Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Thursday, August 04, 2005

Hackers’ Prowess on Display at Defcon Conference

Even the ATM machines were suspect at this year’s Defcon conference, where hackers play intrusion games at the bleeding edge of computer security.
Anyone naive enough to access the Internet through the hotel’s unsecured wireless system could see their name and part of their passwords scrolling across a huge public screen. It was dubbed the “The Wall of Sheep.”  Among the exposed sheep were an engineer from Cisco Systems Inc., multiple employees from Apple Computer Inc. and a Harvard professor.

Defcon is a no-man’s land where customary adversaries—federal agents vs. digital mavericks—are supposed to share ideas about making the Internet a safer place.

This year’s hot topics included a demonstration of just how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person’s identity by scanning such things as thumb prints, irises and voice patterns.

Banks, supermarkets and even some airports have begun to rely on such systems, but a security analyst who goes by the name Zamboni challenged hackers to bypass biometrics by attacking their backend systems networks.

Radio frequency identification tags that send wireless signals and that are used to track a growing list of items including retail merchandise, animals and U.S. military shipments—also came under scrutiny.  A group of twentysomethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet (21 meters).  That’s important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd. 
RFID companies had said the signals didn’t reach more than 20 feet (six meters), said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

An annual highlight of the conference is the “Meet the Feds” panel, which this year included representatives from the FBI, NSA and the Treasury and Defense departments.  Morris and other panel members said they would love to hire the “best and brightest” hackers but cautioned that the offer wouldn’t be extended to lawbreakers.  During the session, Agent Jim Christy of the Defense Department’s Cyber Crime Center asked the audience to stand.

Some federal agents were indeed taking careful notes, though, when researcher Michael Lynn set the tone for the conference by publicizing earlier in the week a vulnerability in Cisco routers that he said could allow hackers to virtually shut down the Internet.  That flaw was patched in April, but Lynn showed that Cisco hadn’t quite finished the repair job—that the same technique could be used to exploit other vulnerabilities in Cisco routers.  Cisco and ISS went to court to try to stop Lynn from going public, but Lynn quit ISS and spoke anyway.

“We’re never going to secure the Net if we don’t air and criticize vulnerabilities,” said David Cowan, a managing partner at venture capital firm Bessemer Venture Partners.

During a session on ATM machines, Morris said thieves have been able to dupe people out of their bank cards and passwords by changing the software in old ATM machines bought off eBay for as little as $1,000 and placing the machines out in public venues.

http://www.technologyreview.com/articles/05/08/ap/ap_080405.asp

Posted on 08/04
NewsPermalink