
Hackers Demonstrate Their Skills in Vegas


Even the ATMs were suspect at this year's Defcon conference, where hackers play intrusion games at the bleeding edge of computer security.

With some of the world's best digital break-in artists pecking away at their laptops, sending e-mails or answering cell phones could also be risky.

Defcon is a no-man's land where customary adversaries - feds vs. digital mavericks - are supposed to share ideas about making the Internet a safer place. But it's really a showcase for flexing hacker muscle.

This year's hot topics included a demonstration of just how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person's identity by scanning such things as thumb prints, irises and voice patterns.

Banks, supermarkets and even some airports have begun to rely on such systems, but a security analyst who goes by the name Zamboni challenged hackers to bypass biometrics by attacking the back-end systems and networks behind them. "Attack it like you would Microsoft or Linux," he advised.

Radio frequency identification tags, which send wireless signals and are used to track a growing list of items including retail merchandise, animals and U.S. military shipments, also came under scrutiny.

A group of twentysomethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet. That's important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.

RFID companies had said the signals didn't reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

"Our goal is to raise awareness," said Hering, 22. "Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem."

Erik Michielsen, an analyst at ABI Research, chuckled when he heard the Flexilis claims. "These are great questions that need to be raised," he said, but RFID technology varies by application, and many applications encrypt their data. Encryption uses an algorithm and a key to scramble data so that it is unreadable to anyone who does not hold the key.

Also on hand at the conference was Robert Morris Sr., former chief scientist for the National Security Agency, to lecture on the vulnerabilities of bank ATMs, which he predicted would become the next "pot of gold" for hackers.

The Internet has become "crime ridden slums," said Phil Zimmermann, a well-known cryptographer who spoke at the conference. Hackers and the computer security experts who make a living tripping up systems say security would be better if people were less lazy.

To make their point, they pilfered Internet passwords from convention attendees.

Anyone naive enough to log in over the hotel's unsecured wireless network, whose traffic anyone nearby could listen in on, could see their name and part of their password scrolling across a huge public screen.

It was dubbed "The Wall of Sheep."

Among the exposed sheep were an engineer from Cisco Systems Inc., multiple employees from Apple Computer Inc. and a Harvard professor.
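What the Wall of Sheep does is simple: it passively reads the traffic on the open network, picks out logins sent in clear text, and displays the user name with most of the password masked. The following is an added example written for this page, not code from the article or from the Wall of Sheep project. The article does not say which protocols were captured, so the choice of HTTP basic authentication, POP3 and FTP is an assumption, and the "captured" payloads are constructed for the example.

```python
"""Toy Wall-of-Sheep style credential spotter (added example, not the
conference's own code). On an open Wi-Fi network every nearby station can read
the traffic, and protocols such as HTTP basic auth, POP3 and FTP carry the
user name and password in clear text. The payloads below are constructed;
the protocol choice is an assumption, since the article names none."""
import base64
import re
from dataclasses import dataclass

# Constructed sample of what a passive sniffer on an open network would see:
# (client IP, destination port, decoded application-layer payload).
CAPTURED = [
    ("10.0.0.12", 80, "GET /mail/ HTTP/1.1\r\nHost: webmail.example.net\r\n"
                      "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    ("10.0.0.45", 110, "USER bob@example.org\r\nPASS correcthorse\r\n"),
    ("10.0.0.77", 21, "USER carol\r\nPASS battery-staple\r\n"),
    ("10.0.0.90", 443, "\x16\x03\x01..."),  # TLS handshake: opaque to a sniffer
]


@dataclass(frozen=True)
class Sheep:
    src: str
    protocol: str
    user: str
    password: str


def extract_credentials(src, port, payload):
    """Return a Sheep if the payload carries a clear-text login, else None."""
    if port == 80:
        # HTTP basic auth is only base64, not encryption: anyone can decode it.
        m = re.search(r"^Authorization:\s*Basic\s+(\S+)", payload, re.M | re.I)
        if m:
            try:
                decoded = base64.b64decode(m.group(1)).decode()
            except (ValueError, UnicodeDecodeError):
                return None
            user, _, pw = decoded.partition(":")
            return Sheep(src, "http-basic", user, pw)
    elif port in (21, 110):
        # FTP and POP3 send USER and PASS commands as plain text lines.
        u = re.search(r"^USER\s+(\S+)", payload, re.M)
        p = re.search(r"^PASS\s+(\S+)", payload, re.M)
        if u and p:
            proto = "ftp" if port == 21 else "pop3"
            return Sheep(src, proto, u.group(1), p.group(1))
    # Anything else (including TLS on 443) yields nothing readable.
    return None


def redact(password, keep=3):
    """Show only the first few characters, as the Wall of Sheep does."""
    return password[:keep] + "*" * max(len(password) - keep, 0)


def wall_of_sheep(captured=CAPTURED):
    """Build the display rows: source, protocol, user name, masked password."""
    rows = []
    for src, port, payload in captured:
        sheep = extract_credentials(src, port, payload)
        if sheep is not None:
            rows.append(f"{sheep.src:<12} {sheep.protocol:<10} "
                        f"{sheep.user:<20} {redact(sheep.password)}")
    return rows


if __name__ == "__main__":
    for row in wall_of_sheep():
        print(row)
```

Three of the four constructed sessions end up on the wall; the TLS session does not, which is the whole point of the exercise: the defence against this kind of exposure is to send credentials only over an encrypted channel, not to trust the network.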

An annual highlight of the conference is the "Meet the Feds" panel, which this year included representatives from the FBI, NSA, and the Treasury and Defense departments. Morris and other panel members said they would love to hire the "best and brightest" hackers but cautioned that the offer wouldn't be extended to lawbreakers.

During the session, Agent Jim Christy of the Defense Department's Cyber Crime Center asked the audience to stand.

"If you've never broken the law, sit down," he said. Many sat down immediately - but a large number appeared to hesitate before everyone eventually took their seats.

"OK, now we can turn off the cameras," Christy joked.

Some federal agents were indeed taking careful notes, though, when researcher Michael Lynn set the tone for the conference by publicizing earlier in the week a vulnerability in Cisco routers that he said could allow hackers to virtually shut down the Internet.

Lynn and other researchers at Internet Security Systems had discovered a way of exploiting a Cisco software vulnerability in order to seize control of a router. That flaw was patched in April, but Lynn showed that Cisco hadn't quite finished the repair job - that the same technique could be used to exploit other vulnerabilities in Cisco routers.

Cisco and ISS went to court to try to stop Lynn from going public, but Lynn quit ISS and spoke anyway. In the wake of his decision, Lynn has become the subject of an FBI probe, said his attorney Jennifer Granick.

Many at the conference praised Lynn.

"We're never going to secure the Net if we don't air and criticize vulnerabilities," said David Cowan, a managing partner at venture capital firm Bessemer Venture Partners.

And the vulnerabilities are plenty.

During his session on ATMs, Morris said thieves have been able to dupe people out of their bank cards and passwords by altering the software in old ATMs bought on eBay for as little as $1,000 and placing the machines in public venues.

Associated Press
