I guess this is a story because it's Black Hat and someone who wasn't supposed to be able to access this info did. However, conference attendee information is widely sold and shared as a matter of course. You shouldn't consider it as anything approaching confidential.
These days pretty much anyone going to a tech conference that allows any sort of salespeople to attend, or vendor booths, should expect a high degree of spam. Email I can deal with, when they get my direct cellular number and won't take no for an answer, that's when the vendor goes on the "never buy" list.
It's probably in some fine print somewhere. You can sometimes opt out of some sharing but exhibitors scan badges, you often get scanned when you attend breakouts, etc. Assume that any information you provide when registering for a typical conference (other than payment details obviously) will be widely shared.
You may not be able to get into sessions if your badge is "bad"?
Also, if you're at a show, presumably you're interested in at least of the vendors so may want to be on their lists. I get a huge amount of email from vendors because I attend so many events but it's not really that big a deal to just unsubscribe from anything I genuinely have zero interest in.
Having never been to a black hat conference, I’m surprised that such people would be so easily open to attack. Surely no one gives out their real email address or phone details at these events? I hope they don’t take critical hardware with them full of secrets to be happily liberated by someone more enthusiastic. They wouldn’t have “interesting” conversations in taxi/ubers, would they?
Maybe there are less black hats at these conferences than the numbers suggest.
There's this mystique around Black Hat but it's a 20,000 person security trade show. I imagine the vast bulk of attendees register with their work email and phone number just like they do for every other conference they attend.
Sort of.
But mostly not knowing any better and just going off the name. As others have said it’s apparently full of white hats with expense accounts.
Never been to either conf. I’m just a body with a pulse.
Black Hat is literally Defcon for people with expense accounts. The best Defcon talks are usually accepted Black Hat talks.
Defcon has become this enormous nerd Burning Man event, filling Caesars armpit-to-elbow with attendees trying to fight their way to various different "villages". But as it's become that, it has become less and less "black hat", and more and more just security's Comic Con.
But in the days before the two conferences diverged, it certainly was not the case that BH was more "white hat" than Defcon; BH was a way to pay offensive security people out of the expense accounts of defensive security people. And these days I have sort of a hard time believing any "real" black hat takes Defcon seriously.
It's been so long since there were prolific black hats, that you seem to have confused the definition of black hat and white hat with "offensive security" and "defensive security" ;)
Everyone working in offensive security is still a white hat. That's a legitimate profession. Black hats hack things without permission. That used to be big at Defcon, but I don't think it was ever really a Black Hat thing.
Black Hat is a corporate "vendor" conference. You're probably thinking of DEFCON. At DEFCON, you don't register. You pay them in cash, and they give you a (complex, hard to fake) badge. You wear the badge and they let you into the conference area. They don't want to know who you are, which nicely avoids the problems Black Hat was having.
Black Hat is the most important industry vulnerability research conference of the year. It is also very corporate, and for the last several years it's had a large trade-show vendor "expo". It's a big-business UBM conference and certainly makes money from vendors, but don't get confused; that stuff is all bolted on to the gigantic multi-track speaker conference.
There are, so far as I know, no pay-to-play Black Hat talks; all the listed briefings were picked by the review board.
On the plus side, if you have a talk that was accepted at Black Hat, you usually can just re-submit it to RSA.
It's been several years, but I remember the RSA conf held in early Spring usually had it's CFP deadline something like a 6 months before. So if you were speaking at BH, then around July/August you had everything ready to present, which was perfect timing to submit for the following year's RSA.
I don't know if they warn you when you get a ticket, but I think it's impossible to go to a conference at Black Hat's scale and not understand what's happening. Black Hat is a trade show (much more so than it used to be) --- the research component is set off from the "expo", but the expo is huge. If you're staying in the conference hotel, I think there's even direct targeted swag delivered to rooms and stuff? (I might be confusing that with RSA).
It's not great to just dump contact info --- that happened to RSA Security a couple years back and it was a story then --- but it's mostly an optics problem, I think.
I can confirm that it is possible to go to big conferences and be unaware that my contact information is being flung about! For proof of existence, I provide myself.
