It’s Time For DEF CON: Where’s Your Computer Security Expert?

By James R. Lint
Faculty Member, School of Business, American Military University

It is that time of the year. Hackers, corporate computer security personnel, network penetration testers and federal government computer security professionals are going to Las Vegas for DEF CON 24, running from August 4-7.

Origins of DEF CON

DEF CON is one of the oldest and largest hacker conferences. It started out as a 1992 Las Vegas party for a friend of DEF CON’s founder, Jeff Moss. The event was so popular that people wanted to hold it again.

There are many discussions about how the name DEF CON originated. One story says that the name came from the Matthew Broderick movie “WarGames,” featuring a teen hacker. The movie used the military term “DEFCON,” meaning “Defense Condition.” The other story is that the “DEF” is from the #3 key on a phone. The “CON” came from “conventions.”

Quirks of DEF CON

DEF CON does not allow the use of credit cards to pay or pre-register. This rule is to appease the concerns of the registrants. In the beginning, there were individuals who were very talented with phones and computers, and maybe some of their skills were unlawful. One of the registrants’ worst fears was that the FBI would collect the information on their registration forms and use that information to arrest people.

But the lack of registration caused consternation for other participants. In later years, many federal employees and investigators wanted to learn about the techniques of the hacker community. The lack of a registration receipt made it difficult for them to be reimbursed for attending DEF CON.

DEF CON Appeal’s to Computer Security Experts

DEF CON is a great learning and networking place for everyone. As a retired federal employee, I look forward to DEF CON to see my federal friends.

DEF CON is a place to discover out-of-the-box thinkers who may have ideas for computer security that have not been explored. For example, NSA General Keith Alexander spoke at DEF CON in 2013. He planted the seed in the hacker community that they should explore working for the U.S. government.

Many government employees support this hiring effort. As a nation, it is critical for us to grow this type of talent in computer security. Those future employees will work with large budgets and impact international operations.

DEF CON is also a target-rich recruiting event. The FBI will have a booth at DEF CON, staffed by FBI professionals assigned to the FBI Cyber Division. They will also provide special 10-15 minute presentations on FBI cyber capabilities and recruitment efforts.

Furthermore, this conference appeals to former military service members transitioning to corporate computer security. They want to learn the newest computer security defense measures and see the corporate security programs that are offered.

DEF CON Affects the Future of Computer Security

My first DEF CON was in 2005. Since then, the computer security industry has seen computer whiz kids graduate from college and create excellent computer penetration testing companies.

These network penetration testers, also known as white hat hackers, test computer systems for high pay. Many high-security companies are required to have penetration testing every six to 12 months to maintain their insurance. This is the evolution of “evil hackers” to well-paid corporate penetration testers.

DEF CON 24 is the birth of new ideas and new connections. Ideas and conversations held while participants are standing in line or in hallways will inspire new companies, new techniques, and maybe new industries.

Story was originally published at:

‘BSides’ Las Vegas Offers Fresh Cybersecurity Insights from Industry Leaders

By James R. Lint
Faculty Member, School of Business, American Military University

Overview: On August 2nd and 3rd, BSides Las Vegas held its eighth annual information security conference at the Tuscany Suites in Las Vegas. BSides is a community event organized and run by volunteers. The following is a survey of some of the many strategies, insights and experts that enriched the entire two-day experience for cybersecurity professionals.

BSides Keynote Speaker Dr. Lorrie Cranor Discusses Misconceptions in Password Security

The conference kicked off with an outstanding keynote speaker, Dr. Lorrie Cranor, Chief Technologist of the U.S. Federal Trade Commission. Having written over 150 research papers, she’s also a professor in the School of Computer Science and the Engineering and Public Policy Department at Carnegie Mellon University, and Director of the Carnegie Mellon Usable Privacy and Security Laboratory.

A thought leader in the information security industry, Dr. Cranor puts forth revolutionary ideas—especially in changing conventional security practices such as the mandatory password changes conducted in many organizations. Her research data shows that changing passwords is not as effective as one might think. Keylogger software programs detect password changes and can instantly compromise the new password.

She discussed a report by the University of North Carolina that studied 10,000 defunct accounts. The study found that people apply changes in predictable ways, making it easier for UNC to determine future passwords using an algorithm.

The UNC study discovered that users who are annoyed when they must frequently change passwords were statistically shown to create weaker passwords. Consequently, the weaker security choices of some users endangered cybersecurity for all users in an organization.

Dr. Cranor addressed misconceptions on password strength, noting that using keyboard patterns on any mobile device, including diagonal patterns, does not provide security for users. She discredited the infamous belief that an exclamation point at the end of a password offers greater security. To increase information security for passwords, Dr. Cranor recommended that users avoid common words or names and add digits and symbols to increase a password’s strength.

Dr. Cranor also presented an interesting bit of research that asked people to decide which password was more secure: “ILoveYou88” or “IEatKale88”? The Password “IEatKale88” is 4 trillion times more secure than “ILoveYou88”. It’s interesting to note how “super” common “ILoveYou” is as a password.

Expert Haydn Johnson Talks about Organizational Confusion with Information Security

Network penetration tester and vulnerability assessment expert Haydn Johnson of KPMG Canada spoke about his interesting concerns commonly used information security terms, such as penetration testing, vulnerability assessments and red teams. Managers who contract security testing and assessment services often confuse these terms and have unrealistic expectations about system and network security, he noted.

Johnson described concerns about how to modify scanning tools to keep up with new security vulnerabilities. He advised that information security companies should differentiate themselves from their competition in the future by providing much-needed education to customers about business risks and the impact of security vulnerabilities.

