Cloud
8/20/2014
03:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Website Attack Attempts Via Vegas Rose During Black Hat, DEF CON

Data snapshot from Imperva shows major jump in malicious activity during security and hacker conferences in Sin City.

On a "normal" day, an average of 20 malicious web traffic events originating in Las Vegas hit Imperva's security customers. During Black Hat USA and DEF CON earlier this month, that number jumped more than 100 times the volume, according to a snapshot of data the firm compiled.

Barry Shteiman, director of security strategy at Imperva, was curious about just how much more malicious activity really does occur during big hacker-heavy conferences like Black Hat and DEF CON, so he measured the malicious traffic coming from Las Vegas the week of the two major shows and found the number reached a high of 2,612 web attacks aimed at its customers.

"I decided to test for attack traffic originating in Las Vegas during BlackHat and Defcon, and a month prior to that in order to correlate to baseline. In order to do that, we collected all of the security events during that time period from our Community Defense system, mapped Geo IPs for Nevada state, and Las Vegas specifically, then we queried the Community Defense data set for all source IPs that were in the US," Shteiman wrote in a blog post today. "Finally, we summarized by date and where the city itself is Las Vegas."

He says there also was a spike in attack volume during the NAACP's conference in Vegas in July. That means that "either that a large crowd in a conference scale event may cause a growth in attack volume due to malware on computers, or attackers are attending the conference and performing their attacks from there," he says.

With Black Hat and DEF CON, an increase in attack traffic wouldn't be too surprising in general. But the jump he spotted was intriguing: "They have some of the brightest security/hacking minds in the world attending. Those guys who read every link before they click, run custom operating systems in cases and are generally very aware to security and thereforeare less likely to be drive-by victims of hacking -- for that reason, seeing numbers that high is more substantial at a hacker conference than in other conferences," he says.

The attack volume rose at the start of Black Hat, dropped toward the end, and then began to increase at the start of DEF CON, he says. "A day after everything ends, the numbers are back to norm," he says.

Shteiman warns that the data is more of an "interesting snapshot" than a true trend, but it makes you think. His full post with data and graphics is here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/24/2014 | 6:10:57 PM
Re: Odd
It is an interesting stat, but I read it as the transition from one show to the other. 
DFER1
50%
50%
DFER1,
User Rank: Apprentice
8/22/2014 | 6:23:02 PM
Odd
One part of the article doesn't make any sense: "The attack volume rose at the start of Black Hat, dropped toward the end, and then began to increase at the start of DEF CON".

Black Hat and DEF CON overlap!  Thursday is the last day of BH and the first day of DEF CON.  That little fact makes me doubt the whole article, not to mention the source of the data is a security vendor.
bshteiman
50%
50%
bshteiman,
User Rank: Apprentice
8/21/2014 | 2:59:23 PM
Re: Correlations
I believe that there is always a certain climb of traffic/attack traffic when a big conference is in town, since many people come with their internet-needy computers, and those may be infected by malware etc...

In a hacker conference, its different. since A. the users are more security savvy and security-space-educated and are less likely to produce hijacked traffic. therefor it is more likely that attack traffic is generated from that unique crowd.

Barry Shteiman.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/21/2014 | 8:51:52 AM
Correlations
For BlackHat and DefCon this makes sense. An area is most vulnerable when there are less people patrolling it. This principle is followed here. But for what reason might there be a spike in volume for the NAACP conference?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1978
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Simple PHP Agenda 2.2.8 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add an administrator via a request to auth/process.php, (2) delete an administrator via a request to auth/admi...

CVE-2015-0741
Published: 2015-05-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(1) and earlier allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut04596.

CVE-2015-0742
Published: 2015-05-21
The Protocol Independent Multicast (PIM) application in Cisco Adaptive Security Appliance (ASA) Software 9.2(0.0), 9.2(0.104), 9.2(3.1), 9.2(3.4), 9.3(1.105), 9.3(2.100), 9.4(0.115), 100.13(0.21), 100.13(20.3), 100.13(21.9), and 100.14(1.1) does not properly implement multicast-forwarding registrati...

CVE-2015-0746
Published: 2015-05-21
The REST API in Cisco Access Control Server (ACS) 5.5(0.46.2) allows remote attackers to cause a denial of service (API outage) by sending many requests, aka Bug ID CSCut62022.

CVE-2015-0915
Published: 2015-05-21
Cross-site scripting (XSS) vulnerability in RAKUS MailDealer 11.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted attachment filename.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.