By: Lisa Z. Leighton
In today’s digital world, where each person’s online footprint seems to go on forever, hackers are also becoming omnipresent and prolific. Some threaten the safety of bank accounts and databases, others social media accounts or email address lists, but still others called “white hat hackers” are doing good — for local businesses and individuals. A local computer services company, MePush, employs one such friendly hacker.
Cyber Security Manager, Michael Frauenhoffer, is the company’s in-house forensic security expert. He graduated from Bloomsburg University with a degree in Digital Forensics after spending some time using his expertise in the military and cyber defense sectors.
In a week, he is heading to the world’s longest-running and largest underground hacking conference in Las Vegas, Nevada.
The underground hacking conference, called DEF CON, was started in 1992 by Jeff Moss, also known as Dark Tangent online. Moss is a globally respected American hacker and computer and internet security expert.
Frauenhoffer says he is excited to experience “the bleeding edge of the cyber security world [at DEF CON] so I can bring the information back to help MePush’s clients.”
On the surface, DEF CON appears to be a relatively standard conference – with workshops, live talks and vendors, but intertwined in the mix is a robust social scene (yes, even hackers like to have fun) plus hacking contests and “villages” for focused learning.
“Village” topics are unique interests ranging from biohacking to social engineering, the Internet of Things, artificial intelligence, tamper evidence, data duplication, voting machine hacking, soldering skills, ethics, laser cutting, car hacking, pocket hacking, industrial control systems, lock picking, and dozens of other trending topics in the underground world of hacking. Village topics are submitted in advance in a highly competitive application process vetted by conference organizers.
The conference also features hacking competitions. Yes, you read that correctly. Hackers duke it out to see who can break into a system, or dismantle a system entirely, in the shortest amount of time and in the most inconspicuous way. Conference attendees who wish to compete in hacking competitions at the event competed in pre-qualification rounds earlier this summer.
Registrations are not accepted in advance; they are taken in cash at the door so credit card and personal information are not stored or shared by DEF CON organizers. Attendees are advised to take their personal security seriously and not bring credit cards or personal devices with them for fear of being compromised. In fact, some attendees are hacked at the conference during workshops and lectures to serve as “examples” in the name of learning.
DEF CON takes the issue seriously, of course, and has a robust Code of Conduct (CoC) stating that “people are acting in good faith and not creating intentionally elaborate, dishonest or disingenuous claims of harm…DEF CON has several structural factors that are to our advantage when dealing with people intent on disruption. This is not our first conference, and as such we have a department dedicated to dealing with this problem. We have also had time to plan with hotel and casino security should we need their involvement. We take this issue very seriously and choose to err on the side of removing people, rather than allow them to spoil the conference for those who just want to contribute in a positive way.”
When Frauenhoffer returns, he will likely have a plethora of ideas to apply to MePush’s business clients in three key cybersecurity areas:
Frauenhoffer says, “compliance isn’t a once-and-done effort; it takes daily, weekly, and monthly follow-up. That’s where MePush really excels – ensuring that our clients become and stay compliant.” MePush specializes in PCI and HIPAA compliance, as well as military and Department of Defense compliance.
Put simply, penetration services are an offensive way for businesses to ensure that systems are secure. Frauenhoffer quite literally hacks his way into secure systems to find the gaps that need to be filled and areas where data could be exploited, so additional security measures can be applied.
We’ve all received them – emails that look legitimate enough to click on, but a twinge of doubt makes you wonder if the email is in fact coming from the president of your company or your long-lost family member. Click on the link and your account is compromised almost immediately. MePush offers a service where companies can hire them to send out a legitimate-looking email that is actually a phishing campaign. MePush tracks how many people click on the link and reports back to the company on the number of clicks. This can help an organization gauge where it needs to improve employee education about phishing attempts.