Author: admini

Defcon is a no-man’s land where customary adversaries — federal agents vs. digital mavericks — are supposed to share ideas about making the Internet a safer place.

This year’s hot topics included a demonstration of just how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person’s identity by scanning such things as thumb prints, irises and voice patterns.

Banks, supermarkets and even some airports have begun to rely on such systems, but a security analyst who goes by the name Zamboni challenged hackers to bypass biometrics by attacking their backend systems networks.

Radio frequency identification tags that send wireless signals and that are used to track a growing list of items including retail merchandise, animals and U.S. military shipments– also came under scrutiny. A group of twentysomethings from Southern California climbed onto the hotel roof to show that RFID tags could be read from as far as 69 feet (21 meters). That’s important because the tags have been proposed for such things as U.S. passports, and critics have raised fears that kidnappers could use RFID readers to pick traveling U.S. citizens out of a crowd.
RFID companies had said the signals didn’t reach more than 20 feet (six meters), said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

An annual highlight of the conference is the “Meet the Feds” panel, which this year included representatives from the FBI, NSA and the Treasury and Defense departments. Morris and other panel members said they would love to hire the “best and brightest” hackers but cautioned that the offer wouldn’t be extended to lawbreakers. During the session, Agent Jim Christy of the Defense Department’s Cyber Crime Center asked the audience to stand.

Some federal agents were indeed taking careful notes, though, when researcher Michael Lynn set the tone for the conference by publicizing earlier in the week a vulnerability in Cisco routers that he said could allow hackers to virtually shut down the Internet. That flaw was patched in April, but Lynn showed that Cisco hadn’t quite finished the repair job — that the same technique could be used to exploit other vulnerabilities in Cisco routers. Cisco and ISS went to court to try to stop Lynn from going public, but Lynn quit ISS and spoke anyway.

“We’re never going to secure the Net if we don’t air and criticize vulnerabilities,” said David Cowan, a managing partner at venture capital firm Bessemer Venture Partners.

During a session on ATM machines, Morris said thieves have been able to dupe people out of their bank cards and passwords by changing the software in old ATM machines bought off eBay for as little as $1,000 and placing the machines out in public venues.

http://www.technologyreview.com/articles/05/08/ap/ap_080405.asp

The computer that ships in the kit features a security chip called the Trusted Platform Module (TPM). The TPM is an open industry standard governed by the Trusted Computing Group, a non-profit organisation which develops security standards. Apple did not respond to questions about the TPM in time for this story’s posting.

The chips inclusion with the new Apple hardware doesn’t come as a complete surprise. It has been previously suggested that Apple could use the TPM to prevent that computer users install the OS X operating system on a non-Mac PC such as a models made by Dell or HP.

“The TPM is going to be the barrier for moving the Macintosh software to any PC,” Martin Reynolds, a research fellow with analyst firm Gartner told vnunet.com. Each TPM chip contains an encrypted serial number that allows the operating system to verify if it’s running on Apple made hardware. Hackers in theory could forge the serial number, said Reynolds, fooling the software into believing that its running on Mac hardware even when it isn’t.

The security chips currently are included with some PCs for the enterprise market from IBM/Lenovo and HP. They use the TPM to security store passwords or encrypt data.

The upcoming Windows Vista relies on the TPM for a technology dubbed Secure Startup, which blocks access to the computer if the content of the hard drive is compromised. This prevents a laptop thief from swapping out the hard drive, or booting the system from a floppy disk to circumvent security features.

In the future software developers could also use the chip as an anti piracy device, Reynolds suggested. The vendor then would link the TPM identification number to the software registration key. But the TPM has also gained notoriety because it is seen as a way to invade the user’s privacy. The identifying number build into the chip can be used to limit the fair use of digital media by enforcing digital rights management technologies, or could track users online. The fear of such scenarios however is overstated, said Reynolds. Privacy infringing schemes are uncovered sooner or later at great expense to the computer maker. “There are things that manufacturers could do with the TPM that is very much against the interest of the user. But in practice, the manufactures have found that it is best not to do that.”

http://www.vnunet.com/vnunet/news/2140687/apple-embraces-controversial