05 Aug 2009
Las Vegas airport is now crowded with home-bound crackers, hackers and those who oppose them, as the annual Black Hat and Defcon conferences close for another year.
Black Hat kicked off at the start of last week, and is the serious side of the sessions. It begins with training for security professionals on current and future threats, and then opens out to general briefings for everyone. It's a mix of hackers, crackers, security executives and law enforcement.
Then Defcon begins and the crowd thins out. This is the event for the hackers and crackers, so the talks get more complex, the dress more outlandish and the partying more serious. Anyone who thinks that the geeks who come here are antisocial losers should go to a Defcon pool party; these people know how to rock.
I heard it said that, if the world really did want to stop computer hacking, a medium-sized nuclear warhead detonated over Las Vegas last week would have done a pretty good job. However, despite the attractions of nuking the place, in fact it would have made the computer crime problems worse.
No matter how the media views these people, the fact remains that they find the security holes that others miss, and their coming together to share knowledge is a good thing, not a bad one. There are still far too many commercial companies out there that cover up security holes and hope no-one notices, rather than disclosing them and fixing them.
So anyway, here's the most notable happenings of the events, some scary, some funny and some downright disturbing.
Honourable mention: Conversation
While the briefings can make you paranoid, the private conversations with people can be even more terrifying. You realise quite how vulnerable large areas of information technology are, and it's not something that means you sleep well at night.
That said, there's also fun to be had. The crowd at the Black Hat show are by and large highly intelligent people, and that always makes for good anecdotes.
Bruce Schneier gave a great example of why we are better than animals in that we have tamed our fight or flight reflex, so that if the boss gives us a dressing down we don't stab him or run away.
But Deb Radcliff, one of the best security journalists in the country, came out with a comment so funny that, if I'd been drinking a cup of tea at the time, she would have been receiving a bill for a new laptop. This was an actual quote from someone she knew: "I'm not lying, I'm managing information!"
10. Internal hacks
Hackers are natural pranksters, like Loki and Br'er Rabbit from legend. So it's natural that there would be many pranks played by members of the conference. After all, there's major kudos to be had in beating the professionals at their own game.
Even before Black Hat had kicked off in earnest there were already problems. Security researchers Kevin Mitnick and Dan Kaminsky had their servers hacked by a bunch of crackers who wanted to display their prowess. Kaminsky brushed it off as "drama" and said they got nothing of value.
There were also reports that someone was spoofing the Caesar's Palace Wi-Fi network name (SSID), changing one digit in the hope that some poor soul would log on and open up their laptop to scrutiny. I didn't use Wi-Fi all week, and all radio communication on my machine and phone stayed disabled.
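The lookalike-network trick above is easy to check for before you connect. The following script is an added example, not anything from the conference or the article: it takes a list of scanned networks and flags any name that is within one edit of a trusted SSID (after collapsing common digit-for-letter swaps such as 1 for l), and any network that reuses a trusted name from an access point whose BSSID is not on the allow-list. The trusted names, BSSIDs and scan results are all constructed for the example.

```python
"""Flag Wi-Fi networks that impersonate a trusted SSID.

Two cases are reported:
  * "lookalike"   - a name within max_distance edits of a trusted name
                     (e.g. one digit changed or appended)
  * "rogue-bssid" - exactly the trusted name, but from an AP not on the allow-list
All names and MAC addresses below are constructed for this example.
"""

# Assumed allow-list: trusted SSID -> set of BSSIDs known to serve it.
TRUSTED = {
    "CaesarsPalace-Guest": {"00:11:22:33:44:01"},
    "BlackHat-Attendee": {"00:11:22:33:44:02"},
}

# Constructed scan results as (ssid, bssid) pairs, as a scanner would report them.
SCAN = [
    ("CaesarsPalace-Guest", "00:11:22:33:44:01"),   # legitimate
    ("CaesarsPalace-Guest", "de:ad:be:ef:00:01"),   # same name, unknown AP
    ("CaesarsPa1ace-Guest", "de:ad:be:ef:00:02"),   # digit 1 in place of l
    ("CaesarsPalace-Guest2", "de:ad:be:ef:00:03"),  # one character appended
    ("BlackHat-Attendee", "00:11:22:33:44:02"),     # legitimate
    ("HomeRouter", "aa:bb:cc:dd:ee:ff"),            # unrelated network
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; SSIDs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalise(ssid: str) -> str:
    """Lower-case and fold the digit/symbol swaps commonly used in lookalike names."""
    table = str.maketrans({"0": "o", "1": "l", "5": "s", "|": "l"})
    return ssid.strip().lower().translate(table)


def find_lookalikes(scan, trusted=TRUSTED, max_distance=1):
    """Return a list of (kind, ssid, bssid, trusted_name) findings."""
    findings = []
    norm_trusted = {normalise(name): name for name in trusted}
    for ssid, bssid in scan:
        n = normalise(ssid)
        for tnorm, tname in norm_trusted.items():
            if ssid == tname:
                # Exact trusted name: only trusted if the AP is on the allow-list.
                if bssid.lower() not in trusted[tname]:
                    findings.append(("rogue-bssid", ssid, bssid, tname))
            elif edit_distance(n, tnorm) <= max_distance:
                findings.append(("lookalike", ssid, bssid, tname))
    return findings


if __name__ == "__main__":
    for kind, ssid, bssid, tname in find_lookalikes(SCAN):
        print(f"{kind:12} {ssid!r} from {bssid} (mimics {tname!r})")
```

On the constructed scan this reports the unknown-AP copy of the guest network and the two altered names, and stays quiet about the legitimate access points and the unrelated network. Feed it the output of whatever scanner you use, and keep the BSSID allow-list in mind: a name match alone tells you nothing if the attacker copies the SSID exactly.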
Then at Defcon an ATM was found that was harvesting credit card information. It was rather poorly put together, but I wonder whether it was an attempt to steal money or just to get kudos.
9. Federal Aviation Administration hacking
If you're a nervous flier, the Federal Aviation Administration (FAA) hacking talk by Righter Kunkel would have given you nightmares.
The FAA controls all air traffic over the continental US and the consequences could be catastrophic if it was shut down in some way. Large-scale cancellation of flights would be inevitable, and any planes in the air would conceivably be left flying blind.
Kunkel, himself a pilot, found that getting into the system was easy, and required little more than a fake ID. The attacker could register for a flying-fitness medical certificate and use this to get a student pilot's certificate number. This would allow access to the FAA's flight plan submission system, since a full plan must be given before every flight.
By using denial-of-service methods an attacker could flood the FAA's computers with false flight plans using a simple script and shut down the network. There's more to it than that, and Kunkel rightly kept those details to himself, but it makes you think.
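The flood described above has an obvious signature on the receiving side: one credential filing far more plans than any real pilot could. The following is an added example, not from Kunkel's talk or the article, of the kind of sliding-window rate check a submission service can run over its own log. The log format (timestamp, credential id, action), the window and the threshold are all assumptions, and the sample log is constructed to contain normal traffic plus one scripted burst.

```python
"""Per-credential burst detection over a submission log.

Assumed log line format (constructed for this example):
    <ISO-8601 timestamp> <credential id> <action>
A credential is flagged the first time it has more than `threshold`
FILE_PLAN actions inside any trailing `window`.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: five ordinary pilots plus one scripted flood."""
    base = datetime(2009, 7, 30, 10, 0, 0)
    lines = []
    # Background traffic: one plan per pilot, a minute apart.
    for i in range(5):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} pilot-100{i} FILE_PLAN")
    # Flood: one credential files 40 plans in 20 seconds.
    for i in range(40):
        ts = base + timedelta(minutes=2, milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} pilot-9999 FILE_PLAN")
    return lines


def parse(lines):
    """Yield (timestamp, credential, action) tuples, skipping blank lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, cred, action = line.split()
        yield datetime.fromisoformat(ts), cred, action


def detect_bursts(records, window=timedelta(seconds=60), threshold=10):
    """Return {credential: time it first exceeded threshold submissions per window}.

    Records are sorted first so out-of-order log delivery cannot hide a burst.
    Each credential keeps a deque of recent timestamps; entries older than the
    window are dropped from the front as newer ones arrive.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, cred, action in sorted(records):
        if action != "FILE_PLAN":
            continue
        q = recent[cred]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and cred not in flagged:
            flagged[cred] = ts
    return flagged


def analyse_sample():
    """Run the detector over the constructed log."""
    return detect_bursts(parse(build_sample_log()))


if __name__ == "__main__":
    for cred, when in analyse_sample().items():
        print(f"{cred} exceeded the submission rate at {when.isoformat()}")
```

On the sample log only the scripted credential is flagged, at its eleventh plan five seconds into the burst; the five ordinary pilots never come close to the threshold. Flagging is a signal to throttle or hold that credential's submissions for review, which is a cheaper response than letting the queue fill.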