Brandt.
"So, there's a lot of interesting and easy hacks on a lot of these Internet of Things devices that a lot of thought hasn't been put into how do we keep these things secure", he continues. "So that's kind of the 10,000-foot level of what's happening. And it's going to get worse as we put more and more and more and more of these things in our houses and offices".
IoT & Cybersecurity In Events
This might sound a bit scary, but it's not the Big Brother just yet. And when it comes down to connecting this danger to cybersecurity in events, Will lays it all down. "That's obviously a vector to attack similarly to the way we've talked about it in our cybersecurity", he says. "It's that the events industry isn't necessarily the direct attack. No one's going to, 'Oh, we're going to take down the events industry.' It's all going to come in sideways to get to something else".
Brandt agrees and adds some important information. "So, it's going to be a continuing trend that we just need to keep an eye on what we're bringing into our homes and offices, and really go into it intentionally. And don't just buy the cheapest smart bulb, right? Make sure it's coming from a reputable manufacturer that's going to stand by the product", he says. "Just have some intentionality to it, be sure that you're getting your devices from reputable manufacturers".
Will also points out that many of these Internet of Things devices are no longer exclusive to our homes. In fact, they've already made their way into the event industry. "So really, really important to know that this isn't just limited to just your home. And that's going to come to the events industry more and more as well".
Beware Of The USB Cables
USB cables are, in fact, data cables. "So even though you're just using it for charging, it is capable of data", Brandt explains. "So if you go plugging your phone into a random, 'Charge your phone here,' station using the USB port, it's definitely been shown that they've been able to plant malicious programs on there. Spyware, copy your contacts lists off your phone, all of those kinds of things". Make sure you start paying attention to the little letters when agreeing to the terms of service!
At DEF CON, there was a story about a man who worked "for quite some time creating very official-looking Apple charging cables, so they look exactly like the ordinary charging cables, but he managed to actually make it so that there is an exploit in the cable", recalls Brandt. "So, not only now do you have to make sure that you're not just jacking into any old USB port, now you need to make sure that you're not borrowing some stranger's iPhone cable. Because it's the cable itself that actually hacks your phone and steals your data". Maybe life is an episode of Mr. Robot after all…
USB Cables & Cybersecurity In Events
Guess where else you can find stations to charge your phone? You guessed it – events! "And then just think about a convention center", says Brandt. "Where we've got a large event going on, who's going to notice if you just roll in with a charging table. So you just look like another vendor dropping something off. No one's going to stop you, no one's going to pay any attention to it. So I think we need to start keeping track of those kinds of things. It's like, 'Where did that come from? Who ordered that?'.
"Because I think that's what would happen. The venue would assume that the event brought it in, the event would assume that the venue added it, and meanwhile it's nobody's. And so meanwhile, a hacker just has to sit within wifi distance. It's probably not a very powerful chip, but still. Especially down a long hall of a convention center, you've just got to sit there and then watch the data roll in", he adds. Will completely agrees that this is a serious risk for cybersecurity in events. "For an event, it's such a high-profile target", he says. "Because you're getting so much volume, they're coming in so good. People are plugging in super-duper quick. And you're going to be able to get a lot of people's data very, very quickly".
Amazon's Storage
In addition to being the one place in the world where you can probably find everything, Amazon has other tricks up their sleeves. "It's actually the web servers that pretty much run 75% of the internet out there. And they also have in addition to Amazon Web Services, which runs live websites, they also provide a lot of high-volume storage solutions", explains Will. "And this one's called the Elastic Block Storage snapshots. What that does is allows Amazon basically to store something at a very, very cheap rate. For pennies per gigabyte to store your data that you might not ever really touch very often but you want to have it backed up somewhere".
"Well, some research just presented at DEF CON reveals basically that Amazon is inadvertently leaking their own files from the cloud", he continues. "And there are some exposed sections of storage, that are packed with data. If you don't configure it properly could be set to public. So I think the important thing to know about this is that maybe you want to consider what solution you're using to store all your data and all these things like that online. Always making sure that you check all the settings of everything when you're setting it up. Because a lot of times, these things are defaulted for ease and simplicity", concludes Will.
Keep Your Data Safe
Brandt adds some insights into the issue of keeping data safe in the digital world. "But these are basically virtual hard drives. So they've got data even if you 'write over them', that data is still there. And that's true of current regular hard drives as well. That's why you kind of need to shred them, you need to wipe, wipe, wipe that data. But these virtual volumes it looks like are being left kind of unshredded. And your people are figuring out how to poke around in them and find data that has been either reformatted or deleted. It's kind of what I'm pulling out of this, both very bad".
