Every year thousands of self-styled “underground” computer hackers converge on Las Vegas for their annual convention, called DEFCON. This year’s convention had intriguing presentations, such as “Hacking .NET applications: The black arts” and “Steal everything, kill everyone, cause total financial ruin.”

The speakers have names like “Freaksworth,” “Moxie Marlinspike” and “Skunkworks.”

While DEFCON may seem on the surface like a Vegas party for geeks, there is very important information being presented at it that IT and security specialists at businesses, banks and financial services should know about.

Understanding the world of IT security from the point of view of hackers is invaluable. And attending events like DEFCON is becoming crucial to IT security specialists as more business operations move onto the Web and into the Cloud.

Of the many fascinating presentations I attended at this year’s DEFCON, three were particularly relevant to security issues facing financial institutions today:

SSL Authentication

Secure Sockets Layer (SSL) authentication is the mechanism a browser uses to verify the identity of a website before it exchanges data with it. When you open a website, your browser checks the site’s certificate; if the certificate checks out, the site is allowed to load. Those certificates are vouched for by third-party certificate authorities such as Comodo or Verisign. This system worked well while the Internet was growing, but with 350 million sites on the web today, authenticating websites properly presents serious challenges.

The system for authenticating websites has become increasingly convoluted, less secure and, therefore, less reliable. This means that hackers can create false websites that fool your browser into thinking they are secure, which puts very important data at risk of theft or manipulation.

The good news is that, with the help of “white hat” hackers, specialists are developing a solution to this serious problem: a system of independent “notaries” that moves away from the centralized, rigid system of certificate authorities to one that is more agile, more current and more trustworthy. The end result will be that your data will be safer.
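To make the notary idea concrete, here is an added example (not from the article, and not the code of any notary project) of the kind of check such a system performs: several independent notaries each record the certificate fingerprint a host served them, and the client trusts the certificate it was handed only if enough notaries agree. The host name, notary names, quorum size and “certificate” bytes are all constructed for illustration, and nothing here touches the network.

```python
"""Added example: a quorum-based "notary" check on a TLS certificate
fingerprint, showing the trust-agility idea behind the independent-notary
scheme described above.  Everything here is constructed: the notary names,
the host name and the "certificate" bytes are invented, and no network
connection is made."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated
    hex, the form browsers show in their certificate viewer."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Notary:
    """One independent vantage point.  In a real deployment each notary
    connects to the host itself and records the certificate it was served;
    here the observations are pre-filled (constructed)."""
    name: str
    observations: Dict[str, str] = field(default_factory=dict)  # host -> fingerprint

    def observed(self, host: str) -> Optional[str]:
        return self.observations.get(host)


def notary_verdict(host: str, presented_der: bytes,
                   notaries: List[Notary], quorum: int) -> dict:
    """Compare the certificate the client was served with what each notary
    saw from its own vantage point.  Trust requires at least `quorum`
    notaries to agree.  Disagreeing notaries are reported rather than hidden,
    because a split view is worth investigating: it can mean the client's
    connection is being intercepted, a notary is compromised, or the site
    rotated its key and not every notary has seen the new one yet."""
    presented_fp = fingerprint(presented_der)
    agree, disagree, no_data = [], [], []
    for n in notaries:
        seen = n.observed(host)
        if seen is None:
            no_data.append(n.name)
        elif seen == presented_fp:
            agree.append(n.name)
        else:
            disagree.append(n.name)
    trusted = len(agree) >= quorum
    if trusted:
        reason = f"{len(agree)} of {len(notaries)} notaries agree (quorum {quorum})"
    elif not agree and not disagree:
        reason = "no notary has observed this host"
    else:
        reason = (f"only {len(agree)} of {len(notaries)} notaries agree; "
                  f"{len(disagree)} report a different certificate")
    return {"host": host, "fingerprint": presented_fp, "trusted": trusted,
            "agree": agree, "disagree": disagree, "no_data": no_data,
            "reason": reason}


# --- constructed scenario --------------------------------------------------
HOST = "online.bank.example"
GENUINE_CERT = b"constructed DER bytes: genuine certificate for online.bank.example"
ROGUE_CERT = b"constructed DER bytes: look-alike certificate from a mis-issued CA"

GENUINE_FP = fingerprint(GENUINE_CERT)
ROGUE_FP = fingerprint(ROGUE_CERT)

# Three notaries saw the genuine certificate; the fourth reports the rogue one
# (its path to the host is intercepted, or the notary itself is compromised).
NOTARIES = [
    Notary("notary-a", {HOST: GENUINE_FP}),
    Notary("notary-b", {HOST: GENUINE_FP}),
    Notary("notary-c", {HOST: GENUINE_FP}),
    Notary("notary-d", {HOST: ROGUE_FP}),
]
QUORUM = 3


def run_scenario() -> dict:
    """Evaluate the three cases a client can run into and return the verdicts."""
    return {
        "genuine": notary_verdict(HOST, GENUINE_CERT, NOTARIES, QUORUM),
        "rogue": notary_verdict(HOST, ROGUE_CERT, NOTARIES, QUORUM),
        "unknown": notary_verdict("never-seen.example", GENUINE_CERT, NOTARIES, QUORUM),
    }


if __name__ == "__main__":
    for label, verdict in run_scenario().items():
        print(f"{label:8} trusted={verdict['trusted']!s:5} {verdict['reason']}")
```

The point of the design is that no single party decides: a certificate that only one of four notaries vouches for is rejected even though that notary might be a perfectly valid authority on its own, which is exactly the failure the single-certificate-authority model cannot catch.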

Chip and PIN

Financial institutions in Europe have been issuing credit cards with a smart chip inside rather than a magnetic stripe on the back. The chip holds encrypted information about the cardholder, including their PIN. Instead of signing at the point of sale, the cardholder must enter the PIN. If the card is stolen, the thief cannot simply forge a signature as they would with a magnetic-stripe card; they must know the PIN. This is touted as a very secure system for card issuers and cardholders that also offers convenience and quicker transactions.

There are, however, vulnerabilities that are already evident in Europe.

Card skimmers, illegal devices that thieves place in ATMs and point-of-sale terminals to capture card data, can trick the card into divulging all of its owner’s information, including the PIN. The companies that maintain chip and PIN systems deny there is a problem, but according to the presenters at DEFCON this is happening now in Europe, and the practice is growing rapidly.

Hacktivism

When hackers feel that a company has been unethical, they may decide to become vigilantes and hack into that company’s databases to expose information that could be damaging to its public image. WikiLeaks is an example of a high-profile “hacktivist” at work.

Although those who practice “hacktivism” believe they are somehow doing justice, there is a dialogue in the hacker community around whether or not this is justifiable.

The major takeaway from the panel discussion at DEFCON was that companies should do their very best to secure their information, while also being as transparent as possible regarding business practices and bad news. Hacktivists tend to target companies that appear to bury bad news or try to cover up a crisis.

It’s another reason to always make sure that your systems are as secure as possible.

As more business and commerce is done online, we must be increasingly aware of the threats and vulnerabilities that can cause businesses to suffer major losses both financially and to their reputations. By keeping an eye on the hacker community, the business community can work to avoid breaches in security.

Ryan Rodrigue is an IT assurance supervisor at Wolf & Company and regularly attends the DEFCON convention. Email: rrodrigue@wolfandco.com

What Financial Institutions Can Learn From Hackers

Banker & Tradesman