
Hackers Demonstrate Their Skills in Vegas

Filed under: Misc

Even the ATM machines were suspect at this year's Defcon conference, where hackers play intrusion games at the bleeding edge of computer security.

With some of the world's best digital break-in artists pecking away at their laptops, sending e-mails or answering cell phones could also be risky.

Defcon is a no-man's land where customary adversaries - feds vs. digital mavericks - are supposed to share ideas about making the Internet a safer place. But it's really a showcase for flexing hacker muscle.

This year's hot topics included a demonstration of just how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person's identity by scanning such things as thumb prints, irises and voice patterns.

Banks, supermarkets and even some airports have begun to rely on such systems, but a security analyst who goes by the name Zamboni challenged hackers to bypass biometrics by attacking their backend systems, the networks behind them. "Attack it like you would Microsoft or Linux," he advised.

Radio frequency identification tags, which send wireless signals and are used to track a growing list of items including retail merchandise, animals and U.S. military shipments, also came under scrutiny.

A group of twentysomethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet. That's important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.

RFID companies had said the signals didn't reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

"Our goal is to raise awareness," said Hering, 22. "Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem."

Erik Michielsen, an analyst at ABI Research, chuckled when he heard the Flexilis claims. "These are great questions that need to be raised," he said, but RFID technology varies with the application, many of which are encrypted. Encryption technology uses an algorithm to scramble data to make it unreadable to everyone except the recipient.

Also on hand at the conference was Robert Morris Sr., former chief scientist for the National Security Agency, to lecture on the vulnerabilities of bank ATMs, which he predicted would become the next "pot of gold" for hackers.

The Internet has become "crime ridden slums," said Phil Zimmermann, a well-known cryptographer who spoke at the conference. Hackers and the computer security experts who make a living on tripping up systems say security would be better if people were less lazy.

To make their point, they pilfered Internet passwords from convention attendees.

Anyone naive enough to access the Internet through the hotel's unsecured wireless system could see their name and part of their passwords scrolling across a huge public screen.

It was dubbed "The Wall of Sheep."

Among the exposed sheep were an engineer from Cisco Systems Inc., multiple employees from Apple Computer Inc. and a Harvard professor.

An annual highlight of the conference is the "Meet the Feds" panel, which this year included representatives from the FBI, NSA, and the Treasury and Defense departments. Morris and other panel members said they would love to hire the "best and brightest" hackers but cautioned that the offer wouldn't be extended to lawbreakers.

During the session, Agent Jim Christy of the Defense Department's Cyber Crime Center asked the audience to stand.

"If you've never broken the law, sit down," he said. Many sat down immediately - but a large number appeared to hesitate before everyone eventually took their seats.

"OK, now we can turn off the cameras," Christy joked.

Some federal agents were indeed taking careful notes, though, when researcher Michael Lynn set the tone for the conference by publicizing earlier in the week a vulnerability in Cisco routers that he said could allow hackers to virtually shut down the Internet.

Lynn and other researchers at Internet Security Systems had discovered a way of exploiting a Cisco software vulnerability in order to seize control of a router. That flaw was patched in April, but Lynn showed that Cisco hadn't quite finished the repair job - that the same technique could be used to exploit other vulnerabilities in Cisco routers.

Cisco and ISS went to court to try to stop Lynn from going public, but Lynn quit ISS and spoke anyway. In the wake of his decision, Lynn has become the subject of an FBI probe, said his attorney Jennifer Granick.

Many at the conference praised Lynn.

"We're never going to secure the Net if we don't air and criticize vulnerabilities," said David Cowan, a managing partner at venture capital firm Bessemer Venture Partners.

And the vulnerabilities are plenty.

During his session on ATM machines, Morris said thieves have been able to dupe people out of their bank cards and passwords by changing the software in old ATM machines bought off eBay for as little as $1,000 and placing the machines out in public venues.

Associated Press

More in Tux Machines

Developer lowers Drupal's barrier to entry

From a consumer perspective, I'd like open source to be ubiquitous to the point of invisibility. Using recent Ubuntu distros, I'm always shocked at how professional the environment feels. Just five years ago, you'd need to hunt down drivers and do a bunch of fiddling to get basic things like a sound card working. Now there are so many pushbutton ways to deploy open source tech, from OSes to CMS distros on Pantheon to buying an Android-powered mobile phone. We're not quite to the point where CMS users can feel like open source is transparent; there's still a huge investment in vendors to give you the expertise to manage your Drupal or WordPress site, for example. But we're closer than we were a decade ago, and that's pretty exciting.

