Considering how much we love talking about cybersecurity in events, you’d think we’re all hackers. And our lovely hosts may sometimes wish life was a Mr. Robot episode. But fortunately for our industry, they prefer lending their skills to events. Which is why the Event Tech Podcast brings you all the best news from the world of technology! And today’s episode is a must, even for those of us who aren’t necessarily into the universe of hacking.
Safety and security are topics we’ve tackled many times. But they’re also extremely hot, especially in the digital age. Black Hat and DEF CON are two of the biggest hacking conferences in the world. So of course, there was quite a bit to learn where cybersecurity is concerned. Will Curran and Brandt Krueger wanted to make sure you didn’t miss a single detail, whether or not you had the chance to attend. Get your black hoodie and unsuspicious sunglasses of choice, because it’s time for the latest news on cybersecurity in events!
Click here for the full audio transcription.
Cybersecurity In Events: Tell Me More!
For those of you who are wondering, Brandt breaks down the details on these two conferences. “Well, it’s actually hacker summer camp”, he says. “So Black Hat and DEF CON happen to be back-to-back security-focused conferences, both taking place in Las Vegas. And they’ve actually added a third one to the mix called BSides, and the idea is this kind of splintered off I think a couple of years ago and it’s kind of all the stuff that people didn’t feel fit anymore in Black Hat or DEF CON. So you’ve got actually three simultaneous, or roughly simultaneous, conferences all going on at the same time regarding digital security, hacking”.
What’s With All The Hats?
“The white hat hackers are usually the ones that are the security researchers, they’re the ones that are trying to break into things to test things, penetration testing, all of those kinds of things”, Brandt further explains. “And then the black hats are the ones that are actually being malicious actors”. So there’s that just in case you were ever confused with the hat terminology!
In regards to the conferences, Will finds all the information particularly exciting. “I think it’s kind of amazing, all of the stuff that comes out of it jampacked in such a short period of time”, he says. “Finding out that there are all these exposed issues. And what’s really interesting, too, is that similar to I think any conference, they also present findings that they’ve probably been collecting over the last year. About major apps, major things”.
The Internet Of Things
Don’t worry, we’ve got you covered on the specifics. The Internet of Things “it’s any of these now multiple, multiple, multiple connected devices that we’re putting in our homes”, explains Brandt. “We’re just finding more connected devices, that’s where this whole Internet of Things comes from, that all of these devices are in some way or another connected to the internet. In addition to our phones and our computers and our laptops, we’re having all of these other devices connect”.
The Danger Looming Over The IoT
“We’re seeing a lot of these other devices being very much so hackable. So they’re not putting a whole lot of thought into these light bulbs and temperature sensors and thermostats and all of the security cameras that people are getting that are being pushed out now. Not only by major manufacturers. But as minor manufacturers try and get in the game to push these products out at a significantly reduced price, they’re not paying a whole lot of attention to security”, adds Brandt.
“So, there’s a lot of interesting and easy hacks on a lot of these Internet of Things devices that a lot of thought hasn’t been put into how do we keep these things secure”, he continues. “So that’s kind of the 10,000-foot level of what’s happening. And it’s going to get worse as we put more and more and more and more of these things in our houses and offices”.
IoT & Cybersecurity In Events
This might sound a bit scary, but it’s not the Big Brother just yet. And when it comes down to connecting this danger to cybersecurity in events, Will lays it all down. “That’s obviously a vector to attack similarly to the way we’ve talked about it in our cybersecurity”, he says. “It’s that the events industry isn’t necessarily the direct attack. No one’s going to, “Oh, we’re going to take down the events industry.” It’s all going to come in sideways to get to something else”.
Brandt agrees and adds some important information. “So, it’s going to be a continuing trend that we just need to keep an eye on what we’re bringing into our homes and offices, and really go into it intentionally. And don’t just buy the cheapest smart bulb, right? Make sure it’s coming from a reputable manufacturer that’s going to stand by the product”, he says. “Just have some intentionality to it, be sure that you’re getting your devices from reputable manufacturers”.
