ALBANY -- Computer hacking will climb down from the headlines and into the Albany Capital Center next week, as local cybersecurity experts stage ANYCon, billed as the area’s first hacker conference.
It’s not an exaggeration or slander to call these experts hackers -- they have the same skillset as criminals stealing identities and crashing computers for illicit gain, but they are hired to do it legally, to expose weaknesses in their clients’ computer systems.
“White hat” hackers, those on the right side of the law, are the intended audience for the June 16-17 convention, but the organizer acknowledges there may be some black hat hackers in attendance, as well.
“It’s an interesting debate,” said Tyler Wrightson, owner of Leet Cyber Security and organizer of ANYCon. But ultimately, he thinks the debate about teaching black hats how to hack misses the point -- there already is a huge black hat hacker community, and they’ve proved very adept at sharing the latest tips and tricks among themselves. It’s crucial, he said, that the white hats keep up.
“Learning the offensive side of cybersecurity is absolutely necessary to defend against it,” Wrightson said. “It’s far more important to get the good people together in a crowd. You need to understand things to actually create good, strong defenses.”
ANYCon -- which stands simply for Albany Convention, in honor of Wrightson’s hometown -- is open to all but is targeted at cybersecurity industry professionals and students interested in the field, he said. More than 25 regional and national experts are lined up to speak, representing entities ranging from the U.S. Army to Albany Law School. Topics will also include software and information security, but hacking is a main focus.
Wrightson has been in cybersecurity for two decades: three years as a hobby and the last 17 years as a professional. His business is entirely preventative -- he looks for the weaknesses in a client’s system and advises how to eliminate them. (“Hacking you before they do” is the Leet slogan.)
If someone comes to Leet with a computer infection or security breach, Leet refers them to a company that specializes in damage control.
“All we do is hack,” Wrightson said. “We get hired to identify those weaknesses before [black hat] hackers do.”
Cybersecurity is a rapidly growing field, he said, with essentially zero percent unemployment and room for perhaps a million new practitioners.
“Everyone has had technology thrown into their business,” he said. “You can’t not be connected to the Internet now. And it’s invaded people’s personal lives.”
With that sea change has come an entire category of criminals looking for illicit gain from all those computers.
They spread knowledge through chat rooms, message boards, the “dark web” and sometimes even face-to-face meetings, Wrightson said. They can be hard to combat because seeking or possessing the knowledge isn’t illegal -- misusing it is. Also, many are operating in countries that don’t do anything to stop them.
“I think our government is getting very good at responding to threats that operate in America, but that’s one of the challenges,” he said.
Government agencies and private entities keep tabs on black hat hackers and their activities, but they are a moving target -- hacking tools and techniques change weekly or even daily, Wrightson said.
“Even some of the things that are cutting-edge, they’ll be obsolete three months from now,” he explained.
His company works for firms and agencies of all sizes, and while the tactics and details of what Leet does for each client vary, the results don’t.
“The methods that we use basically work everywhere,” Wrightson said. “Hackers are like water; they’re going to follow the path of least resistance.”
Ransomware like the worldwide WannaCry hack last month is one of the major cybersecurity threats today, he said, but the current model -- where data on an infected computer is locked or encrypted so users can’t get at it unless they pay the hacker a ransom -- is just “the tip of the iceberg.”
New types of ransomware will be deployed, Wrightson predicted, that will do things like leaving data accessible but completely scrambled -- patient names and treatment details switched in medical records, or numbers moved on financial data before it is released to regulators and stockholders.
“This is literally the easiest, most brute-force way to frighten anyone,” he said. “Criminals could do that today; it’s just a question of whether it’s worth their effort.”
This is the challenge of cybersecurity: As black hats follow the path of least resistance, white hats block them, and if they are successful, something else becomes the path of least resistance.
Effective cybersecurity and white hat hacking contain a large education component, Wrightson said: professionals have to constantly update their knowledge base.
It’s impossible to print an up-to-date textbook about the subject, and colleges don’t turn out graduates ready to immediately combat black-hat hackers through offensive security measures, he said. What colleges are good at is preparing people to move into the field, he added, by grounding them in network engineering, programming and network administration -- the fundamental infrastructure that black hats corrupt and white hats protect.
“We do have some really good pipelines of talent that are emerging, between all the colleges in the area,” Wrightson said.
He hopes to use ANYCon to further develop that talent.
“We want to make this a community event, where we stick a flag in the ground and say, ‘Albany has a very good budding cybersecurity community,’” he said.
Dave Kennedy, the founder and principal security consultant of TrustedSec, will be ANYCon’s keynote speaker. Kennedy is co-author of “Metasploit: The Penetration Tester’s Guide.” He is also the creator of the Social-Engineer Toolkit and co-founder of the DerbyCon cybersecurity conference in Kentucky. He will speak about the current state of the cybersecurity industry and its impact on the world.
Two-day tickets are $125 for adults, $50 for students and free for those younger than 17.