SFO laptop security breach: what a way to start Black Hat

The Black Hat cyber-security conference in Las Vegas gets underway tonight with a reception in a penthouse for speakers. But it’s so appropriate that the confab for security researchers is kicking off just as a big security breach hits the Transportation Security Association.

It seems a laptop with the sensitive information of 33,000 job applicants was stolen from the company that operates the “fast pass” security pre-screening authorization at San Francisco International Airport. Then it miraculously reappeared today, in a different place from where it was taken more than a week ago. The theft was serious enough that the TSA temporarily suspended new enrollments in Clear, the program that allows people to skip long security lines at airports.

This case is just one of many examples of laptop theft and the security risks that result from them. As I head into a conference known for its crowds of good and bad hackers, I’ll be keeping an eye on my laptop. And I’ll try to avoid being on “the Wall of Sheep,” which is the place where researchers show the usernames of people who have inadvertantly given away their passwords by using unsecured wireless networking.

Black Hat is a respectable cyber-security show at Caesar’s Palace with big sponsors such as Microsoft and Google. Lots of federal agents show up to communicate with the security researcher community. But they stick around for the wild and woolly Defcon show, a cash-only event at the Riviera Hotel. There, the federal agents speak on the “Meet the Feds” panel so they can make their own pitches: come work for us, don’t go to the dark side. It’s common for attendees at Defcon to have badges with only fake handles or first names.

One thing that’s good about the conference is that the researchers who speak here don’t hold back. Anyone with a security vulnerability is fair game for embarrassment at the show. Targets of security probes and related talks this year include Google Gadgets, Microsoft’s Windows Vista, Javascript, Cisco IOS, Bluetooth, VMware, …. You get the idea. Nothing is sacred. Nothing is full proof. People come here to learn how to plug the gaps in their security defenses.