(And I'm someone who gives out custom email addresses for all signups anyway, so I'm not totally naïve.)
Indeed. I suppose if I'd been to a bunch of them I would have ended up noticing the spam and putting two and two together, but that would be a bit late.
Even though it is not that surprising in that we know it happens, it is a little surprising that you pay a large amount of money to attend something then you , on top of that, are essentially having your data sold on.
It's one thing to attend a "free" event that makes a return by monetizing attendee data, and another to have an expensive event that does it.
One of the reasons I'm such a fan of BSides events which, generally, aren't expensive to attend and don't sell your data on.
(disclaimer - I've organized a couple of BSides events)
The whole thing is a bit of a self-perpetuating racket. It doesn't do to squint too hard at the value delivered by participating when your job depends on not doing so. And a huge amount of mutual back-scratching goes on with sponsorships and other elements of these shows.
I say this as someone who participates in all this regularly. I much prefer smaller and less overtly commercial events in general.
It's a bit more than that. Sure nothing overly sensitive was exposed, but it is more about the underlying system. The 'what-if'. What if sensitive information like PII was apart of that data set? Then all of it would have been exposed. That sure the conference was full of security professionals, but what level of expertise and competency is actually running the show?
PII certainly was part of the data set. Just nothing that was sensitive. I don't disagree though. Certainly if plaintext payment information were part of the same record, that would be an issue.
The conference is over, but it's certainly be more of a social engineering risk if it were used beforehand (especially people attending as aliases printed on their badges).
Yep, most attendees seem to be unaware, but a big part of their sponsor/exhibitor pitch involves selling access to this data. Most booths have a gimmick, such as a giveaway or party invite, which requires scanning your ID badge. That scan transfers all of your personal info, including employer and job title, straight into their CRM. At BlackHat, despite the large price tag, attendees are the product, and vendors are the customers.
If you've ever pitched a booth at a trade show like Black Hat --- I've never done Black Hat, but I've done RSA --- you know that you can just get the attendee list. It costs money but it's a product that is for sale. The point of the scan is not to collect as much personal information as possible, but rather to get a list of people who are interested in what you're selling; the scan is (very very flimsy first-pass) lead qualification.
>but rather to get a list of people who are interested in what you're selling
Which makes swag sorta problematic. On the one hand, it drives booth traffic and some of those people may be exposed to your company or a product who hadn't been previously. On the other hand, I've seen lines of people clogging up booths and the vast bulk of them just want a T-shirt or to be entered in a drawing for a drone or whatever. You end up with scans that are 90% just people who wanted a freebie and have zero interest in your product.
At which point the conference organizers are smoking cigars made out of rolled hundred dollar bills and laughing at how they played both the attendees and the vendors! The American Way.
Make no mistake. Everyone is in on the game to various degrees. The conference venue, event teams and the companies that specialize in helping put booths together, even the attendees for whom in many cases conferences are something of a perk.
Agreed... any time you are transfering money from your account to someone else's, there's a strong chance you are getting the raw end of the deal unless you know exactly what you are doing.
I'm not so sure there's a raw end of the deal here so much as that there's a whole ecosystem of things related to trade shows that no one wants to end even though it's arguably not an especially efficient use of dollars at the end of the day. But it's been a thing for decades in many industries and no one really wants to end it, whether vendors, attendees, or the vast number of companies, venues, and unions that support it.
Whenever I read about things like this I just immediately assume the accidental data exposure was at the behest of an intelligence agency using an insider.
It's amazing the number of things you can find by simply enumerating through a sequential series of integers, in what is basically a "gimme data" request to some public facing data endpoint.
I assume you did not mean it like that, but 13 months in prison is nothing to get snarky about.
If I had to go to prison for 13 months - even if it was for something as silly as this example -, I'd most likely be out of a job and have a prior on my record, which would probably make it very hard to find a new job equivalent to the one I hold now.
13 months in prison can easily destroy somebody's professional existence, not to mention, if applicable, marriage/relationship and family.
