For hackers, humans are easiest targets

A DEFCON badge holds secrets too.

At the annual gathering in Las Vegas for hackers and cybersecurity experts, people got a look at the newest hacks and vulnerable technologies, from breaking into Tesla cars to holding hostage a fancy new home thermostat until a homeowner pays a ransom. Despite the digital skills hackers showed off for taking control of computer systems, humans remain the single easiest way to break into any computer network.

The back-to-back Black Hat and DEFCON conferences are annual events in the glittering desert city, bringing together researchers, government, big private firms and digital scofflaws to showcase the latest in how to break – and fix – computer networks.

Cayman’s Micho Schumann, a principal with KPMG and a computer security expert, made his annual pilgrimage to the week of conferences. Schumann described the first conference, Black Hat, as always “more buttoned-down and corporate.” The second, DEFCON, is not so formal, and “is disorganized in a good way,” he said, more a reflection of the freewheeling hacker culture in the popular imagination.

These conferences, especially DEFCON, always make a splash in the world media, with researchers from academia and private labs showing how to hack into everything from phones to cars.

“There’s always lots of forward-looking stuff – what’s going on and where are the risks,” he said.

The demonstrations during the week show just what’s possible as people try to poke security holes in anything that is connected to the Internet. Even the routine boarding pass to get on an airplane is open to attack, Schumann said. Based on a demonstration from the week, he explained, “all I need is your boarding pass number and I can probably cancel your ticket.”

A cancelled boarding pass would be annoying, but could probably be fixed after a couple of hours in line or on the phone. One of the hacks Schumann highlighted in an interview after the conference was on a new state-of-the-art electronic safe. He said researchers demonstrated how they could pick up the frequencies of the electronic signals in an expensive new safe and figure out the combination to break in.

“This ties back to physical security,” Schumann said, which is something he preaches to clients who hire him to make sure their networks are locked down as tightly as possible.

He said this is why companies need to train staff to ask themselves: What is this guy doing in my server room? Or, why is this person calling to ask about my operating system?

Kevin Mitnick, left, an infamous hacker who served five years in prison and now consults on computer security, with KPMG's Micho Schumann at the Black Hat conference in Las Vegas earlier this month.

People are the weakest link in any cybersecurity program, he said. They can steal data like Edward Snowden took from the U.S. National Security Agency, or they can unwittingly give away key security details to a caller pretending to be from the company’s IT department. Evidence of human error is all around the conference.

Schumann said that for a week the conference hotel – this year it was Paris on the Las Vegas Strip – becomes “the most hostile WiFi network in the world.” Essentially, he said, “The hotel WiFi is condemned for the week.” But that doesn’t stop some from using it. During DEFCON, he said, there is the “Wall of Sheep,” a large monitor listing in real time the usernames and passwords of people logging into their accounts over the hotel’s wireless network.

This shows that even at the world’s largest gathering of hackers each year, people are still not practicing basic computer security.

There’s even a social engineering competition at DEFCON where people are assigned a company, do a little background research, and then call up the company and see how much information they can get out of whoever picks up the phone. Competitors sit in a soundproof booth at the conference while the audio is played to the raucous crowd.

A USA Today story highlighted some of the “social engineering” hacks from the competition this year. The second-place winner, the newspaper wrote, “called a large financial services firm and posed as a young, new employee coming to headquarters for training. She needed information about the company’s security to reassure her overprotective parents she’d be safe in the big city, she said.”

The newspaper reports that the contestant, Rachel Tobac, was so effective that “the person she got on the phone ‘even put me on hold and went out to ask the name of the security guard.’”

The human element, Schumann said, is always the most vulnerable. He noted, however, that in his daily work of firming up computer networks for clients in the Caribbean and around the world, executives are starting to take notice and devote more resources and attention to the technology and employee training needed to keep a network as secure as possible.