Cloud
8/20/2014
03:10 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Website Attack Attempts Via Vegas Rose During Black Hat, DEF CON

Data snapshot from Imperva shows major jump in malicious activity during security and hacker conferences in Sin City.

On a "normal" day, an average of 20 malicious web traffic events originating in Las Vegas hit Imperva's security customers. During Black Hat USA and DEF CON earlier this month, that number jumped more than 100 times the volume, according to a snapshot of data the firm compiled.

Barry Shteiman, director of security strategy at Imperva, was curious about just how much more malicious activity really does occur during big hacker-heavy conferences like Black Hat and DEF CON, so he measured the malicious traffic coming from Las Vegas the week of the two major shows and found the number reached a high of 2,612 web attacks aimed at its customers.

"I decided to test for attack traffic originating in Las Vegas during BlackHat and Defcon, and a month prior to that in order to correlate to baseline. In order to do that, we collected all of the security events during that time period from our Community Defense system, mapped Geo IPs for Nevada state, and Las Vegas specifically, then we queried the Community Defense data set for all source IPs that were in the US," Shteiman wrote in a blog post today. "Finally, we summarized by date and where the city itself is Las Vegas."

He says there also was a spike in attack volume during the NAACP's conference in Vegas in July. That means that "either that a large crowd in a conference scale event may cause a growth in attack volume due to malware on computers, or attackers are attending the conference and performing their attacks from there," he says.

With Black Hat and DEF CON, an increase in attack traffic wouldn't be too surprising in general. But the jump he spotted was intriguing: "They have some of the brightest security/hacking minds in the world attending. Those guys who read every link before they click, run custom operating systems in cases and are generally very aware to security and thereforeare less likely to be drive-by victims of hacking -- for that reason, seeing numbers that high is more substantial at a hacker conference than in other conferences," he says.

The attack volume rose at the start of Black Hat, dropped toward the end, and then began to increase at the start of DEF CON, he says. "A day after everything ends, the numbers are back to norm," he says.

Shteiman warns that the data is more of an "interesting snapshot" than a true trend, but it makes you think. His full post with data and graphics is here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/24/2014 | 6:10:57 PM
Re: Odd
It is an interesting stat, but I read it as the transition from one show to the other. 
DFER1
50%
50%
DFER1,
User Rank: Apprentice
8/22/2014 | 6:23:02 PM
Odd
One part of the article doesn't make any sense: "The attack volume rose at the start of Black Hat, dropped toward the end, and then began to increase at the start of DEF CON".

Black Hat and DEF CON overlap!  Thursday is the last day of BH and the first day of DEF CON.  That little fact makes me doubt the whole article, not to mention the source of the data is a security vendor.
bshteiman
50%
50%
bshteiman,
User Rank: Apprentice
8/21/2014 | 2:59:23 PM
Re: Correlations
I believe that there is always a certain climb of traffic/attack traffic when a big conference is in town, since many people come with their internet-needy computers, and those may be infected by malware etc...

In a hacker conference, its different. since A. the users are more security savvy and security-space-educated and are less likely to produce hijacked traffic. therefor it is more likely that attack traffic is generated from that unique crowd.

Barry Shteiman.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
8/21/2014 | 8:51:52 AM
Correlations
For BlackHat and DefCon this makes sense. An area is most vulnerable when there are less people patrolling it. This principle is followed here. But for what reason might there be a spike in volume for the NAACP conference?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?