Will also alerts to the fact that many of these Internet of Things are no longer exclusive to our homes. In fact, they’ve already made their way into the event industry. “So really, really important to know that this isn’t just limited to just your home. And that’s going to come to the events industry more and more as well”.
Beware Of The USB Cables
USB cables are, in fact, data cables. “So even though you’re just using it for charging, it is capable of data”, Brandt explains. “So if you go plugging your phone into a random, “Charge your phone here,” station using the USB port, it’s definitely been shown that they’ve been able to plant malicious programs on there. Spyware, copy your contacts lists off your phone, all of those kinds of things”. Make sure you start paying attention to the little letters when agreeing to the terms of service!
At DEF CON, a story about a man who worked “for quite some time creating very official-looking Apple charging cables, so they look exactly like the ordinary charging cables, but he managed to actually make it so that there is an exploit in the cable”, recalls Brandt. “So, not only now do you have to make sure that you’re not just jacking into any old USB port, now you need to make sure that you’re not borrowing some stranger’s iPhone cable. Because it’s the cable itself that actually hacks your phone and steals your data”. Maybe life is an episode of Mr. Robot after all…
USB Cables & Cybersecurity In Events
Guess where else you can find stations to charge your phone? You guessed it – events! “And then just think about a convention center”, says Brandt. “Where we’ve got a large event going on, who’s going to notice if you just roll in with a charging table. So you just look like another vendor dropping something off. No one’s going to stop you, no one’s going to pay any attention to it. So I think we need to start keeping track of those kinds of things. It’s like, “Where did that come from? Who ordered that?”.
“Because I think that’s what would happen. The venue would assume that the event brought it in, the event would assume that the venue added it, and meanwhile it’s nobody’s. And so meanwhile, a hacker just has to sit within wifi distance. It’s probably not a very powerful chip, but still. Especially down a long hall of a convention center, you’ve just got to sit there and then watch the data roll in”, he adds. Will completely agrees that this is a serious risk for cybersecurity in events. “For an event, it’s such a high-profile target”, he says. “Because you’re getting so much volume, they’re coming in so good. People are plugging in super-duper quick. And you’re going to be able to get a lot of people’s data very, very quickly”.
In addition to being the one place in the world where you can probably find everything, Amazon has other tricks up their sleeves. “It’s actually the web servers that pretty much run 75% of the internet out there. And they also have in addition to Amazon Web Services, which runs live websites, they also provide a lot of high-volume storage solutions”, explains Will. “And this one’s called the Elastic Block Storage snapshots. What that does is allows Amazon basically to store something at a very, very cheap rate. For pennies per gigabyte to store your data that you might not ever really touch very often but you want to have it backed up somewhere”.
“Well, some research just presented at DEF CON reveals basically that Amazon is inadvertently leaking their own files from the cloud”, he continues. “And there are some exposed sections of storage, that are packed with data. If you don’t configure it properly could be set to public. Sso I think the important thing to know about this is that maybe you want to consider what solution you’re using to store all your data and all these things like that online. Always making sure that you check all the settings of everything when you’re setting it up. Because a lot of times, these things are defaulted for ease and simplicity”, concludes Will.
Keep Your Data Safe
Brandt adds some insights into the issue of keeping data safe in the digital world. “But these are basically virtual hard drives. So they’ve got data even if you “write over them”, that data is still there. And that’s true of current regular hard drives as well. That’s why you kind of need to shred them, you need to wipe, wipe, wipe that data. But these virtual volumes it looks like are being left kind of unshredded. And your people are figuring out how to poke around in them and find data that has been either reformatted or deleted. It’s kind of what I’m pulling out of this, both very bad”.
It sounds scary, but don’t worry. Hackers work at the speed of light. And if there’s one thing these conferences do well, is providing solutions for problems like these!
White Hat Mentality
“I think another takeaway too for this is that when it comes to these conferences, there are people kind of poking at it and trying different things. Again, that white hacker kind of mentality”, says Will. “You should have kind of a white hacker mentality or have someone do it for your events as well. Not only from the cybersecurity in events standpoint, right? Someone who can kind of poke and try and evaluate. But also that’s how you should think about your own events when you’re planning them as well. How can we poke at and test and try new and different things that might be a vulnerability? So then that way we can fix it. And it’s the only way you’ll know unless someone just decides to do the black hate side of things, which is what we want to avoid”.
