Defcon 16 Las Vegas

August 10, 2008

Probably one of the coolest badges from my 15 years of attending various conferences and tradeshows is the hackable badge from this year's Defcon 16, Aug 8-10 at the Riviera Hotel & Casino in Las Vegas.

While there were many sessions with broad IT implications, the sessions below are the ones most relevant to the hospitality industry:

Bringing Sexy Back: Breaking in with Style, David Maynor & Robert Graham

  • Scenario: a Russian czar hires developers with a 1 million budget and wants to break into your company
  • Approach 1: Put an iPhone in a box, attach an external power supply, turn it on and FedEx it to the target company; while the box sits in the mail room, TTY to the phone, bypass physical security and attack the wireless network
  • Approach 2: “Spear Phishing” – Start a fake company, get a domain name, get an SSL certificate, send a “New 401(k) Provider” e-mail to the target company linking to a bogus website, and sign the malicious ActiveX control so there are no warnings when they download it

Big Picture, Mike Renlund

  • Digital Cinema is the first major upgrade to a movie’s image in more than 50 years, and it has brought a new standard of quality and security into the local movie theater complex. This presentation covered the changes from film in image, sound and the new security methods used to prevent piracy. If guests are happy to pay higher rates when there is a commensurate increase in the quality of amenities, size of room, technology and services, combined with an experience-based differentiator, are you offering digital and high definition TV to your guests?

Compromising Windows Based Internet Kiosks, Paul Craig

  • Internet kiosks have become commonplace in today’s resorts and elsewhere. Kiosks are used by thousands of users daily from all different walks of life. Internet kiosk terminals often implement custom browser software that relies on proprietary security mechanisms and access controls. Kiosk users are typically prohibited from accessing the kiosk’s local files or the surrounding local network, or are they? The last thing a hotelier wants is a kiosk on property displaying an inappropriate image to every passerby, or worse.

Anatomy of a Subway Hack, Zack Anderson, RJ Ryan, Alessandro Chiesa

  • While this talk was halted by a last-minute court injunction, the material is available on the internet and the theme for hospitality holds true: pay attention to how and what your business applications are encoding on the various magstripe and smartcard cards that are used throughout traditional properties by traditional applications.

ID Card Security, Doug Farre

  • A review of the latest ID technologies such as biometrics and RFID. Again, the theme for hospitality holds true: pay attention to how and what your business applications are encoding on the various magstripe and smartcard cards that are used throughout traditional properties by traditional applications.

VoIPer: Smashing the VoIP stack, NNP

  • With Voice over Internet Protocol (VoIP) devices finding their way into the majority of major enterprises and many new resorts and residential installations, the possible consequences of a security vulnerability that can be leveraged by those with bad intent are ever increasing. While the security of data and voice traffic has been extensively promoted and tested, the security of the devices themselves has been poorly tested. A remote vulnerability in a VoIP device could subvert all other VoIP security. You can no longer just put a phone on the guest desk and bedside table.

Buying time: what is your data worth, Adam Bregenzer

  • As computing power continues to grow, along with distributed tools such as rainbow tables that further assist with brute-force attacks on systems, a need to re-examine your policies and controls has been …
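The rainbow-table point is easier to see with a small demonstration, so here is an added example of my own; it is not material from Bregenzer's talk. It assumes a constructed six-word dictionary and three made-up accounts, uses unsalted MD5 as the stand-in for a legacy password store and PBKDF2-HMAC-SHA256 with a per-account salt as the corrected one, and counts how much hashing an attacker has to redo once salts are present:

```python
import hashlib
import os

# Constructed sample wordlist; stands in for the dictionary a precomputed table covers.
WORDLIST = ["password", "letmein", "welcome1", "summer2008", "vegas", "frontdesk"]

# Constructed sample accounts (not real data). Two share a password on purpose.
ACCOUNTS = {"alice": "summer2008", "bob": "password", "carol": "password"}

# PBKDF2 work factor: an assumed value kept low so the demo runs in a second.
ITERATIONS = 20_000


def unsalted_hash(password):
    """Legacy scheme: one deterministic MD5 per password, identical across accounts."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """Hardened scheme: PBKDF2-HMAC-SHA256 bound to a per-account random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_table(words):
    """Precompute hash -> plaintext once. A real rainbow table compresses this with
    chains, but the cost model is the same: pay once, reuse against every dump."""
    return {unsalted_hash(w): w for w in words}


def store_unsalted(accounts):
    """What a legacy application writes to its user table."""
    return {user: unsalted_hash(pw) for user, pw in accounts.items()}


def store_salted(accounts):
    """Per-account 16-byte salt stored beside the digest; the salt is not secret."""
    stored = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        stored[user] = (salt, salted_hash(pw, salt))
    return stored


def crack_unsalted(stored, table):
    """Returns (recovered, hash_ops). Recovery is a dictionary lookup per account;
    no hashing happens at crack time because the table already did it."""
    recovered = {user: table.get(digest) for user, digest in stored.items()}
    return recovered, 0


def crack_salted(stored, words, iterations=ITERATIONS):
    """Returns (recovered, guesses). Each guess must be recomputed for each account
    because the salt is folded into the digest, so nothing can be precomputed and
    every guess costs `iterations` HMAC evaluations."""
    recovered, guesses = {}, 0
    for user, (salt, digest) in stored.items():
        recovered[user] = None
        for w in words:
            guesses += 1
            if salted_hash(w, salt, iterations) == digest:
                recovered[user] = w
                break
    return recovered, guesses


def shared_password_visible(stored_unsalted):
    """True if any two accounts expose the same digest (so the same password)."""
    digests = list(stored_unsalted.values())
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    legacy = store_unsalted(ACCOUNTS)
    rec, ops = crack_unsalted(legacy, build_table(WORDLIST))
    print("unsalted:", rec, "hash ops at crack time:", ops,
          "| identical digests leak shared passwords:", shared_password_visible(legacy))

    hardened = store_salted(ACCOUNTS)
    rec, guesses = crack_salted(hardened, WORDLIST)
    print("salted:", rec, "| guesses:", guesses,
          "| HMAC evaluations:", guesses * ITERATIONS, "(no table reuse possible)")
```

Run it and compare the two lines: the legacy store falls to a table that was built once and costs nothing per account, and bob and carol's identical digests give away that they share a password. The salted store still falls to the same six-word dictionary, which is the honest part of the lesson, but the attacker pays for every guess on every account and cannot reuse the work across dumps. Salting and a work factor buy time; the policy half of the talk's title is the part that decides whether the dictionary matches at all.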

Developments in Cisco IOS forensics, Felix Lindner

  • Attacks on network infrastructure are not new. However, network security is only as strong as its weakest link, and many organizations still have not examined or upgraded (hardware or software) the most popular and widely used routing platform in the world (Cisco IOS and Cisco routers) within their own environments.

Shifting the focus on WiFi Security, Thomas d’Otreppe de Bouvette & Rick Farina

  • According to the AAA Diamond Ratings Guide, “75% of all Business travelers travel with laptops”. The pervasiveness of WiFi sets the guest expectation for this property amenity. A paradigm shift is underway in WiFi attacks, away from the access point and toward the clients using the WiFi services. How secure is the corporate WiFi network and the devices connecting to it?

Virtually Hacking, John Fitzpatrick

  • With VMware becoming an integral part of many organizations, it is important that the security of its deployment is assessed appropriately and, ideally, incorporated into its design.