The widespread release of sensitive information such as credit card and social security numbers has grabbed headlines, disrupting business for several major corporations. Over the past five years, well-respected companies including Sony, Target and Staples have been hacked.
As cyber criminals become more sophisticated, the impact of these breaches has spread beyond the general public. Recently, in one of the biggest, most spectacular U.S. cyber attacks, the personal data of 18 million current, prospective or former federal employees was successfully compromised.
While it may be comforting to think hackers only go after big-name companies and organizations, it would be a mistake to believe your conference is exempt from cyber security problems. In the past few years, there have been a number of high-profile conference breaches that should make meeting planners feel less secure. When the Linux Australia conference was hacked, the full contact information of delegates was exposed. The websites of the United Nations World Conference on International Telecommunications were shut down by outsiders. Even a fun-filled show such as New York Comic Con can become a victim—in this instance, attendee Twitter accounts were compromised and fake tweets issued.
These are just the incidents that made the news—countless other cases have surely gone unreported.
What Do They Want?
Who are these people who could potentially attack your site?
“There is no specific profile other than having a computer and knowledge. Hackers never discriminate,” says Larry Letow, CEO of Convergence Technology Consulting.
Keep in mind that many hackers are not your teenage whiz (think WarGames). Those people can more accurately be described as hobbyists than potential criminals. Your most serious threats, however, are typically hardened professionals with all the skills you would expect from your doctor or lawyer. Cyber pirates span the globe, so more often than not, you will have no idea who and where they are.
Hollywood has created the impression that hackers use expensive, specialized equipment. The truth is quite the opposite. Most tools cost under a couple of thousand dollars, sometimes much less. For example, the Pineapple Router designed to impersonate any open network sells for US$99.99. UberTooth costs just a little bit more, and can be used to hack into Bluetooth devices such as smartphones.
So what do these pirates want from conferences? Their goals vary, but here are some general areas of concern.
- Registration Lists. This is the most obvious target. Selling lists for the purposes of spamming is widespread, but cell phone data, addresses and phone numbers are even more valuable.
- Inside Access. In the case of the Linux conference hack, the people on the list were network system administrators and represented a strong target for accessing an institution’s infrastructure. “This access can then be spread into even worse scenarios such as ransomware attacks,” says Corbin Ball, CSP, CMP of Corbin Ball & Co.
- Room Block Poaching. By obtaining your registration lists, hotel room pirates can contact your attendees and “offer” prices below your block rates. Often, housing pirates will misrepresent themselves as speaking for your organization. They will contact attendees and urge them to book their rooms immediately, saying that the room block is either sold out or near capacity. These reservations will usually include steep cancellation fees so that the attendees cannot change plans if they discover they were misled. In the worst case, the housing pirates will use attendee credit card information without making any room reservations in return.
- Email Scams. Your registration lists make this easy. Hackers can do amazing things with emails. Phishing attacks are the most noteworthy, but misrepresentations can come in the name of your organization. For example, cyber pirates can issue a “conference survey” in your name, but with the real purpose of installing a virus on the respondents’ devices.
- Password Attacks. Similarly, imposter sites can prompt a user to create a password, which the attacker then reuses for nefarious purposes, such as unauthorized purchases.
- Stealing Credit Cards. Whether by impersonating your website or by attacking the credit card process directly, a successful attack here can be quite lucrative.
- Politics. If you are hosting a controversial guest or speaker, your show may become a target for a denial-of-service attack or defaced website. You may think signing that big name is a coup, but it may have just turned you into a target.
- Ruining Your Reputation. This is similar, except the target is your show—the goal is to put the event in the news for the purposes of discouraging future attendees.
The nature of your show really does not matter. Sean Donahoo, CEO of Disruptive Solutions, says, “Hackers love enterprises that think they’re too small or uninteresting, as they make for very soft targets.”
Unwelcome Visitors at Your Show
The above threats revolve around your online presence, but things get really interesting when your show begins. Vulnerabilities are widespread and just one weak area can lead to disaster.
The registration area is usually where you welcome your attendees, but hackers may also find this a good location to start their shenanigans.
“Onsite computers for registration can be hacked to get credit card info as people register onsite. Most times these machines are not supervised. So, anyone could add devices to track keystrokes,” says Rod Stiegman, director of technology services for SmithBucklin Corporation. “There are human issues as well. Many attendees openly give out their credit card info or even write it down and hand it to temps working the event.”
If you have kiosks, attackers can easily install viruses or even replace your form with their own screens to capture personal information and credit cards. Even QR codes can be an issue—one can easily be created to redirect to an imposter site that looks like your conference web pages.
The most dangerous threats are actually with the Wi-Fi networks at your venue and related hotels. Wi-Fi is at a premium for travelers, so free hotspots can be especially tempting. Unfortunately, it is very easy for an attacker to create a hotspot that seems safe. For example, they can use network names such as “Starbucks” or “Convention Center.” This tactic can easily deceive even people who are technically oriented.
The meeting venue is not the only facility of concern. Most people are used to logging into hotel Wi-Fi via some kind of popup login page. Unfortunately, this too is relatively easy to impersonate. I was told about a CIO who was tricked by this technique and ended up giving hackers all the information they needed to break into her corporation’s internal network. Cell phone usage can also be compromised when attackers place their own “cell phone tower” near your conference to intercept phone activity.
Mobile apps have created yet another platform for the pirates.
“By their very nature, native apps store potentially sensitive data on the handset, and these are relatively easy to hack into if they are not encrypted and stored correctly,” Stiegman says.
Even promotional giveaways can be a problem. For example, there have been numerous cases where hackers left thumb drives with a supposed company logo at various locations at a conference. Thinking that these were free promotional items, people with security clearance took these to their offices and—wham-o!—the hackers were inside secret military facilities. The U.S. Department of Defense has banned thumb drives as a result of these Trojan horse breaches.
Be wary of free phone charging stations. A “juice jacker” can be used to break into a smartphone that is taking advantage of the service.
What if You Are Attacked?
Being the victim of a successful cyber attack is one of the worst nightmares an organization can face. You will need to pull all compromised systems offline immediately as well as conduct a full audit of your entire environment. This can be quite expensive, so your organization might want to consider data breach insurance.
It is best to not pretend to the outside world that nothing happened.
“I believe in full transparency,” Ball says. “If there is a hack that impacts attendees, they should be notified of the threat and the actions they should take, as well as the actions the event host is taking to remedy the problem.”
This does not mean that releasing the news will not be painful—it will be. Having a good public relations team in place will certainly help the cause. You will probably need to craft a carefully worded message to present to your attendees and any other potentially impacted parties.
Taking Proactive Measures
The good news is that there are a lot of things you can do to reduce the possibility of an attack.
The most basic step is on your desktop. Hackers often break into a site by simply trying common passwords or basic variations of personal information (such as your birthday). All accounts should have “strong” passwords—a minimum of eight characters and a mix of upper- and lower-case letters as well as at least one number. You should also keep up to date with all software patches, especially for your browsers and operating system.
Your software vendors need to be fully cognizant of the need for high security. Any products that manage money, such as online registration, need to be PCI compliant. All online forms should use SSL (https in the browser address bar), which means that all data transmitted is encrypted. Note that unencrypted data can be viewed by cyber thieves who have tapped into the network path between the user and your site. Even simple forms such as surveys should be served over SSL.
A lot of conferences are accustomed to posting their attendee lists online to attract people to their show. It is time to seriously re-evaluate this policy—especially if you have hotel room blocks. Simply omitting phone and email information from your lists will not help much: in most cases, Googling a person reveals their email and contact information anyway. You may want to consider replacing these screens with a simpler list, such as the organizations participating.
To make your onsite facilities secure, you will need to educate your support staff. They need to know the threats that exist and the appropriate steps to combat them. This knowledge extends to your vendors’ staffs, especially the venues and hotels. The facilities, in particular, will need to have an IT organization in place that can monitor the wireless networks and be on the lookout for unauthorized access points. All of your wireless networks should be encrypted.
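As an added example (not part of the original article), the following Python script shows the kind of check a venue's IT staff could run over a wireless site survey to spot the evil-twin and lookalike hotspots described above. The authorised access-point list and the scan results are constructed sample data; real surveys would come from the venue's own wireless controller or a scanning tool.

```python
"""Rogue access point check over a constructed Wi-Fi site survey (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str    # network name as broadcast to attendees
    bssid: str   # MAC address of the radio; unique per access point
    open: bool   # True if the network has no encryption


# Assumed allowlist maintained by the venue's IT staff (constructed values).
AUTHORISED = {
    ("Convention Center", "aa:bb:cc:00:00:01"),
    ("Convention Center", "aa:bb:cc:00:00:02"),
    ("ConfHotel-Guest", "aa:bb:cc:00:01:01"),
}


def _normalise(ssid: str) -> str:
    """Drop case, spaces and punctuation so lookalike names compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def classify_scan(scan, authorised=AUTHORISED):
    """Map each scanned BSSID to a finding label for the IT staff to review."""
    allowed_pairs = {(s, b.lower()) for s, b in authorised}
    known_ssids = {s for s, _ in authorised}
    known_norm = {_normalise(s) for s in known_ssids}
    findings = {}
    for ap in scan:
        norm = _normalise(ap.ssid)
        if (ap.ssid, ap.bssid.lower()) in allowed_pairs:
            findings[ap.bssid] = "authorised"
        elif ap.ssid in known_ssids:
            # Exact venue name, but broadcast from a radio we do not own.
            findings[ap.bssid] = "evil twin"
        elif any(k in norm for k in known_norm):
            # Name built around the venue's name, e.g. "Convention-Center Free WiFi".
            findings[ap.bssid] = "lookalike name"
        elif ap.open:
            findings[ap.bssid] = "unknown open network"
        else:
            findings[ap.bssid] = "unknown"
    return findings


# Constructed scan results of the kind a site survey would report.
SAMPLE_SCAN = [
    AccessPoint("Convention Center", "aa:bb:cc:00:00:01", False),
    AccessPoint("Convention Center", "de:ad:be:ef:00:01", True),
    AccessPoint("Convention-Center Free WiFi", "de:ad:be:ef:00:02", True),
    AccessPoint("Starbucks", "de:ad:be:ef:00:03", True),
    AccessPoint("ExhibitorBooth42", "de:ad:be:ef:00:04", False),
]
```

Anything labelled other than "authorised" or "unknown" is worth a walk to the floor with a signal-strength meter; a second radio broadcasting the venue's own name is the case the article warns about.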
Onsite you will also need good physical security to protect key locations such as registration areas, as well as to watch for unauthorized visitors. If you are using kiosks and related devices, you need to make sure USB ports are disabled and that people cannot simply exit from the running program to get at the operating system.
If you have a large show or one that is in the public spotlight, you really should consider having a cyber security professional review your vulnerabilities.
“The bottom line is that in an industry that seems to plan for everything, there is scant attention paid to this very large and very real threat to events and attendees,” Donahoo says.
Originally appeared as the cover article of The Meeting Professional, October 2016 issue.