Cybersecurity Research Expert Keren Elazari Calls for Better Computer Software Content Identification

Another thought-provoking speaker was Keren Elazari, a senior cybersecurity researcher and computer security expert from the Balvatnick Interdisciplinary Cyber Research Center at Tel Aviv University in Israel. Elazari facilitates hacker/security researcher conferences in Israel and spoke during I Am The Cavalry’s track at the BSides conference.

Elazari discussed why security research matters for the coming decades and emphasized that third-party computer software needs to be better identified to determine potential vulnerabilities. She drew a startling comparison—while candy bar labels are required to list all of their ingredients, software has no labels that explain elements of the software code.

There’s danger in buying unfamiliar software. Large, multimillion-dollar companies may purchase smaller software companies, yet not have intimate knowledge of their acquisitions’ third-party software, which could contain harmful viruses.

Other noteworthy topics by Elazari included how “Hacker Heroes” wield their skills for the greater good. They have the knowledge to report on vulnerabilities and assist in the software patch to repair the problem.

BSides Conference Showcases Information Security Nonprofits

One of the interesting tables on display at BSides was The Open Web Application Security Project (OWASP), a nonprofit focused on improving the security of software. Their mission is to make software security visible, so that individuals and organizations are able to make informed decisions.

OWASP is in a unique position to provide impartial, practical information about application security to individuals, corporations, universities, government agencies and other worldwide organizations. Operating as a worldwide community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.

OWASP will hold a conference in Washington, DC in October 2016, and another conference in Belfast, Ireland, in 2017. Additionally, OWASP has programs to attract women into the application security career field.They also have projects working with military veterans to boost awareness of the critical need for the application security career field.

Similarly, I Am The Cavalry is a grassroots organization that is focused on issues where computer security intersects with public safety and human lives. I Am The Cavalry’s primary concerns are medical devices, automobiles, home electronics and public infrastructure.

During the conference, I Am The Cavalry offered a choice of speakers, including Keren Elazari, for the “I Am The Calvary” track of discussion sessions. The entire track was excellently managed and facilitated by Joshua Corman and Beau Woods.

With such a diverse choice of speakers and presentations at BSides, it’s hard to see everything. However, this conference offers something for everyone and is well worth attending.

Story was originally published at:

Navy Cryptology
The Evolution of Navy Cryptology

BY U.S. NAVY – MARCH 11, 2016
By Vice Adm. Jan E. Tighe
Commander, Fleet Cyber Command, U.S. 10th Fleet

Eighty-one years ago today, the first unified organization coordinating Navy Cryptology, the Communications Security Group, was established. From Station HYPO, OP-20-G and the On the Roof Gang, to the present day, our community has continued to evolve to meet and defeat the threats we face.

The transition of the Information Dominance Corps to the Information Warfare Community in concert with the CNO’s Design for Maritime Superiority has given us another opportunity to formalize our evolution, and to deliberately examine our community identity. A great deal of our heritage can be traced to the Naval Security Group, and our collective identification as Navy cryptologists.

To that end, and based on thoughtful input from the affected members of our community, the name of some of our officer designators (181X, 681X, 781X) will be changing to cryptologic warfare officer. This choice honors our cryptologic heritage, reflects what we do, recognizes the military effects we deliver in the converged domain and more closely ties our officer corps with our enlisted and civilian force counterparts. Cryptologic warfare officers, together with cyber warfare engineers, cyber warrant officers, cryptologic technicians (interpretive, maintenance, networks, collection and technical) and civilians, engaged in cryptologic missions are a unified community—unified through understanding, unified in action and unified by name.

We are Navy cryptologists.

Whether we are executing mission under joint commanders, fleet commanders, Director of the National Security Agency (DIRNSA), or the Commander, United States Cyber Command (USCYBERCOM); and whether significant portions of our missions are organized under Communications Security Group, Naval Security Group, Naval Network Warfare Command or today’s Fleet Cyber Command/10th Fleet, we have our own enduring identity, culture and ethos.

We are the Navy cryptologic community.

On behalf of maritime and joint commanders, we execute cryptologic warfare, which encompasses signals intelligence (SIGINT), cyberspace operations and electronic warfare (EW) operations in order to deliver effects through sea, air, land, space and cyber domains at all levels of war.

As a symbol of what we do, I would also like to share with you our new Navy cryptologic community seal. While not a representative of a Navy organization or command in the traditional sense, this seal represents our own rich heritage, who we are and where we are going. It represents us.

The Naval officer crest and our cryptologic technician insignia, with its lightning bolt and quill, represent and respect our long history. These symbols have stood from the earliest days of our community to the present day.

The binary background overlaid on the globe represents our part in the larger information warfare community, whose seal shares the same symbolism, as well as our core expertise in cyber, along with our global reach.

The skeleton key reminds us that we are relied upon to unlock and solve puzzles, and in many cases find missing pieces to paint a complete picture of our Nation’s adversaries. The key is engraved with the date symbolic of our collective establishment as a naval profession: March 11, 1935.

The chain binds us all together — officer, enlisted, and civilian — and binds our core missions — SIGINT, Cyber, and EW — to us, and us to them. The three stars also symbolize these three core missions. Through the converged domain, we enable and deliver effects to the commander and fellow warfighters. Our Community Vision, an update to our 2012 Foundational Principles, is also under construction and I will share it with you as soon as it is complete.

Please join me in embracing this next evolution of our community, which has stood on the shoulders of giants, both seen and unseen. Today, you who serve in the Navy cryptologic community will be those giants upon whom future generations of Navy cryptologists stand.

The Future of Cryptology | The Lint Center for National Security Studies