You can put down the pitchforks, it’s not what looks like! “Just so people understand the name, it’s not just made up craziness, there’s a couple of things going on there”, explains Brandt. “One is wardriving, which was the terminology that was used when people would just drive around looking for open wifi networks. Or just driving around looking for unsecured wifi networks. And then later as more people secured their networks, you would just literally park on the street. And then spend all day trying to hack into that network, collecting just enough data to eventually try and figure out what the encryption was. So, that’s wardriving”.
“So, that’s where this idea of war shipping comes from”, he continues. “What they set out to do and succeeded in doing was, “Okay, how can we use mailing packages to basically hack a corporate network?”. “And so what they put together using pretty much off-the-shelf components was a little device. They could pack it into an ordinary shipping package, make it look like it’s coming from Amazon or something like that. And that little device would have a very low power mode that would just power up enough to send a GPS signal back to the command and control servers. And so that way the bad guys, the “bad guys”, would know where that device is, and then they would know when it arrived at its destination”.
Is There A Solution?
The entire thing sounds pretty scary, especially considering what it means for businesses. As Brandt says, “this is another one of those things where it’s devilish. And you know if these guys can figure it out, anybody can figure it out that’s got any kind of hacking smarts or state sponsorship. So it brings, much like the cables and things like that, another whole new level to having to protect your data”.
Will agrees and, thinking of a solution, adds: “I almost see this potentially creating a mailroom intermediary service. Where, for example, instead of mail getting directly delivered to the building it gets sent somewhere else. And then almost like a TSA check, checks through all your packages, scans it, all these things, they’ve got to look for devices that are on and all that sort of stuff”.
Away From Cybersecurity In Events, But Relevant
Straying a bit further from our industry but towards something of societal importance, Brandt mentions a voter village aspect. “They actually purchase real live actual voting machines that are being used in the United States. And then give people an opportunity to hack on them. And it’s one of those things that I think we need to be aware of as citizens of this country and other countries to make sure that we’re having fair elections”, he says.
“It’s great to have the technology, it’s great to have the ability to tabulate things quickly, but these machines suck”, continues Brandt. “They’re absolutely terrible. Last year they were able to hack one using only a USB keyboard, and they were able to do that in less than a minute. I believe this is something we need to be much more aware of. And so I strongly encourage folks to talk to their members of Congress. Because there’s been legislation that’s been passed that puts in some pretty common-sense stuff for taking care of our elections and making sure that cities and counties and states have the money that they need in order to secure these things. And it being blocked by certain people in the congress for whatever reasons”.
“I think it’s really, really important that awareness is a huge part of everything that we’re doing”, says Will. “The important thing is awareness in general of this sort of stuff because the last thing you want to do is be caught off guard because that’s where you get taken advantage of 100%”. Pay attention, protect yourself, and for the love of god, use different passwords.
One Last Thing
Brandt leaves us with an extra piece of knowledge. “If you’re working with associations or you work for an association, planning their annual conference or even their in-between meetings and events. Just be aware that that, as we predicted, was going to start picking up the targeting of associations, as well as city and state governments”, he says. “So, the commonality between these things, between associations and cities and other government entities, is that they have a tendency to post their structure publicly. All of these local organizations and major associations across the country and across the world have a tendency to do that”.
“If you deal at all with your schools, with your city government, with your local government, your state government, or are working for an association where this information is publicly available. You really need to start paying attention and getting the word out amongst your people that you are a target”, he adds.
Cybersecurity In Events: Conclusions
It’s time say goodbye to today’s episode of Event Tech Podcast. Cybersecurity in events is major. And as Brandt puts it, “the important thing is to make sure that cybersecurity is all of our responsibilities. It’s not just being taken care of by the white hats and by folks with the glasses down the hall. We need to make sure that we’re all doing our part to make sure that we’re keeping ourselves, our organizations and our attendees’ data as safe as possible”. Tune in next week for even more tech wisdom!
What Security Pros Need to Know About Black Hat and DEF CON
How Not Having Data Backups Will Ruin Your Event