I've never picked a lock in my life...until today. I had the chance to attend ShowMeCon, and one of the expo booths was a hands-on experience for lock-picking. The experience was really cool, and it reminded me of the great things you can learn when you support local security conferences. ShowMeCon is the premier hacking and security conference in the St Louis area. They had lots of great speakers and tons of great information to learn.
I heard one speaker outline the details of how he used social engineering techniques to pose as a pest control bug spray guy and walked right into the vault of more than one bank in the Las Vegas, NV area. He was hired by the bank president to test the security of the bank. The first branch he walked in, he simply said he was there to spray for bugs, and the bank employees escorted him straight to the vault...no questions asked! Needless to say, the bank president was none too pleased with the performance of his employees. The power of social engineering and the impact of human emotion was clearly shown during his presentation. It was great.
I also heard from Dan Tentler who was hired by a journalist to hack into his life. The journalist was doing a documentary on how easy it is to ruin someone's life through hacking, and the journalist was the guinea pig in this case. The presentation by the hacker was fantastic, and he showed just how incredibly simple it is to take control of someone else's life. My favorite part of the presentation was when he showed emails from him to the journalist that included pictures of the journalist taken from the webcam of his own MacBook Pro. The journalist was pretty freaked out when he saw the pictures of himself...taken from his own computer. The documentary is very interesting and can be found here.
Kevin Johnson also spoke on the subject of ethics in security research. He did a great job of explaining how modern bug bounties impact the security perception of corporations today. He successfully incorporated several "My Cousin Vinny" examples (which is a rare and awesome talent), and he also talked about being branded "that guy" when your company screws up a security related incident. To emphasize his point, he referenced an incident back in the 1970's where a beached whale was found on the shores of Florence, Oregon. To clean up the whale carcass, the head engineer on the job decided to use a massive amount of dynamite to blow the whale to bits so that seagulls and other scavengers would eat the pieces over time. As it turns out, the idea did not go as planned. And, the engineer on site was forever known as "the whale guy". Check out the video here. And, don't be that guy.
Other topics included credit card token manipulation, breaking cipher block chain encryption modes through collision attacks, antivirus evasion, and red team/blue team techniques for hacking and defense.
The conference was well worth the price of admission, and I would highly encourage any and all of you to take advantage of security conferences in your area. Who knows, you might just learn some new tricks like I did. That lock I'm holding in the picture below is the actual evidence of my mad picking skillz. And that other unlocked yellow one on the table...yeah, I got that one too!