
Hackers Demonstrate Their Skills in Vegas


Even the ATMs were suspect at this year's Defcon conference, where hackers play intrusion games at the bleeding edge of computer security.

With some of the world's best digital break-in artists pecking away at their laptops, sending e-mails or answering cell phones could also be risky.

Defcon is a no-man's land where customary adversaries - feds vs. digital mavericks - are supposed to share ideas about making the Internet a safer place. But it's really a showcase for flexing hacker muscle.

This year's hot topics included a demonstration of just how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person's identity by scanning such things as thumbprints, irises and voice patterns.

Banks, supermarkets and even some airports have begun to rely on such systems, but a security analyst who goes by the name Zamboni challenged hackers to bypass biometrics by attacking the back-end systems and networks behind them. "Attack it like you would Microsoft or Linux," he advised.

Radio frequency identification tags that send wireless signals and that are used to track a growing list of items - including retail merchandise, animals and U.S. military shipments - also came under scrutiny.

A group of twentysomethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet. That's important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.

RFID companies had said the signals didn't reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

"Our goal is to raise awareness," said Hering, 22. "Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem."

Erik Michielsen, an analyst at ABI Research, chuckled when he heard the Flexilis claims. "These are great questions that need to be raised," he said, but RFID technology varies with the application, and many applications use encryption. Encryption uses an algorithm to scramble data so that it is unreadable to anyone but the intended recipient. Encrypting what a tag stores does not by itself hide the fact that a tag is answering a reader, which is the kind of detection the passport critics were worried about.

Also on hand at the conference was Robert Morris Sr., former chief scientist for the National Security Agency, to lecture on the vulnerabilities of bank ATMs, which he predicted would become the next "pot of gold" for hackers.

The Internet has become "crime-ridden slums," said Phil Zimmermann, a well-known cryptographer who spoke at the conference. Hackers and the computer security experts who make a living tripping up systems say security would be better if people were less lazy.

To make their point, they pilfered Internet passwords from convention attendees.

Anyone naive enough to access the Internet through the hotel's unsecured wireless network could see their username and part of their password scrolling across a huge public screen.

It was dubbed the "Wall of Sheep."

Among the exposed sheep were an engineer from Cisco Systems Inc., multiple employees from Apple Computer Inc. and a Harvard professor.
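The wall worked because mail, FTP and web logins were still sent in cleartext over the open hotel Wi-Fi, so anyone listening could read them off the air. The following is an added example, written for this page and not code from the article or from the Wall of Sheep project: a small harvester that takes client-to-server payloads as a sniffer would see them, pulls logins out of POP3, FTP, IMAP and HTTP Basic authentication, and masks most of each password the way the public screen did. The IP addresses, usernames and passwords are constructed sample traffic, and keying the parser on the server port is an assumption made for the example.

```python
"""
Passive "Wall of Sheep"-style credential harvester for cleartext protocols.

Constructed example: given client-to-server application payloads captured
on an open wireless network, extract cleartext logins and display them
with the password partially masked. Nothing here is sent on a network.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    src: str        # client IP address
    dst: str        # server IP address
    dport: int      # server port; used to choose the protocol parser (assumption)
    payload: bytes  # reassembled client-to-server application data


@dataclass(frozen=True)
class Sheep:
    src: str
    proto: str
    user: str
    masked_pw: str


def mask(password: str, keep: int = 3) -> str:
    """Show only the first `keep` characters, as the public screen did."""
    return password[:keep] + "*" * max(0, len(password) - keep)


# --- protocol parsers: each returns (user, password) or None ---------------

# POP3 and FTP both authenticate with plain USER / PASS command lines.
_USER_PASS = re.compile(rb"^USER (\S+)\r?$.*?^PASS (\S+)\r?$", re.M | re.S)


def parse_user_pass(data: bytes) -> Optional[Tuple[str, str]]:
    m = _USER_PASS.search(data)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


# IMAP: "<tag> LOGIN <user> <password>", arguments optionally quoted.
_IMAP_LOGIN = re.compile(rb"^\S+ LOGIN (\S+) (\S+)\r?$", re.M | re.I)


def parse_imap(data: bytes) -> Optional[Tuple[str, str]]:
    m = _IMAP_LOGIN.search(data)
    if not m:
        return None
    return m.group(1).decode().strip('"'), m.group(2).decode().strip('"')


# HTTP Basic auth: base64("user:password") in the Authorization header.
_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)


def parse_http_basic(data: bytes) -> Optional[Tuple[str, str]]:
    m = _BASIC.search(data)
    if not m:
        return None
    try:
        user, _, pw = base64.b64decode(m.group(1), validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return (user, pw) if user else None


PARSERS = {
    110: ("POP3", parse_user_pass),
    21:  ("FTP",  parse_user_pass),
    143: ("IMAP", parse_imap),
    80:  ("HTTP", parse_http_basic),
}


def shear(segments: List[Segment]) -> List[Sheep]:
    """Run each captured flow through the parser for its server port."""
    found: List[Sheep] = []
    for seg in segments:
        entry = PARSERS.get(seg.dport)
        if entry is None:
            continue  # TLS-wrapped ports (443, 993, 995) carry nothing readable
        proto, parser = entry
        creds = parser(seg.payload)
        if creds:
            user, pw = creds
            found.append(Sheep(seg.src, proto, user, mask(pw)))
    return found


CAPTURE = [  # constructed sample traffic, not a real capture
    Segment("10.0.0.23", "192.0.2.10", 110,
            b"USER alice@example.net\r\nPASS hunter2\r\nSTAT\r\n"),
    Segment("10.0.0.42", "192.0.2.20", 80,
            b"GET /webmail/ HTTP/1.1\r\nHost: mail.example.net\r\n"
            b"Authorization: Basic " + base64.b64encode(b"bob:s3cretpass") + b"\r\n\r\n"),
    Segment("10.0.0.57", "192.0.2.30", 143,
            b"a001 LOGIN carol Pa55word!\r\na002 SELECT INBOX\r\n"),
    Segment("10.0.0.99", "192.0.2.40", 443,
            b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello: opaque
]

if __name__ == "__main__":
    for s in shear(CAPTURE):
        print(f"{s.src:<12} {s.proto:<5} {s.user:<22} {s.masked_pw}")
```

Only the three cleartext flows produce an entry; the HTTPS flow is skipped because there is no parser for port 443 and nothing in its payload is readable, which is the whole point of the exercise: the people on the wall were there because their client spoke an unencrypted protocol, not because the attackers broke anything.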

An annual highlight of the conference is the "Meet the Feds" panel, which this year included representatives from the FBI, NSA, and the Treasury and Defense departments. Morris and other panel members said they would love to hire the "best and brightest" hackers but cautioned that the offer wouldn't be extended to lawbreakers.

During the session, Agent Jim Christy of the Defense Department's Cyber Crime Center asked the audience to stand.

"If you've never broken the law, sit down," he said. Many sat down immediately - but a large number appeared to hesitate before everyone eventually took their seats.

"OK, now we can turn off the cameras," Christy joked.

Some federal agents were indeed taking careful notes, though, when researcher Michael Lynn set the tone for the conference by publicizing earlier in the week a vulnerability in Cisco routers that he said could allow hackers to virtually shut down the Internet.

Lynn and other researchers at Internet Security Systems had discovered a way of exploiting a Cisco software vulnerability in order to seize control of a router. That flaw was patched in April, but Lynn showed that Cisco hadn't quite finished the repair job - that the same technique could be used to exploit other vulnerabilities in Cisco routers.

Cisco and ISS went to court to try to stop Lynn from going public, but Lynn quit ISS and spoke anyway. In the wake of his decision, Lynn has become the subject of an FBI probe, said his attorney Jennifer Granick.

Many at the conference praised Lynn.

"We're never going to secure the Net if we don't air and criticize vulnerabilities," said David Cowan, a managing partner at venture capital firm Bessemer Venture Partners.

And the vulnerabilities are plenty.

During his session on ATMs, Morris said thieves have been able to dupe people out of their bank cards and passwords by changing the software in old ATMs bought off eBay for as little as $1,000 and placing the machines in public venues.

Associated Press

    The most obvious thing is that IBM’s revenues and profits continue to shrink, but the downside is getting smaller and smaller, and we think that IBM’s core systems business will start to level out this year and maybe even grow by the third or fourth quarter, depending on when Power9-based Power Systems and z14-based System z mainframes hit the market. In the final period of 2016, IBM’s overall revenues were $21.77 billion, down 1.1 percent from a year ago, and net income rose by nearly a point to $4.5 billion. This is sure a lot better than a year ago, when IBM’s revenues fell by 8.4 percent to $22 billion and its net income fell by 18.6 percent to $4.46 billion. For the full 2016 year, IBM’s revenues were off 2.1 percent to $79.85 billion, but its “real” systems business, which includes servers, storage, switching, systems software, databases, transaction monitors, and tech support and financing for its own iron, fell by 8.3 percent to $26.1 billion. (That’s our estimate; IBM does not break out sales this way, but we have some pretty good guesses on how it all breaks down.)