
The paranoid's guide to a room full of hackers

Written by Cosmin Stefanica - 08 December 2016

A while ago, I had the pleasure of attending DefCamp 2016 in Bucharest, one of the biggest information security and hacking conferences in Europe. Even though I know a bit about how to protect my data and my devices, this was my first time attending an event like this, so naturally, I gave in to the paranoia surrounding this topic.

You know what I'm talking about; nowadays you either see it all over the news or in your favorite TV shows. Some random company got hacked and their information was leaked to the public. Hacked e-mail accounts, leaked usernames and passwords, confidential data being released to the public, all of these make use of buzzwords that people are afraid of. And for good reason. You should protect your devices and data. But you shouldn't be paranoid about it. So what would happen if someone got dropped into a two-day conference filled with people that are literally paid to hack into your data and/or steal your information? Well, this is my story, and what I've learned from roaming the conference floor.


You’re only paranoid if they’re not out to get you...

First of all, if you were to hear about a hacker/InfoSec conference, who would you think you'd see there? A bunch of hooded figures with rugged laptops trying to steal your personal information? Well, even though the black hoodie, backpack, and rugged business-class laptops (or the iFruit equivalent) seem to be part of the unofficial uniform, that is not always the case. You will find that men and women wearing collared shirts and full business attire are also part of the ever-growing community of people interested in information security. Truth be told, in this day and age anyone could get into this if they wanted to, not just that weird neighbor you have that never seems to leave the house. So you might as well drop that stereotype, as it's no longer valid.

The entire field of information security is vast. As a result, you see all kinds of security experts, from people that were once part of actual law enforcement that decided that they could merge computers with that and make a living out of it, to social engineering experts that could lie their way into heaven and hack St. Peter's bank account, if he had one. And you know you're around some very clever people when one of the guys holding a talk mentions that he needed a debugger for an embedded application so he just wrote his own. Because that's, like, totally easy for him. So you'd be correct in thinking that however you choose to protect your data, these guys will (if they haven't already) find a way to bypass that. Because that's what they love to do.

Knowing that pretty much everyone can start "hacking" today if they wanted to, you might be thinking "Well, why would they hack me? I don't have a company, I'm nobody." Well, nowadays you'll find that question to no longer be relevant. Why? Because if you are the owner of any piece of technology that is connected to the internet and happens to have some personal data on it as well, they will either use the connection to the internet to hack some other poor person, mine bitcoin, or just sell your data to the highest bidder who will, in turn, either impersonate you or just send you spam mail about whatever spam mail is about. And don't think that you are safe just because your Smart TV or Smart Fridge is connected to a very secure access point. There are people who have figured out how to hack their way into your cable TV receiver. And I'm not sure they make firewalls for those yet.

...but the world is not as grim as you’d think

If you've reached this point I am sure that you are at least a bit more paranoid than you were when you started reading. And that's okay. But the world is not as grim as you might think. The one thing that was obvious throughout the entire two days of the event is that these are the good guys. Sure, they love a challenge just about as much as anyone does, which becomes apparent when you see people that have brought a miniature version of a city's infrastructure to the event and just said, "This is the public IP address of this miniature town. Hack us!". But you will see that what they want to do is raise awareness. Not through fear-mongering and paranoia but through actual facts and solutions to whatever problems you might face. Sure, when you happen to see your username and part of a password on a big screen titled "WiFi Pwned Board", you might get scared. But you also realize that they use that to show you what might happen if you connect to those open WiFi access points in cafes and bars and stuff. I bet that after you saw that for the first time, you'd think twice before using unsecured WiFi ever again. You see vendors showing you hardware that's used to protect against network attacks and hardware that's used to attack networks, just so that they can make your company more secure than it was before. And the talks themselves show why it's important to be careful when you use the internet but even more so, be careful when you actually start researching what was behind attacks that happened in the past. You never know, you might just end up crossing paths with a government agent doing some espionage in his spare time.

In the end, it’s all about raising awareness

What I took away from two days of socializing with hackers and security specialists is this:

  • Hackers come in all shapes and sizes. The field of information security is huge and anyone can be a part of the community.
  • Open WiFi access points are bad and you should avoid them as if your life depends on it. Because in this day and age, your data represents your life.
  • Hacking isn't just about someone typing really fast on a computer. This is not the Matrix. There are two ways of hacking your way into a system: hacking the technology behind it or hacking the people who use said technology. That's where social engineering comes into play.
  • Curiosity is a gift and a curse. If you want to see how someone might hack your servers, that's very nice but please, for the sake of us all, if you find a dropped USB flash drive outside your office building, do not plug it into one of your company's computers. That's one of the easiest tricks in the book.
  • No matter how secure you might think you are, always keep in mind that one day, you will probably get hacked. And that is okay as long as you learn from your mistakes or better yet, try to learn from someone else's mistakes.
  • Know that security specialists are pretty much like dentists. They just want people to practice good data hygiene.

About Cosmin Stefanica

My story starts a few years ago, when I used to take apart toys just to see how they worked. Fast forward one and a half decades and I have a job in the testing industry, getting paid to do exactly what I love, breaking down applications to see how they work and making them better. And I sometimes get to write about my adventures, which is a win-win situation. Stick around and find out what I’m up to.

       