with Aaron Schaffer

LAS VEGAS — The Black Hat and Def Con conferences, which are typically crowded and bustling summer highlights for the cybersecurity community, are far more muted this year. 

Often dubbed “hacker summer camp,” the events were significantly rejiggered in recent weeks in response to the rapid spread of the delta variant — a dramatic example of how the coronavirus is still upending daily life in general and the cybersecurity industry in particular. 

In-person attendance at Black Hat, which began Wednesday, is about one-fourth of a typical year, though many more people are joining virtually by streaming keynote addresses and panel discussions. Def Con, which kicks off Thursday, is expecting about one-third to one-fourth of its normal in-person attendance as well. 

Top speakers that were planning to participate in person have pivoted to giving online addresses. That includes Department of Homeland Security Secretary Alejandro Mayorkas and Cybersecurity and Infrastructure Security Agency Director Jen Easterly, who will give virtual keynotes at the conferences.  

“It’s the strangest Black Hat I’ve ever been to,” Jay Kaplan, co-founder of the cybersecurity firm Synack, told me. Kaplan has been attending the conferences, which are among the most prominent in the cybersecurity community, for more than a decade.

“Talks that would normally have long lines you can just walk into. People are losing out on a lot of the relationship-building that would normally happen at a conference like this,” he said.

The halls and conference rooms at Black Hat normally have a Times Square level of activity. 

They were far more sedate on Wednesday, with pockets of mask-wearing attendees milling about. 

“It seems really chill,” Jeff Moss, who founded both conferences and continues to run Def Con, told me. “Normally there’s a crazy feeding-frenzy energy. This time seems much more like, ‘Hey, really good to see you again.’ ”

Cybersecurity companies that would normally be hawking their wares at Black Hat have instead bought banners urging people to visit their “virtual booths” online. 

Among those attending in person and virtually there was a general lament that a second year was passing without the mammoth Las Vegas get-together that has increasingly become a required visit for top cyber leaders in government and industry. 

“You take covid and isolation and the pandemic in parallel with the increased and accelerating [cyber] threats and you've got a lot of very crispy, burned-out people who are missing that human connection,” Kymberlee Price, a member of the Black Hat review board who helped organize the conference, told me.

She noted that there are benefits to the virtual conference, including being less distracted by the hubbub of the in-person gathering and meeting new people in online discussion forums. 

Here’s more from Rick McElroy, principal cybersecurity strategist for the company VMware Carbon Black, on Twitter:

Def Con has changed more significantly than Black Hat during the pandemic. 

While Black Hat is a more traditional conference, Def Con is typically far looser. It includes large hands-on events where attendees try to hack into voting machines, medical equipment and other critical technology.

Versions of those hands-on events will still be around this year, but for far fewer people. 

The more traditional speeches and panel discussions, meanwhile, will all be livestreamed with a free online Q&A. That opens up the conference to a lot of people who couldn’t attend a live event because of the cost or distance, including many outside the United States. 

“The good news is the community is really forgiving and they know we're trying and they know we're not going to have a perfect event,” Moss told me. 

One of Def Con’s most famous and controversial components is the voting village, which was instrumental in exposing hackable vulnerabilities in commonly used voting machines. 

That has drawn the ire of voting machine companies, which complain that the hacks demonstrated at the conference wouldn’t be possible in real-world circumstances. The event nevertheless helped push the firms to conduct more rigorous cybersecurity testing and open their technology to vetting by outside experts. 

This year, the voting village will focus more on training and discussions focused on combating disinformation and conspiracy theories about election security such as those propagated by former president Donald Trump and his supporters. 

“The topic of election integrity has really been elevated to a new level of visibility,” Edward Perez, global director of technology development at OSET Institute, a nonprofit election technology organization, told me. He'll be giving a remote presentation at the conference about the rigors of election administration.

“We’ve seen vividly how inaccurate or actively propagated disinformation can tear apart our social fabric and literally lead to violence,” he said, “so that public education is very important.”

Here are more thoughts on this strange year at Black Hat and Def Con.

Mike Murray, founder of Scope Security:

Nikita Kronenberg, Def Con director of content and coordination:

Derek Johnson, senior reporter for SC Magazine:

Tony Anscombe, global security evangelist at the cyber firm ESET:

The keys

The White House called a ransomware group’s promise to not target some critical infrastructure a positive step.

The comments from ransomware gang BlackMatter are evidence that the Biden administration’s message that critical infrastructure should be off-limits to hackers is being taken seriously, deputy national security adviser Anne Neuberger said, the Record’s Martin Matishak reports. Biden said he gave Russian President Vladimir Putin a list of U.S. critical infrastructure sectors in June and threatened to impose consequences if they're hacked by Russia-based criminal gangs. 

The BlackMatter comments seem to comport with that effort, but “the proof will be in the pudding,” Neuberger said at the Aspen Security Forum. The hacking gang made the comments in an interview with the cyber firm Recorded Future. The gang said it is focusing on hacking large Western companies but won’t target some critical infrastructure facilities because doing so would “attract unwanted attention.”

The comments drew some raised eyebrows from cyber watchers who thought Neuberger was giving too much credit to comments by one criminal gang. NBC News's Kevin Collier:

BlackMatter is a rebranded version of the Darkside hacking group that targeted Colonial Pipeline, according to an investigation by the firm Chainalysis. Darkside disappeared in May and BlackMatter emerged in July.

Neuberger also detailed why the White House chose not to ban cryptocurrency payments to hacking groups. The administration found that “if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it,” she said.

New hacking research is being unveiled at Black Hat and Def Con.

A French hacker found digital bugs in the systems used to manage Japanese “capsule hotels,” allowing him to “take control of any bedrooms I wanted from my laptop,” Wired’s Andy Greenberg reports. By exploiting the bugs, the hacker could control the lights, ventilation and bed-to-couch conversion system for any of the hotel’s tiny rooms. 

Another Black Hat presentation details a bug that affected Amazon and Google systems. By exploiting it, security researchers were able to collect data including user names from 15,000 organizations. The list included more than 100 government entities, according to the Record’s Catalin Cimpanu. Amazon and Google have updated their software to fix the bug, while a third company is working on a fix.

Hackers targeted diplomats using a Microsoft Exchange bug before the same bug was used in widespread cyberattacks in March.

The hackers stole documents and emails from six foreign ministries and eight energy companies, security researchers said. They used similar techniques as hackers responsible for a broader swath of Microsoft Exchange hacks this year, Bloomberg’s Kartikay Mehrotra reports. It’s not clear whether the same group was behind both hacks.

In March, Microsoft pinned the blame for some of the Exchange hacks on Hafnium, a group it said works for the Chinese government. China’s foreign ministry has denied responsibility.

Mentions

  • National cyber director Chris Inglis brought on John Costello as his chief of staff. Costello previously worked on the Cyberspace Solarium Commission and at the Department of Commerce and CISA.

Daybook

  • CISA Director Jen Easterly and Homeland Security Secretary Alejandro Mayorkas speak at the Black Hat hacking conference today.
  • Easterly, Mayorkas and CISA executive assistant director Eric Goldstein speak at the Def Con conference on Friday.