It sounds scary, but don't worry. Hackers work at the speed of light. And if there's one thing these conferences do well, it's providing solutions for problems like these!
White Hat Mentality
"I think another takeaway too for this is that when it comes to these conferences, there are people kind of poking at it and trying different things. Again, that white hacker kind of mentality", says Will. "You should have kind of a white hacker mentality or have someone do it for your events as well. Not only from the cybersecurity in events standpoint, right? Someone who can kind of poke and try and evaluate. But also that's how you should think about your own events when you're planning them as well. How can we poke at and test and try new and different things that might be a vulnerability? So then that way we can fix it. And it's the only way you'll know unless someone just decides to do the black hat side of things, which is what we want to avoid".
War Shipping
You can put down the pitchforks, it's not what it looks like! "Just so people understand the name, it's not just made up craziness, there's a couple of things going on there", explains Brandt. "One is wardriving, which was the terminology that was used when people would just drive around looking for open wifi networks. Or just driving around looking for unsecured wifi networks. And then later as more people secured their networks, you would just literally park on the street. And then spend all day trying to hack into that network, collecting just enough data to eventually try and figure out what the encryption was. So, that's wardriving".
"So, that's where this idea of war shipping comes from", he continues. "What they set out to do and succeeded in doing was, 'Okay, how can we use mailing packages to basically hack a corporate network?'. And so what they put together using pretty much off-the-shelf components was a little device. They could pack it into an ordinary shipping package, make it look like it's coming from Amazon or something like that. And that little device would have a very low power mode that would just power up enough to send a GPS signal back to the command and control servers. And so that way the bad guys, the 'bad guys', would know where that device is, and then they would know when it arrived at its destination".
Is There A Solution?
The entire thing sounds pretty scary, especially considering what it means for businesses. As Brandt says, "this is another one of those things where it's devilish. And you know if these guys can figure it out, anybody can figure it out that's got any kind of hacking smarts or state sponsorship. So it brings, much like the cables and things like that, another whole new level to having to protect your data".
Will agrees and, thinking of a solution, adds: "I almost see this potentially creating a mailroom intermediary service. Where, for example, instead of mail getting directly delivered to the building it gets sent somewhere else. And then almost like a TSA check, checks through all your packages, scans it, all these things, they've got to look for devices that are on and all that sort of stuff".
Away From Cybersecurity In Events, But Relevant
Straying a bit further from our industry but towards something of societal importance, Brandt mentions a voter village aspect. "They actually purchase real live actual voting machines that are being used in the United States. And then give people an opportunity to hack on them. And it's one of those things that I think we need to be aware of as citizens of this country and other countries to make sure that we're having fair elections", he says.
"It's great to have the technology, it's great to have the ability to tabulate things quickly, but these machines suck", continues Brandt. "They're absolutely terrible. Last year they were able to hack one using only a USB keyboard, and they were able to do that in less than a minute. I believe this is something we need to be much more aware of. And so I strongly encourage folks to talk to their members of Congress. Because there's been legislation that's been passed that puts in some pretty common-sense stuff for taking care of our elections and making sure that cities and counties and states have the money that they need in order to secure these things. And it being blocked by certain people in the congress for whatever reasons".
Category Is… Awareness!
"I think it's really, really important that awareness is a huge part of everything that we're doing", says Will. "The important thing is awareness in general of this sort of stuff because the last thing you want to do is be caught off guard because that's where you get taken advantage of 100%". Pay attention, protect yourself, and for the love of god, use different passwords.
One Last Thing
Brandt leaves us with an extra piece of knowledge. "If you're working with associations or you work for an association, planning their annual conference or even their in-between meetings and events. Just be aware that that, as we predicted, was going to start picking up the targeting of associations, as well as city and state governments", he says. "So, the commonality between these things, between associations and cities and other government entities, is that they have a tendency to post their structure publicly. All of these local organizations and major associations across the country and across the world have a tendency to do that".
"If you deal at all with your schools, with your city government, with your local government, your state government, or are working for an association where this information is publicly available. You really need to start paying attention and getting the word out amongst your people that you are a target", he adds.
Cybersecurity In Events: Conclusions
It's time to say goodbye to today's episode of Event Tech Podcast. Cybersecurity in events is major. And as Brandt puts it, "the important thing is to make sure that cybersecurity is all of our responsibilities. It's not just being taken care of by the white hats and by folks with the glasses down the hall. We need to make sure that we're all doing our part to make sure that we're keeping ourselves, our organizations and our attendees' data as safe as possible". Tune in next week for even more tech wisdom!