Last week the high tech world got just a bit more dangerous - or a bit safer, depending on your perspective. And it was all because of research presented at computer security conferences Black Hat and Defcon. Here's the lowdown.
[Photo: Dave Bullock/Wired]
Every year computer security experts, from garage hackers to intelligence agents, descend on Las Vegas to attend Black Hat and Defcon. At these events, you can learn highly technical details about the Android operating system and Microsoft's internal network - or you can learn how to fool biometric locks and crank call BP. These are the premier conferences for exchanging information about keeping data secure. But they're also where concerned geeks stand up in front of thousands of people to whistleblow about bad privacy and security practices at major companies (or governments).
For all those reasons and more, announcements from last week's conferences are certain to change the future. At least, if you own a computer that's attached to the internet. (And by computer, I mean phone.) Without further ado, here are seven hacks (and one goof) announced at Black Hat and Defcon that you should know about.
This was certainly the flashiest news to come out of Defcon. Hacker Barnaby Jack bought some used ATMs on eBay, and managed to figure out a quick way to do what John Connor did in Terminator 2: Use a cheap computer to riffle through ATM passwords and get some quick cash. It's a scary little trick, and we posted a video of the hack earlier this week:
2. Remember how your mom taught you that HTTPS means the website you're visiting is secure? Well, she was wrong.
When you log into your bank, or enter your credit card information in a form, you're always supposed to check to be sure that the URL of the page starts with HTTPS. When it does, that means you're using a secure information-exchange protocol called SSL, which prevents online bad guys from snarfing your password and credit card numbers. But it turns out there's a simple, non-technical trick that can be used to undermine SSL. You see, the security of SSL relies on "certificate authorities" (CAs), companies that hand out authentication certificates to website owners, verifying, for example, that Bank of America is who it says it is online. Which means that your security is only as trustworthy as these CAs, which are only flimsily regulated. It turns out that a lot of them will hand out certs to pretty much anybody with cash.
Technologists Peter Eckersley (Electronic Frontier Foundation) and Jesse Burns (iSec Partners) explained in their Defcon presentation that they spent months scanning the entire internet, looking for who is giving out certs and to whom. (Slides for their presentation are here.) They discovered something disturbing: There are actually over 1,000 entities online, including Google and the DHS, who own what are called "subordinate CAs," special certs that allow them to hand out other certs to anybody they want.
Because these subordinate CA owners are poorly regulated, their power is potentially quite dangerous. If I have a subordinate CA, I can literally make any computer look like any other one online: I can turn my mob buddy's server Evilintentions.com into Yourbank.com. So you go to visit your bank, you wind up at "https://www.yourbank.com," and everything looks secure, right? Hell, anybody would give it their password and credit card number. But actually you were at evilintentions.com, who got a cert from me saying it was yourbank.com. Now you're screwed.
Using a subordinate CA, you could even make a US government computer look like it's a Chinese government computer online. There's no evidence that anyone has done this, but Eckersley and Burns proved that it's very possible someone could be doing it right now. (Caveat: Some of the research for this project was done in my house.)
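To make the trust problem above concrete, here is an added toy model of certificate-chain checking (my own example, not code from Eckersley and Burns or the EFF). There are no real certificates or signatures in it: each "certificate" is a plain record, signatures are assumed valid, and all the names (Trusted Root CA, Evilintentions Sub CA, www.yourbank.com) are constructed. What it shows is the policy gap: a subordinate CA with no name constraints can issue for any hostname and the chain verifies just fine, whereas the two defensive checks a relying party can apply, RFC 5280 name constraints on the subordinate CA and pinning the expected issuer for a site, both reject the impostor chain.

```python
"""Toy X.509 trust model (constructed example; no real crypto).

Signature checks are assumed to pass so that the chain-policy logic,
which is the point here, stands on its own.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Cert:
    subject: str                     # DNS name for a leaf, display name for a CA
    issuer: str                      # subject of the certificate that issued this one
    is_ca: bool = False
    # RFC 5280 name constraints (simplified): if non-empty, a leaf below this
    # CA must be for one of these domains or a subdomain of one.
    permitted_dns: List[str] = field(default_factory=list)


class ChainError(Exception):
    """Raised when a chain violates the policy this toy model enforces."""


def name_permitted(host: str, permitted: List[str]) -> bool:
    """An empty constraint list means 'may issue for anything' (the 2010 default)."""
    if not permitted:
        return True
    host = host.lower()
    return any(host == p.lower() or host.endswith("." + p.lower()) for p in permitted)


def verify_chain(leaf: Cert, intermediates: List[Cert],
                 roots: Dict[str, Cert], hostname: str) -> str:
    """Walk leaf -> intermediates -> trusted root, enforcing CA flags and
    name constraints at every hop. Returns the root's subject on success."""
    if leaf.is_ca or leaf.subject.lower() != hostname.lower():
        raise ChainError(f"leaf is for {leaf.subject!r}, not {hostname!r}")
    by_subject = {c.subject: c for c in intermediates}
    current = leaf
    for _ in range(len(intermediates) + 1):
        if current.issuer in roots:
            root = roots[current.issuer]
            if not name_permitted(hostname, root.permitted_dns):
                raise ChainError(f"root {root.subject!r} may not issue for {hostname!r}")
            return root.subject
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            raise ChainError(f"issuer {current.issuer!r} is neither in the chain nor trusted")
        if not issuer.is_ca:
            raise ChainError(f"{issuer.subject!r} is not a CA but issued a certificate")
        if not name_permitted(hostname, issuer.permitted_dns):
            raise ChainError(f"{issuer.subject!r} may not issue for {hostname!r}")
        current = issuer
    raise ChainError("chain is too long or loops")


def chain_matches_pins(leaf: Cert, intermediates: List[Cert], pins: Set[str]) -> bool:
    """Issuer pinning: the site's operator knows which CA really signs for it,
    so any chain that does not pass through one of the pinned CAs is rejected."""
    return any(c.subject in pins for c in [leaf] + intermediates)


def demo() -> Dict[str, str]:
    """Run the scenario from the article: an honest chain, a rogue subordinate
    CA with and without name constraints, and the pinning check."""
    roots = {"Trusted Root CA": Cert("Trusted Root CA", "Trusted Root CA", is_ca=True)}
    honest_sub = Cert("Yourbank Issuing CA", "Trusted Root CA", is_ca=True,
                      permitted_dns=["yourbank.com"])
    honest_leaf = Cert("www.yourbank.com", "Yourbank Issuing CA")
    # A subordinate CA handed out with no constraints at all.
    rogue_sub = Cert("Evilintentions Sub CA", "Trusted Root CA", is_ca=True)
    rogue_leaf = Cert("www.yourbank.com", "Evilintentions Sub CA")
    # The same subordinate CA, had the root constrained it to its own domain.
    constrained_sub = Cert("Evilintentions Sub CA", "Trusted Root CA", is_ca=True,
                           permitted_dns=["evilintentions.com"])
    results: Dict[str, str] = {}
    results["honest"] = verify_chain(honest_leaf, [honest_sub], roots, "www.yourbank.com")
    # This is the problem the article describes: the impostor chain verifies.
    results["rogue_unconstrained"] = verify_chain(rogue_leaf, [rogue_sub], roots,
                                                  "www.yourbank.com")
    try:
        verify_chain(rogue_leaf, [constrained_sub], roots, "www.yourbank.com")
        results["rogue_constrained"] = "accepted"
    except ChainError as err:
        results["rogue_constrained"] = f"rejected: {err}"
    pins = {"Yourbank Issuing CA"}
    results["rogue_pinned"] = ("accepted" if chain_matches_pins(rogue_leaf, [rogue_sub], pins)
                               else "rejected: pin mismatch")
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome}")
```

The unconstrained case is the one that matters: nothing in the chain walk itself distinguishes the rogue subordinate from the honest one, because the trust store only knows the root. Name constraints fix that at issuance time (the root limits what the subordinate may sign for), and pinning fixes it at the relying party (the client refuses any chain that does not pass through the CA it expects). Real chain validation also checks signatures, validity dates, revocation and wildcard rules, none of which this model attempts.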
Several researchers are working on how to hack into people's phone conversations on the commonly used GSM network. The Financial Times reports:
Speaking at the second day of the Black Hat technology security conference in Las Vegas, researcher Karsten Nohl, who had previously reported that he had cracked GSM encryption, said he was distributing the tools free in order to pressure carriers to make fairly simple changes to fix the vulnerability. The industry association asked for the same software changes in 2008, but Mr Nohl said he hadn't found any carrier that had adopted them.
The tools include shortcuts for crunching vast amounts of data in order to identify the key on each mobile phone that encrypts calls. Using the techniques Mr Nohl outlined in his presentation, hackers could listen in on one side of a conversation from miles away and from both sides if they were within 100 to 300 meters, he said. The method only works over 2G networks, but many 3G phones drop back to 2G in areas where there is no 3G service.
And, reporting on another presentation (excerpted in the video above - check out those antennae on the stage) Wired's Kim Zetter writes:
The low-cost, home-brewed device, developed by researcher Chris Paget, mimics more expensive devices already used by intelligence and law enforcement agencies – called IMSI catchers – that can capture phone ID data and content. The devices essentially spoof a legitimate GSM tower and entice cell phones to send them data by emitting a signal that's stronger than legitimate towers in the area.
"If you have the ability to deliver a reasonably strong signal, then those around are owned," Paget said.
"In my experience it's generally the iPhones that connect most easily," he said. "It's actually been the bane of my existence trying to keep the damned iPhones away."
People connected to Paget's system would get a warning message and could dial out as normal, but anyone trying to call them would go straight to voicemail. Paget didn't record or play back any calls, but he could have.
Oh, iPhone - you are such an unfaithful device.
With so many homes being controlled by computerized meters hooked into smart grids, it's suddenly possible for computer experts to hack into your utilities, like water and electricity. Technology Review's Erica Naone writes:
Shawn Moyer, who practices network security for Agura Digital Security, says he's concerned that utilities don't have expertise in network security. For example, he says, many advertise that they offer encryption in their smart-grid products, but on further inspection, there are problems with how that encryption is implemented.
Moyer and Keltner revealed a proof-of-concept smart-grid attack at Black Hat. They used a customizable piece of radio equipment and some freely available software to find smart meters on a network and circumvent the encryption used to protect them. If an attacker were to do the same, they say, it would be possible to issue commands that could misreport data to the utility or shut off power to some users.
Imagine a utility virus that could spread from house to house on the smart grid, shutting down everybody's electricity along the way. You are looking down the barrel of your own future.
Russian criminals have automated their money-making scams in ways that boggle the mind. According to The Register:
The highly automated scheme starts by infiltrating online check archiving and verification services that store huge numbers of previously cashed checks, Joe Stewart, director of malware research for Atlanta-based SecureWorks, told The Register. It then scrapes online job sites for email addresses of people looking for work and sends personalized messages offering them positions performing financial transactions for an international company. The scammers then use stolen credit card data to ship near exact replicas of the checks to those who respond . . . Ironically, many of the check images were downloaded from services that merchants use to prevent check fraud. One of the sites was breached using a SQL injection attack. In other cases, they were accessed using account credentials from legitimate users that were stolen using the Zeus and Gozi password-stealing trojans.
"They're actually abusing anti-fraud systems in order to commit fraud," Stewart said. "The systems that are designed to prevent check fraud are actually being used to help the bad guys commit check fraud."
I love the idea that people are being swindled via an automated system. I welcome our botnet overlords, and all that.
[Photo: Atomic Fireball]
Should you really trust every app you install on your phone? Nope - some of them are plundering your personal information and beaming it to potential bad guys. Two researchers revealed that they'd researched one seemingly benign wallpaper app for Android, and found that it was sending phone numbers and subscriber information (like names and addresses) to a remote computer. Venture Beat's Dean Takahashi summed up the threat:
Apps that seem good but are really stealing your personal information are a big risk at a time when mobile apps are exploding on smartphones, said John Hering, chief executive, and Kevin Mahaffey, chief technology officer at Lookout, in their talk at the Black Hat security conference in Las Vegas . . . "Even good apps can be modified to turn bad after a lot of people download it," Mahaffey said. "Users absolutely have to pay attention to what they download. And developers have to be responsible about the data that they collect and how they use it."
The app in question came from Jackeey Wallpaper, and it was uploaded to the Android Market, where users can download it and use it to decorate their phones that run the Google Android operating system. It includes branded wallpapers from My Little Pony and Star Wars, to name just a couple.
Lookout notes it . . . collects your phone number, subscriber identification, and even your voicemail phone number, as long as they are programmed automatically into your phone. It sends the data to a web site, www.imnet.us. That site is evidently owned by someone in Shenzhen, China. The app has been downloaded anywhere from 1.1 million to 4.6 million times.
Google has responded by saying that it has investigated these wallpapers, and that they are not threats. Regardless of whether this particular app has now been sanitized, these researchers still demonstrated that My Little Pony could be stealing your data.
7. There is a network of spies and counterspies on the internet, and they really are out to get you.
Two troubling pieces of information came out during the conference, both related to how human intelligence gathering has changed (or hasn't) in the information age. Technologist Jacob Appelbaum, who works with the nonprofit Tor Project and volunteers with Wikileaks, was detained at the US border before being allowed to continue to Las Vegas to give his talk at Defcon. C|Net's Elinor Mills reports:
Appelbaum, a U.S. citizen, was taken into a room and frisked, and his bag was searched. Receipts from his bag were photocopied, and his laptop was inspected, the sources said. Officials from Immigration and Customs Enforcement, and from the U.S. Army then told him that he was not under arrest but was being detained, the sources said. The officials asked questions about Wikileaks, asked for his opinions about the wars in Iraq and Afghanistan, and asked where Wikileaks founder Julian Assange could be found, but Appelbaum declined to comment without a lawyer present, according to the sources. Appelbaum was not permitted to make a phone call, the sources said. After about three hours, Appelbaum was given his laptop back, but the agents kept his three mobile phones, sources said.
Intelligence agents tried to question him again during the conference. His crime? Being associated with projects devoted to information transparency (Wikileaks) and anonymity (Tor, which incidentally has received funding from the US Navy, so go figure). It seems that the US government wanted to send the message that supporting the efforts of whistleblowers online is beyond the pale. Below, you can see Appelbaum (right) with Electronic Frontier Foundation technologist Seth Schoen, along with some of their dangerous hacker tools (including soy milk).
But other kinds of online whistleblowing are being encouraged by the government. At least that's one way to interpret the announcements from an internet surveillance nonprofit called Project Vigilant, which is apparently monitoring internet traffic at 12 ISPs, and claims it has hundreds of "volunteers" reporting "human intelligence" which Vigilant gives to the US government. Project Vigilant founder Chet Uber says hacker Adrian Lamo is one of their "volunteers" and announced at Defcon that they are actively recruiting more. It's like crowdsourcing, but for spies!
[Photo: Dave Bullock/Wired]
This may be a silly hack, but that doesn't mean it isn't futuristic.
Every year, Defcon badges and party invitations get more and more elaborate. This year, hardware hacker Joe Grand, who has designed the programmable Defcon badges for several years running, finally managed to add a tiny persistent display screen (as he explains in the video below, prices came down enough to make it cost-effective). The badge is a completely hackable development environment, and Defcon participants are invited to do the most creative things possible with their badges.
Also this year, the exclusive Ninja Networks party gave out pricey programmable invites, which attendees hacked the hell out of in order to get into the shindig - which was lubricated with a rumored $150 thousand worth of Facebook-sponsored booze. I think we all look forward to a future when getting into exclusive nightclubs and parties requires fancy hacking skills, rather than fancy designer clothes.