How experts stay safe at the Black Hat security conference

Elizabeth Weise | USA TODAY

SAN FRANCISCO — Pen and paper instead of a laptop. Cash instead of credit cards. Face-to-face chats instead of cell phones. That's the drill for the most cautious at two big computer security conferences taking place this week in Las Vegas.

It's where security professionals need to be — and why they need to be on their toes, said Richard Blech, CEO of Secure Channels, a digital information security company based in Irvine, Calif.

Black Hat, which begins Tuesday, will fill the Mandalay Bay hotel with upwards of 9,000 security executives, hackers, academics, and government and law enforcement staffers.

It's immediately followed by Def Con, a more hacker-oriented conference held at the Paris and Bally's hotels. Last year, Def Con attracted nearly 16,000 people.

Both feature demonstrations, lectures and presentations about the most cutting-edge computer security issues — and are attended by thousands of people with the tools and the knowledge to break into just about any system imaginable. These very skilled attendees sometimes like to show off their skills, others are looking for bragging right. And because it's an event that brings in high-level government and corporate staff, there's also plenty of data and networks to entice the nefarious.

It's one-stop shopping, a place were every major security executive is gathered. "You don't have to travel around the globe or hunt them down on the Internet — they're all here," said Brad Taylor, CEO of security company Proficio in Carlsbad, Calif

That means "the rules are a little different," said Stan Black, chief security officer for Citrix in Fort Lauderdale, Fla. For example, he's bringing his schedule printed out on a piece of paper so he doesn't have to turn on his cell phone to check it.

The most wary will also turn off Wi-Fi, power down Bluetooth and book hotel rooms halfway across town.

The threats include everything from "script kiddies" — unskilled hackers who use other people’s programs to attack dangerous systems — to nation-state actors out to pry loose sensitive information from large international corporations.

"And they're all staying in the same hotel," said Steve McGregory, director of threat and application intelligence for Ixia, a security firm in Calabasas, Calif..

Jon Miller, vice president of the security firm Cylance in Irvine, Calif., doesn't see the hacking at Black Hat as malicious so much as simply intellectually curious. But he still turns off Wi-Fi and Bluetooth on his phone and only logs on to the Internet from his hotel room using a virtual private network.

"And all my communications are encrypted," he said.

Taylor's not even sure how safe VPNs will be. "I'm just a little concerned that somebody's got something they've figured out — and this is the time they'll use it," he said.

Perhaps the biggest danger is the one most people wouldn't think twice about — using the hotel or conference Wi-Fi to connect to the Internet. "And that means Starbucks, too," Taylor said.

At DefCon, that's made abundantly clear by what's known as the "Wall of Sheep." Most years a self-appointed group of attendees monitor the conference Wi-Fi system and post a continuous stream of passwords, IDs and other information unwittingly transmitted in the open by those not using safe computing techniques.

To guard against having their cell phones hacked, some attendees use "burner phones" instead. These are cheap, pre-paid cell phones that contain none of their personal information. They just throw them away when they're done with the conference.

With multiple sessions demonstrating how easy it is to read credit card data remotely with an electromagnetic sniffer, lots people leave their credit cards back in their hotel room safe.

"They can just be standing behind you in the line. They come up to you and kind of bump into you and they're electronically lifting the information, it just takes second," Blech said.

He counsels staff and clients to keep their credit cards in specially shielded envelopes to or stack them one on top of the other so the signals are jumbled up.

Laptops are such a treasure trove of information that many conference-goers leave theirs at home, bringing only a "sterile" machine that contains nothing but the presentations they're making. No email. No Web browsers. No personal files.

Even though his machines are encrypted "and have all the security they should have," Brad Taylor at Proficio only plans to carry a clean iPad.

"If somebody's got something new and they're testing it out, I don't want to be one of the people who gets hit," he said.

All of this makes Black Hat and Def Con somewhat daunting to attend, but that's the world these security professionals live in every day.

Having to protect a single laptop isn't that big a deal, Black said. "We get over 20,000 unauthorized probes on our system every minute," he said.

Follow USA TODAY reporter Elizabeth Weise on Twitter: @eweise