Hackers Demonstrate Their Skills in Vegas

Even the ATMs were suspect at this year's Defcon conference, where hackers play intrusion games at the bleeding edge of computer security.

With some of the world's best digital break-in artists pecking away at their laptops, sending e-mails or answering cell phones could also be risky.

Defcon is a no-man's land where customary adversaries - feds vs. digital mavericks - are supposed to share ideas about making the Internet a safer place. But it's really a showcase for flexing hacker muscle.

This year's hot topics included a demonstration of just how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person's identity by scanning such things as thumb prints, irises and voice patterns.

Banks, supermarkets and even some airports have begun to rely on such systems, but a security analyst who goes by the name Zamboni challenged hackers to bypass biometrics by attacking the back-end systems and networks behind them. "Attack it like you would Microsoft or Linux," he advised.

Radio frequency identification tags, which send wireless signals and are used to track a growing list of items including retail merchandise, animals and U.S. military shipments, also came under scrutiny.

A group of twentysomethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet. That's important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.

RFID companies had said the signals didn't reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

"Our goal is to raise awareness," said Hering, 22. "Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem."

Erik Michielsen, an analyst at ABI Research, chuckled when he heard the Flexilis claims. "These are great questions that need to be raised," he said, but RFID technology varies with the application, and many deployments encrypt their data. Encryption uses an algorithm to scramble data so that it is unreadable to everyone except the intended recipient.

Also on hand at the conference was Robert Morris Sr., former chief scientist for the National Security Agency, to lecture on the vulnerabilities of bank ATMs, which he predicted would become the next "pot of gold" for hackers.

The Internet has become "crime-ridden slums," said Phil Zimmermann, a well-known cryptographer who spoke at the conference. Hackers and the computer security experts who make a living tripping up systems say security would be better if people were less lazy.

To make their point, they pilfered Internet passwords from convention attendees.

Anyone naive enough to access the Internet through the hotel's unsecured wireless network could see their name and part of their password scrolling across a huge public screen.

It was dubbed "The Wall of Sheep."

Among the exposed sheep were an engineer from Cisco Systems Inc., multiple employees from Apple Computer Inc. and a Harvard professor.
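What the Wall of Sheep relies on is that protocols such as HTTP Basic authentication, POP3 and FTP carry the username and password in the clear, so anyone sniffing an open wireless network can pull them out of the traffic and post a redacted version. The following is an added example (not code from the AP article or from the Wall of Sheep operators) that runs that extraction over constructed sample payloads; the IP addresses, hostnames and credentials in it are made up for the demonstration.

```python
"""Wall-of-Sheep style credential extraction over constructed traffic.

Scans reassembled application-layer payloads for credentials sent in the
clear (HTTP Basic auth, POP3/FTP USER and PASS) and produces the redacted
"name plus part of the password" lines the conference screen displayed.
All sample data below is constructed for this example, not captured traffic.
"""
import base64
import re

# Constructed sample of what a passive sniffer on an open Wi-Fi network would
# see: one entry per TCP stream, as (source IP, reassembled client payload).
SAMPLE_STREAMS = [
    ("10.0.0.5",
     "GET /mail/ HTTP/1.1\r\nHost: webmail.example\r\n"
     "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n"),
    ("10.0.0.9",
     "USER bob@example\r\nPASS correcthorse\r\nSTAT\r\n"),          # POP3 login
    ("10.0.0.12",
     "GET /index.html HTTP/1.1\r\nHost: news.example\r\n\r\n"),     # no credentials
]

_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)
_USER = re.compile(r"^USER\s+(\S+)", re.M)
_PASS = re.compile(r"^PASS\s+(\S+)", re.M)


def extract_credentials(payload: str):
    """Return (username, password, protocol), or None if no cleartext login is present."""
    m = _BASIC.search(payload)
    if m:
        try:
            # Basic auth is only base64 of "user:password"; no secrecy at all.
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            return None
        user, sep, password = decoded.partition(":")
        if sep:
            return user, password, "http-basic"
    u, p = _USER.search(payload), _PASS.search(payload)
    if u and p:
        return u.group(1), p.group(1), "pop3/ftp"
    return None


def redact(password: str, keep: int = 3) -> str:
    """Show only the first `keep` characters, as the public screen did."""
    return password[:keep] + "*" * max(len(password) - keep, 0)


def wall_of_sheep(streams):
    """Build the display rows: source IP, username, partially masked password, protocol."""
    rows = []
    for src, payload in streams:
        creds = extract_credentials(payload)
        if creds:
            user, password, proto = creds
            rows.append(f"{src}  {user}  {redact(password)}  ({proto})")
    return rows


if __name__ == "__main__":
    for row in wall_of_sheep(SAMPLE_STREAMS):
        print(row)
```

The defence is the same today as it was then: anything on an untrusted network must go over TLS or a VPN, because a sniffer needs no exploit to read a protocol that sends the password itself.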

An annual highlight of the conference is the "Meet the Feds" panel, which this year included representatives from the FBI, NSA, and the Treasury and Defense departments. Morris and other panel members said they would love to hire the "best and brightest" hackers but cautioned that the offer wouldn't be extended to lawbreakers.

During the session, Agent Jim Christy of the Defense Department's Cyber Crime Center asked the audience to stand.

"If you've never broken the law, sit down," he said. Many sat down immediately - but a large number appeared to hesitate before everyone eventually took their seats.

"OK, now we can turn off the cameras," Christy joked.

Some federal agents were indeed taking careful notes, though, when researcher Michael Lynn set the tone for the conference by publicizing earlier in the week a vulnerability in Cisco routers that he said could allow hackers to virtually shut down the Internet.

Lynn and other researchers at Internet Security Systems had discovered a way of exploiting a Cisco software vulnerability in order to seize control of a router. That flaw was patched in April, but Lynn showed that Cisco hadn't quite finished the repair job - that the same technique could be used to exploit other vulnerabilities in Cisco routers.

Cisco and ISS went to court to try to stop Lynn from going public, but Lynn quit ISS and spoke anyway. In the wake of his decision, Lynn has become the subject of an FBI probe, said his attorney Jennifer Granick.

Many at the conference praised Lynn.

"We're never going to secure the Net if we don't air and criticize vulnerabilities," said David Cowan, a managing partner at venture capital firm Bessemer Venture Partners.

And the vulnerabilities are plenty.

During his session on ATMs, Morris said thieves have been able to dupe people out of their bank cards and passwords by changing the software in old ATMs bought on eBay for as little as $1,000 and placing the machines in public venues.

Associated Press
