“You are about to enter one of the most hostile environments in the world,” Black Hat’s registration confirmation says. “Here are some safety tips to keep in mind:
■ Hackers are in Vegas and like to play.
■ Do not use the ATM machines anywhere near the conference.
■ Don’t use the Wi-Fi network unless you are a security expert.
■ Change your passwords immediately after leaving Vegas.
■ Everything can be hacked, including your brain.”
The attendees at the Black Hat USA security conference at Caesars Palace don’t appear to be particularly hostile.
They’re a mix of clean-shaven reps in company polos, long-haired hackers wearing black from head to toe, a couple of attendees with punky hair, a la “The Girl with the Dragon Tattoo,” and a sea of everyday people found at any convention.
The only show of hostility were hecklers during the morning keynote speech by Army Gen. Keith Alexander, head of the National Security Agency.
The Associated Press reported that Alexander defended the NSA’s surveillance methods and said it does not listen to phone calls or read emails.
The audience laughed when someone suggested that Alexander read the Constitution. He replied that the heckler should, too.
Barring that, the first day of the high-tech convention was peaceful, at least on the surface.
At a quick glance, the schedule seems intimidating, meant only for the computer-programming elite. Descriptions such as “dissecting CSRF attacks,” “Teridian SoC exploitation” and “virtual deobfuscator” sound more like futuristic torture methods than anything the real world might care about.
But a closer inspection of the high-tech talks reveals tips average households can use.
Jay Radcliffe’s briefing, for example, focused on protecting personal medical devices against glitches. Radcliffe’s employer, InGuardians, works with the Food and Drug Administration to help researchers document and disclose medical device vulnerabilities.
Radcliffe, a diabetic, outlined an incident in which a bug in his Animus Ping insulin pump almost killed him.
A faulty reading showed his blood sugar to be low when in fact it was high. Had he not suspected the error, he said, he might have overdosed on insulin.
That was the first time he encountered the glitch, but since then, it’s happened a handful of times, he said.
Radcliffe, an employee of InGuardians information security company, reported the incident to the Food and Drug Administration and was told the vendor would be notified and would contact him in 45 days — a long time to live with a faulty device, he pointed out.
True to schedule, Animus called 45 days later. The first call, Radcliffe said, was polite, but in later calls the company blamed him for not following instructions correctly.
“Because I don’t know how to use a computer,” the computer specialist said.
Information about the sudden reset, Animus said, was in the manual.
It was, but when Radcliffe asked Animus to identify a situation in which the feature would be helpful, the company declined, he said.
Animus refused to update the program, and patching the software would void the device’s warranty.
In a perfect world, Radcliffe said, vendors, buyers and medical administrators would work together to ensure product updates.
Today, buyers should wield their influence and request devices that allow for software updates.
“We need to make sure security is part of the buying criteria,” Radcliffe said.
What scares him more than his insulin pump’s failure are patent-pending medical devices that can be controlled online.
“If that’s what the consumer wants, that’s what’s going to drive the market,” he said.
In another presentation that would interest an everyday consumer, Drew Porter and Stephen Smith outlined how easy it is to bypass a home security system.
Typical home security systems have three main components — door and window sensors, motion detectors and a keypad — all of which are fairly easy to hack. Simple magnets can disengage door and window sensors, they said.
Holding a lighter up to a motion sensor will disable it for three seconds, while another longer-lasting infrared light is set up.
Hiding behind a sheet of cardboard or polystyrene foam also will fool a sensor by blocking body heat.
During that time, a thief can access the keypad and reroute the signal to a rogue cellular network, effectively disabling the system.
“Your house is literally hopeless because it can’t send anything,” Porter said.
Luckily, said the security analysts with Bishop Fox, there are fixes.
There are new motion detectors that aren’t confused by infrared signals, and sometimes simply changing a sensor’s location can improve its performance. Sensors don’t work particularly well when placed too high, they said.
Keypads can report intrusions using dual technology, such as cell and land line, or cellular network and broadband, the combination of which makes hacking more difficult.
Window and door sensors, they said, are a little trickier to improve and probably require reinvention.
Luckily, there’s always a backup to backup security, Porter and Smith said, as they queued up example slides.
Ever owned a guard dog, they asked. A gun?
Contact Review-Journal writer Kristy Totten at KTotten@Reviewjournal.com