I once heard of a very major website essentially being DOS-ed because a scrapper was enumerating IDs in the URL. (Can't say the name because I signed an NDA.) The engineers involved all assumed the scraping was legitimate indexing by a 3rd party or researcher.
Because real black hats don't spend multiple thousands of dollars to go to BH, unless they also have a corporate day job. In which case, they have no reason not to use their real name. Otherwise it gets a little awkward to meet your co-workers for a MS -sponsored happy hour with a con badge that says "Mr. ThE PlaGUe"
But even if your a civilian player you might say I am "John" from Att or BT - but that's not your real name and you actually work for the security group.
It's worth noting that Black Hat was spun off from Def Con to get corporations to allow employees to expense it. Often speakers at Black Hat also present at Def Con. Def Con as a matter of policy does not collect any information about its attendees [0].
62 comments
[ 2.0 ms ] story [ 129 ms ] threadIs that something people get warned when buying a ticket?
edit: https://www.blackhat.com/us-18/registration-terms.html#priva... links to https://legal.us.ubm.com/privacy-policy/#Choices which someone smarter than me should interpret.
Also, if you're at a show, presumably you're interested in at least of the vendors so may want to be on their lists. I get a huge amount of email from vendors because I attend so many events but it's not really that big a deal to just unsubscribe from anything I genuinely have zero interest in.
Maybe there are less black hats at these conferences than the numbers suggest.
You may be thinking of DEFCON?
It's possible that some might suggest that Black Hat Briefings might be easily googled.
Defcon has become this enormous nerd Burning Man event, filling Caesars armpit-to-elbow with attendees trying to fight their way to various different "villages". But as it's become that, it has become less and less "black hat", and more and more just security's Comic Con.
But in the days before the two conferences diverged, it certainly was not the case that BH was more "white hat" than Defcon; BH was a way to pay offensive security people out of the expense accounts of defensive security people. And these days I have sort of a hard time believing any "real" black hat takes Defcon seriously.
BlackHat - the Burning Man and Comic Con of information security for serious professionals.
Needs to be fleshed out with a bit of Renfaire, SXSW and Anthrocon, perhaps.
Everyone working in offensive security is still a white hat. That's a legitimate profession. Black hats hack things without permission. That used to be big at Defcon, but I don't think it was ever really a Black Hat thing.
Unless they run out of those, then they just give you a paper card that you wear on some string or something.
There are, so far as I know, no pay-to-play Black Hat talks; all the listed briefings were picked by the review board.
It's been several years, but I remember the RSA conf held in early Spring usually had it's CFP deadline something like a 6 months before. So if you were speaking at BH, then around July/August you had everything ready to present, which was perfect timing to submit for the following year's RSA.
I’m now imagining a place full of sharks with smaller fish swimming around waiting for their credit cards to get caught in a net.
It's not great to just dump contact info --- that happened to RSA Security a couple years back and it was a story then --- but it's mostly an optics problem, I think.
I can confirm that it is possible to go to big conferences and be unaware that my contact information is being flung about! For proof of existence, I provide myself.
(And I'm someone who gives out custom email addresses for all signups anyway, so I'm not totally naïve.)
It's one thing to attend a "free" event that makes a return by monetizing attendee data, and another to have an expensive event that does it.
One of the reasons I'm such a fan of BSides events which, generally, aren't expensive to attend and don't sell your data on.
(disclaimer - I've organized a couple of BSides events)
I say this as someone who participates in all this regularly. I much prefer smaller and less overtly commercial events in general.
Which makes swag sorta problematic. On the one hand, it drives booth traffic and some of those people may be exposed to your company or a product who hadn't been previously. On the other hand, I've seen lines of people clogging up booths and the vast bulk of them just want a T-shirt or to be entered in a drawing for a drone or whatever. You end up with scans that are 90% just people who wanted a freebie and have zero interest in your product.
/s
If I had to go to prison for 13 months - even if it was for something as silly as this example -, I'd most likely be out of a job and have a prior on my record, which would probably make it very hard to find a new job equivalent to the one I hold now.
13 months in prison can easily destroy somebody's professional existence, not to mention, if applicable, marriage/relationship and family.
[0] Read the fine print: https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20rec...