By Kevin Rademacher <[email protected]>, LAS VEGAS SUN
Marcus Sachs, director of National Cyber Security for the U.S. Department of Homeland Security, and Kevin Mitnick, the nation’s most notorious hacker, shared a table for lunch on Thursday at Caesars Palace.
That was just one example of the rather strange mix of technology cultures that have come together in Las Vegas this week for a pair of security conventions.
Black Hat Briefings — a technology convention touting digital self defense — wrapped up on Thursday after catering to a crowd of business executives and sales people for three days. Organizers said the event drew record attendance of about 1,700 looking for up-to-date information on security.
A table away from Mitnick and Sachs, Donald Welch, an associate dean from the U.S. Military Academy at West Point, and Aqeel Zaman, a Toronto executive, traded business cards and shared concerns over protecting large computer systems.
“It’s a good place to get a lot of current information,” said Welch.
Sachs, in the Black Hat’s final keynote presentation, said system security has been a focal point of national defense since the mid-1990s.
“That was our soft underbelly,” he said, adding that the Sept. 11, 2001, terrorist attacks came as a shock because so many in the defense community were expecting terrorism in cyberspace.
“We were very shocked that the attack did not come from the cyber dimension and that it came instead in a physical attack,” he said.
Sachs emphasized that the nation has little choice but to address such security concerns, whether it’s an attack on national defense or malicious hackers defacing corporate websites or exploiting software vulnerabilities.
“Our nation is now in cyberspace,” he said. “We can’t go back. This is how we work, and we need to keep it safe.”
The government, however, can’t be relied on to maintain that security. Sachs said that effort will demand the attention of the private sector.
Those private sector entities policing cyberspace will include hackers, said organizers of Black Hat and its sister event Defcon, which begins today in Las Vegas.
Black Hat started seven years ago as a more “professional” sister event to the more informal hacker gathering gaining fame, Defcon. Organizers expect about half of the Black Hat attendees — some wearing T-shirts proclaiming: “I read your email.” — to stay in town for Defcon.
As security becomes a more important focus, B.K. DeLong, a spokesman for Black Hat and Defcon, said hackers are clearly serving a purpose.
“If you think about it, big companies like Microsoft really have no accountability, except to the hacker community,” he said, pointing to recent news reports that hackers have threatened to attack a flaw in the software giant’s Windows software.
It wasn’t until threats began surfacing that the flaw and a Microsoft patch to fix the error began to receive publicity, DeLong said. He downplayed speculation that a formal attack on Windows could originate from Defcon this weekend.
Still, even Sachs alluded to the role of hackers in system security in his speech.
“Sometimes that’s just what it takes, showing someone that their systems can be vulnerable,” he said after describing how he hacked into his daughter’s computer through the Internet to teach her a lesson about maintaining security.
Jeff Moss, founder of both conventions, also said the criminal connotations now associated with the term hacker is largely overplayed.
“You can be a good plumber or you can be a bad plumber,” he said. “You can be a good hacker or you can be a bad hacker. The issue is ‘Are you committing crimes with computers?’ ”
As Defcon gears up this afternoon, teams of hackers will be flexing their muscle as they hit the street of Las Vegas in a high-tech game of “Wardriving.”
As many of 12 teams, in cars decked out with antennas and laptop computers, will race around town trying to identify as many wireless Internet access points as possible around town. The team that identifies the most access points wins.
DeLong emphasized that nothing malicious will be taking place. The teams will just be identifying the access points, determining which are secure or unsecure, he said.
“They’re just seeing what they can find,” DeLong said. “Just basically collecting information.”
He did say that the Defcon convention has undergone an image makeover of sorts during the past two years. The event, which is in its 11th year, had started to deteriorate into more party than conference. A renewed emphasis on speakers and content has raised the level of professionalism, he said.
This year’s event, which is expected to draw as many as 5,000 attendees, will feature topics including network reconnaissance, corporate intelligence and copyright infringement.
“It’s a party, plus serious talks,” Moss said.
Moss said such a renewed focus makes sense as one-time hackers are increasingly becoming “security professionals.” The fears of cyberterrorism outlined by Sachs earlier in the day have led defense contractors to go to work on security.
“That’s trickling down to us now,” he said.