Privacy Is Serious Business At Black Hat Security Conference
LOURDES GARCIA-NAVARRO, HOST:
This is WEEKEND EDITION from NPR News. I'm Lourdes Garcia-Navarro. It seems like not a week goes by that we don't hear about a major crime on the Internet - credit card data stolen, our home computers infected with bad software that we never downloaded. The problems of cyber security seem big but also really abstract. All this week, NPR's Aarti Shahani has been in Las Vegas with thousands of experts for whom these problems are very real. Hi, Aarti.
AARTI SHAHANI, BYLINE: Hi.
GARCIA-NAVARRO: So we heard this week about the supposed theft of 1.2 billion usernames and passwords. That's billion with a B. That sounds like a big problem to me. Do the experts there think so?
SHAHANI: Yes and no. It's important to keep in mind about the Russian hack that it was not independently verified. And so we don't actually know what the company has in its databases, who exactly was hacked, whether the passwords and usernames are old - from five years ago - or recent. So we have to put that in perspective.
GARCIA-NAVARRO: Yeah, it seems like we're hearing about these security threats all the time. I mean, they're in the news everyday. How real are they or do they just get a lot of attention?
SHAHANI: They definitely are real. And part of what's happening here this week in Vegas is some of the best minds in the industry are trying to come up with solutions. And, you know, some of the solutions that I've actually seen this year that I found interesting - and the variety that I've seen here is - for example, this company Tanium is working on real-time detection - meaning that, you know, it's not good enough to find out you've been breached 5 weeks or even 5 days later. To know when it's happening will actually help you to respond. So they're trying to work on systems that help corporations to do that. And apparently it's a very hard problem - to even know that you've been breached. Another company that I ran into called Pindrop - which maybe I'm interested in because I'm a broadcaster. They focus on phone fraud. So apparently, when you're getting a call - let's say you're working at a bank or something. And you get a call from someone who says that they're the account holder. Through an analysis of the quality of their phone call, you can tell if they're on a Skype line or a regular line and, you know, are they calling from Nigeria or Minnesota.
GARCIA-NAVARRO: There's two conferences. There's the Black Hat one that we've just been talking about. But there's also DefCon, the original conference for underground hackers. What was that scene like?
SHAHANI: Oh, I really like the scene at DefCon. I don't think there's a single corner of the U.S. or, you know, maybe even the world, where people take their privacy more seriously.
GARCIA-NAVARRO: People pay their own way, right? Why do they go?
SHAHANI: Well, people come here for a mix of reasons, OK? Some people are coming here for skills building. There are little villages in DefCon - as they're called. So one village, for example, teaches you how to break locks. Another village is focused on social engineering. And that's when you can learn to how to use the deep web - the parts of the web that are not on Google - to fish for information, which is a great tool for a journalist to have. Other people come here for recruitment. While this is a very countercultural space and you have, you know, mohawks and tattoos - even face tattoos - you know, this is also a place where the establishment comes over to look for their next talent. So you actually have a lot of side-conversations between people that look very different. And you can tell that people are talking about jobs and career.
GARCIA-NAVARRO: Have they played spot the fed this year? I mean, has there been any government presence - any NSA on site?
SHAHANI: Last year, the NSA was very much the talk of the town, particularly with the Snowden revelations. I think that this year the assumption is yes, obviously the government is here. Obviously, the NSA is here. That's been the case for a long time. But an interesting kind of government presence, for example, is the FTC - the Federal Trade Commission - is here. And they're actually sponsoring a hackathon - a competition - because they're trying to recruit hackers to help them with the problem of phone fraud. And I think the fact that there's another kind of government agency here illustrates a bigger problem that we have across government agencies, which is that there's one that is hyper-concentrated with cyber security knowledge. And then every other agency is just, you know, really limping along trying to do some basics and not having very many resources.
GARCIA-NAVARRO: NPR's Aarti Shahani joining us from Las Vegas. Thank you, Aarti.
SHAHANI: Thank you.