
7/16/2012 04:54 PM
AT&T To Sponsor Zero-Day Contest For Kids

Second annual DefCon Kids highlights mobile app security, responsible disclosure, social engineering, and other topics aimed at teaching the ways of white-hat hacking

AT&T has joined forces with an 11-year-old hacker -- that's right, 11 -- and DefCon Kids in sponsoring a hacking contest during the second annual conference that runs in conjunction with the adult Def Con later this month in Las Vegas. Whoever finds the most zero-day bugs in mobile apps wins an iPad and $1,000, courtesy of DefCon Kids.

Inspiration for the competition came out of a new class of mobile vulnerabilities that the young hacker, who goes by "CyFi," reported last year to AT&T. After getting bored with her slow progress in one of her favorite mobile games, CyFi discovered a so-called "time-travel" flaw in the app: moving the device's clock ahead let her progress further in the game without waiting for timed events to occur. Because the app trusts the device's own clock, bugs of this kind can affect apps on any mobile tablet or smartphone operating system.
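The bug class CyFi found, as an added illustration that is not code from the article or from any app it mentions: a game cooldown that trusts the device clock, beside a server-authoritative version that ignores the device clock for the decision and only flags implausible client clock skew for fraud review. All class names and timestamp values are constructed.

```python
class Clock:
    """Constructed stand-in for a wall clock (seconds since the epoch)."""
    def __init__(self, now):
        self.now = float(now)

    def read(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds

class DeviceTrustingTimer:
    """Vulnerable pattern: the app compares its ready-time against the phone's own
    clock, so moving the date forward in Settings 'completes' the wait instantly."""
    def __init__(self, cooldown_s, device_clock):
        self.device_clock = device_clock
        self.ready_at = device_clock.read() + cooldown_s

    def is_ready(self):
        return self.device_clock.read() >= self.ready_at

class ServerAuthoritativeTimer:
    """Hardened pattern: the server stores the ready-time and decides with its own
    clock; the device's clock never enters the decision, only the review log."""
    MAX_SKEW_S = 300  # tolerance before a client's reported time is flagged

    def __init__(self, cooldown_s, server_clock):
        self.server_clock = server_clock
        self.ready_at = server_clock.read() + cooldown_s
        self.flags = []

    def is_ready(self, reported_device_time):
        skew = reported_device_time - self.server_clock.read()
        if abs(skew) > self.MAX_SKEW_S:
            self.flags.append(f"clock skew {skew:+.0f}s")  # signal for review
        return self.server_clock.read() >= self.ready_at

def simulate(hours_moved_ahead):
    """Both timers start a one-hour wait; the user then moves the device clock."""
    device, server = Clock(1_700_000_000), Clock(1_700_000_000)
    naive = DeviceTrustingTimer(3600, device)
    hardened = ServerAuthoritativeTimer(3600, server)
    device.advance(hours_moved_ahead * 3600)
    return {"naive_ready": naive.is_ready(),
            "hardened_ready": hardened.is_ready(device.read()),
            "flags": hardened.flags}

if __name__ == "__main__":
    print(simulate(2))  # naive timer reports ready; server-backed one does not
```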

[Photo: CyFi at DefCon Kids. Photo credit: Seth Rosenblatt, CNET. Courtesy of DefCon Kids.]

AT&T helped CyFi notify all of the affected mobile app developers last year, but only a few have actually fixed the bug. DefCon Kids plans to run the hacking contest until most of the app developers finally fix the problem, which could be for some time given that most mobile app developers are not yet security-savvy. The first-place winner gets a new iPad and $1,000, and during the conference CyFi will name the apps that still contain the vulnerability -- details she has kept under wraps until now.

DefCon Kids, which launched last year for kids to learn about white-hat hacking during the grown-ups' Def Con conference, is featuring some big-name speakers again this year. Among its headliners are science-fiction author Cory Doctorow, hardware hacker (and Def Con badge creator) Joe Grand, Electronic Frontier Foundation lawyer Marcia Hofmann, and Wired editor-in-chief Chris Anderson. Aside from AT&T, other partners in the July 27 to 29 event at the Rio Hotel & Casino include the National Security Agency (NSA), the Defense Department, AllClear ID, HacKid, Max Kelly, and the EFF.

"It teaches them to hack for good and not for evil. It keeps the good name of the hacking world alive," says FS, a 17-year-old hacker who will speak at DefCon Kids again this year. FS, a high school student who gets hired for white-hat hacking gigs on the side, says DefCon Kids keeps kids out of trouble by showing them how white-hat hacking is "cool."

"It takes the coolest people in Def Con who teach them and show them how doing hacking in a good way is still cool and you can still be a bad-ass," says FS, who will do a presentation to the kids about Def Con's famous Wall of Sheep, where users who dare to jump unprotected onto the conference's WiFi network get publicly outed.

Christofer Hoff, a security expert who founded HacKid, says DefCon Kids teaches youths to "do no harm": if it's not yours and you don't have permission to break it, don't. Hoff says this year's conference is bigger and was retooled a bit to give the kids more time with speakers, as well as a few field trips and more interactivity so they get to move around a bit (but still within the confines of the conference).

Among the hot topics this year will be responsible disclosure, he says. "If you find things are wrong [with software, you will learn] how you deal with it and how to get it fixed and not just break it," says Hoff, who will bring along some of his daughters to DefCon Kids again this year.

Hoff's 9-year-old daughter, Cl0ver, is scheduled to deliver a talk at DefCon Kids with him, but so far, her topic remains a mystery. "She has yet to inform me," he says.

Sci-fi author Doctorow, who is also editor at BoingBoing, will have his 4-year-old daughter in tow at DefCon Kids to try her hand at a little lock-picking, one of the more popular activities for the kids. Doctorow will give a talk called "Hacking your School's Network," but it's not what you think: He says he wants to teach kids how many school systems' filtering applications are actually backfiring and not truly protecting kids.

"Everybody wants to just block the stuff. The problem is that doesn't solve the problem," Doctorow says. "There needs to be a systemic change in the way censor stuff works, not just for educational reasons, but also for privacy reasons."

Not only do kids find creative ways to get around their schools' censorware, but they can also inadvertently get themselves into privacy trouble, for example, by handing over information to proxies that have not been vetted, according to Doctorow. "You're then driving them from safe behaviors to unsafe behaviors," he says.

And many of the censorware providers also sell their technology to dictatorships, nations that practice Internet censorship such as China and Syria, he says. "Their secondary market is repackaging it for schools," he says.

Kid Schmooze
DefCon Kids this year also will hold its second Social Engineering Capture the Flag contest, a kid-friendly version of Def Con's wildly successful SE CTF. Chris Hadnagy, who heads up both social engineering events for Def Con, says he and his team have kicked it up a notch for this year's contest. "The biggest complaint from kids last year was it was too easy," Hadnagy says.


"Without giving it away, the first set of ciphers will make the kids run around trying to find people and [execute certain tasks] to get their next clue. Once they do that, the next clues will be pieces" to more difficult challenges, Hadnagy says. The contest will encompass 20 kids divided into 10 teams, ranging in age from 7 to 16, he says.

And if the demographics are indicative of the future, the future looks bright for women in security: Half of last year's DefCon Kids' attendees were girls. Meanwhile, the organizers expect about 200 to 300 attendees for the kid con this year.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