Intel invests $60 million in drone venture

Intel is investing $60 million in UAV firm Yuneec, whose prosumer “Typhoon” drones use Android-based controllers. Intel Corp. CEO Brian Krzanich and Yuneec International CEO Tian Yu took to YouTube to announce an Intel investment of more than $60 million in the Hong Kong based company to help develop drone technology. No more details were provided except for Krzanich’s claim that “We’ve got drones on our road map that are going to truly change the world and revolutionize the industry.” One possibility is that Intel plans to equip the drones with its RealSense 3D cameras (see farther below).

today's howtos

Security Leftovers

  • London Calling: Two-Factor Authentication Phishing From Iran
    This report describes an elaborate phishing campaign against targets in Iran’s diaspora, and at least one Western activist. The ongoing attacks attempt to circumvent the extra protections conferred by two-factor authentication in Gmail, and rely heavily on phone-call based phishing and “real time” login attempts by the attackers. Most of the attacks begin with a phone call from a UK phone number, with attackers speaking in either English or Farsi. The attacks point to extensive knowledge of the targets’ activities, and share infrastructure and tactics with campaigns previously linked to Iranian threat actors. We have documented a growing number of these attacks, and have received reports that we cannot confirm of targets and victims of highly similar attacks, including in Iran. The report includes extra detail to help potential targets recognize similar attacks. The report closes with some security suggestions, highlighting the importance of two-factor authentication.
  • Ins0mnia: Unlimited Background Time and Covert Execution on Non-Jailbroken iOS Devices
    FireEye mobile researchers discovered a security vulnerability that allowed an iOS application to continue to run, for an unlimited amount of time, even if the application was terminated by the user and not visible in the task switcher. This flaw allowed any iOS application to bypass Apple background restrictions. We call this vulnerability Ins0mnia.
  • Why is the smart home insecure? Because almost nobody cares
    It's easy to laugh-and-point at Samsung over its latest smart-thing disaster: after all, it should have already learned its lesson from the Smart TV debacle, right? Except, of course, that wherever you see “Smart Home”, “Internet of Things”, “cloud” and “connected” in the same press release, there's a security debacle coming. It might be Nest, WeMo, security systems, or home gateways – but it's all the same.
  • Critical PayPal XSS vulnerability left accounts open to attack
    PayPal has patched a security vulnerability which could have been used by hackers to steal users' login details, as well as to access unencrypted credit card information. A cross site scripting bug was discovered by Egyptian 'vulnerabilities hunter' Ebrahim Hegazy -- ironically on PayPal's Secure Payments subdomain.
  • Important Notice Regarding Public Availability of Stable Patches
    Grsecurity has existed for over 14 years now. During this time it has been the premier solution for hardening Linux against security exploits and served as a role model for many mainstream commercial applications elsewhere. All modern OSes took our lead and implemented to varying degrees a number of security defenses we pioneered; some have even been burned into silicon in newer processors. Over the past decade, these defenses (a small portion of those we've created and have yet to release) have single-handedly caused the greatest increase in security for users worldwide.
  • Finland detains Russian accused of U.S. malware crimes
    Finland confirmed on Thursday it has detained a Russian citizen, Maxim Senakh, at the request of U.S. federal authorities on computer fraud charges, in a move that Russia calls illegal.
  • Finland confirms arrest of Russian citizen accused of crimes in the US
    Finnish authorities have confirmed the detention of Maxim Senakh, a Russian citizen accused of committing malware crimes in the US. The Russian Foreign Ministry has expressed concern and called on Finland to respect international law.
  • More than 80% of healthcare IT leaders say their systems have been compromised
    Eighty-one percent of healthcare executives say their organizations have been compromised by at least one malware, botnet or other kind of cyberattack during the past two years, according to a survey by KPMG. The KPMG report also states that only half of those executives feel that they are adequately prepared to prevent future attacks. The attacks place sensitive patient data at risk of exposure, KPMG said. The 2015 KPMG Healthcare Cybersecurity Survey polled 223 CIOs, CTOs, chief security officers and chief compliance officers at healthcare providers and health plans.
  • Removal of SSLv3 from LibreSSL
  • Kansas seeks to block release of voting machine paper tapes
    The top election official in Kansas has asked a Sedgwick County judge to block the release of voting machine tapes sought by a Wichita mathematician who is researching statistical anomalies favoring Republicans in counts coming from large precincts in the November 2014 general election.