Fake Security Conferences

Turns out there are two different conferences with the title International Conference on Cyber Security (ICCS 2016), one real and one fake. Richard Clayton has the story.

Posted on May 2, 2016 at 3:45 PM • 15 Comments

Comments

wow • May 2, 2016 7:05 PM

Aren't all conferences honeypots so to speak? I mean, if the purpose of going to a conference is to connect with people, consider yourself connected with them all... that's all that the government is interested in is your "metadata" i.e. your connections anyway... right? :) So if there's one terrorist in that crowd... yep! you are too! See you in prison man!

By the way, I'm not actually trying to spread fear of conferences with this kind of talk, I'm trying to get people to understand how bad what our government is doing is, and get people off their duff to do something about it.

DV Henkel-Wallace • May 2, 2016 8:42 PM

Best Phishing Ever!

Bonus points for it being run by W.A.S.T.E. The Tristero trolls the FBI...I hope Pynchon learns about this.

Jon Forrest • May 2, 2016 9:50 PM

I remember the scandal that resulted in 2005(?) when the SCIgen program (https://pdos.csail.mit.edu/archive/scigen/) generated some random CS research papers that were accepted by a conference. Just for yuks, I decided to check out the conference that accepted the papers. The conference announcement contained about as much bogus verbiage as the research papers it accepted.

I've always wondered if, along with the bogus CS research paper generator, somebody had also written a bogus CS conference announcement generator.

Green Squirrel • May 3, 2016 1:56 AM

I think Richard Clayton has been a bit overoptimistic about at least one of the other ICCS2016 conferences.

Not only does the Zurich one scream scam, but the one at Rajasthan Technical University doesn't fill me with confidence.

By the way, it's a shame we are so pedantic that an Indian conference with one US mention gets away with calling itself international.

Woo • May 3, 2016 6:46 AM

I don't really get the point of that list of conventions...
Dorint is too big to have to use such a scam to lure potential conf visitors to their hotels.
Or are these conferences set up by scammers trying to collect entry fees? Who falls for such a thing?

Free Vacations! • May 3, 2016 9:08 AM

Maybe the scam is not on the attendees, but those who would employ the attendees and pay for travel to "conferences"

I've heard of some positions that require several visits to conferences each year. Why not do a fake one and spend the time vacationing in Zurich instead?? All expenses paid!

Green Squirrel • May 3, 2016 9:33 AM

@Woo

I agree that it probably isn't a scam set up by Dorint, but given that they have less than 20 meeting rooms, it seems absurd to think 160 conferences could be going on at the same time.

Added to which, they only have around 160 seats in the restaurant so you'd have to hope around 1 diner per conference.....

A quick check of their online booking implies that they still have a lot of vacancies 21 - 22 July (235 rooms in total...)

M. Welinder • May 3, 2016 9:42 AM

What call the other one fake?

Anyone attending will learn something relevant.

Clive Robinson • May 3, 2016 10:52 AM

@ Bruce,

As I have mentioned on this blog before there are a number of dubious conferences in various parts of the world,

India being a case in point, in order to graduate a number of Indian institutions require the potential graduate to "present a paper at an international conference"...

So guess what there are now quite a few "International Conferences" in India but... Those who want to put forward a paper have to sign up to a special package deal that costs (for Indian students) an eye watering amount of money...

It's also interesting to note that the Conference Board gets paid very nicely for reviewing papers etc etc. Some say that this can be around a third of a normal Prof's annual salary, so a nice little earner for some.

I'll not say they are a scam, I'll let others make their own minds up on that...

Z.Lozinski • May 3, 2016 11:12 AM

There is a related development in telecoms. There are three types of conference, with different audiences. Academic conferences with a mostly academic audience; Industry conferences with a mix of operators/service providers and vendors; there are also conferences like Usenix, NANOG.

The academic conferences were, and still are, run by ACM, IEEE etc. Ditto Usenix/NANOG which are run by their founders. The interesting development is the industry conferences. Over the last 20 years, the business model for the industry conferences has changed. Originally they invited a mix of operators and vendors, and charged the attendees. The reason for the popularity was smaller operators who wanted to understand new and emerging technologies. (Think Mobile Payments, LTE, SDN, 5G etc. There also was an implicit ban on pure sales presentations). Now, many offer "sponsorships" to vendors with eye-watering charges, and the promise of a "speaking opportunity".

A back of the envelope calculation suggests that this has doubled the revenue the organisers receive from a typical event. What is less clear is how many of the attendees realise that their attention is being sold in this way.

Who? • May 3, 2016 12:18 PM

I come from academia. I will not be surprised if the goal of this conference is publishing the "academic work" of some stupid apes to swell their CVs and allow them to get a good and well-paid position at a university. While there, if they can get some money from people who are not aware of the scam and pay for participating in the conference...

Universities should stop the game of numbers and start looking at the real value of the research of their members. But it is easier just counting the number of papers.

Rick Taggard • May 3, 2016 12:26 PM

@Who?

I was just discussing the difference of conference presentations in the comp sec industry versus academia with a professor.

(Yes the two sometimes merge.)

In comp sec, at our major conferences, anyway, presentations are deeply vetted by boards filled with comp sec luminaries. So, they tend to be high quality. This is often indirect marketing. Your company looks good by your speaking. You look good. And you get a free trip and room, as well as assured social fun.

According to the material, you may get new job offers.

But really only jobs wanting people to focus full time on conference work look at the numbers. And even then, they do look at the content, before hiring.

(Personally, I just do conference work for fun. Great excuse to make a scene.)

Scott • May 3, 2016 12:45 PM

If indeed that conference is fake, I wonder what the objective of setting it up would be: perhaps the registration process requires "attendees" to provide valuable personal information? Could any account passwords be used on other websites with an email address?

Sometimes I wonder if being a security researcher/analyst might actually be a security threat. If you have the knowledge to bring down networks and steal information, you could be on a list as a potential threat to national security (for any nation), because usually some piece of the government lives in paranoia like that. Sometimes being paranoid is their job.

You can comb LinkedIn if you want, but, to take things to an extreme, what happened to German scientists during WWII? Is somebody keeping a close eye on who signs up for these conferences?


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.