By Konstantinos Karagiannis, Principle Consultant, Ethical Hacking
It’s the most wonderful time of the year. No, get that Holiday melody out of your head. We’re talking about the summer’s Big Two hacking conferences: Defcon and Black Hat. The time when we, who spend too little time in the sun, select our crispest black t shirts, sharpen our card-counting skills, and descend upon Las Vegas for a few days of exposure to mostly digital sins.
Sure there’s partying and camaraderie in the desert, but we really are up to serious business in the air-conditioned halls of Caesar’s and the Rio. Typically, two things that have major impact on professional security happen as a result of these shows.
First, a lot of people change jobs. Some make new contacts that lead to offers. Others already had said offers and were biding their time to get the free trip in before giving notice. Not a bad time to hire a hacker (no, I’m not leaving BT).
Second, and of more interest to the industry as a whole, clients of ethical hackers will get more for their statement of work dollar almost immediately after the last attendee flies home. Hackers of all backgrounds present their latest zero-day exploits, security tools, and new testing techniques at these shows. Whether they do so to gain street cred or legitimately make the world of zeros and ones a safer place is irrelevant. For those of us who do this for a living, being the first to learn these techniques is our best way to stay at the true cutting edgeof what to look for on aclient engagement.
In the BT Ethical Hacking Center of Excellence (EHCOE) we pride ourselves on approaching each gig as a real attacker would. To maintain an edge we need to look for everything currently in the wild, which means our methodologies need constant fresh input. Attending Defcon in particular provides an amazing return on the investment of a modest registration fee and a long weekend. We walk away with about a dozen new flaws to hunt for the very next week on the job. All we need to do is some internal testing of the newly released attacks, followed by a write-up of the language we’ll use if we find these flaws and share them in a client report. This is what hacking for a living is about: learning new ways to capture our clients’ flags.
As I write, I’m getting ready to head to Vegas. I’ll know I’m finished packing when the darkness in my suitcase actually pulls in light from the room! In blogs to come, expect sanitized versions of a few of the newest flaws revealed at the shows … flaws that may lurkin your application or network right now. We’ll already be looking for them in other networks by then, of course…