Breaking things--that's what the very bright and super curious do; they look beyond the obvious to see what's truly lurking beneath the surface. On Wednesday and Thursday, attendees at Black Hat D.C. 2008 got a window into the latest research being done on Web applications, wireless, and embedded technologies.
On Wednesday, researchers David Hulton and "Steve" showed how with about $1,000 with of equipment they can decrypt A5/1 cellular GSM traffic in less than a hour. Following that, Adam Laurie reprised his popular RFIDiots talk from last year's Black Hat briefings with a new program that allows him to read the data off smart credit cards "hands free."
Wednesday night included a social. There was also a speaker from the Washington, D.C.-based Spy Museum with stories of real-life spies.
On Thursday, Tiller Beauchamp and David Weston gave a presentation on DTrace, a security research application that is now available within Mac OS X Leopard and coming soon to various distributions of Linux. Following that, Zac Franken reprised his previous talk on biometric and token-based access control systems with new information on work access cards. After lunch, talks included Chris Wysopal on classification and detection of backdoors, Jason Larson on SCADA security, and Jon Oberheide on exploiting virtual machine migrations.
Update on February 22, 2008, at 3:20 p.m PST: This blog has been updated to include a response from American Express.
WASHINGTON D.C.--Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here, to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards.
As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible.
Demonstrations like that show the potential misuse of RFID technology in the near future. Without touching someone, a thief could sniff the contents of an RFID-enabled credit card just in passing. The same is true for embedded RFID chips in the human body, work access badges, some public transit cards, and even the new passports in use in more than 45 countries.
As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing.
"The alias number on American Express' ExpressPay cannot be used for online transactions," said Molly Faust, American Express' Public Affairs representative, in an e-mail to CNET News.com. "ExpressPay has multiple security mechanisms. As the payment host, American Express would not verify/authorize an online transaction using just the alias account number. There are several other security mechanisms that would be required in order for payment authorization to take place."
The credit card industry has argued that use of the RFID-enabled cards will save customers time when processing payments.
An extreme example can be found in Spain. Laurie said a public beach there encourages visitors to have RFID tags injected into their bodies. The point? Merchants along the beach scan your wrist to obtain a unique ID from which they can debit your account. The advantage? You won't have to go to the beach with your wallet, which might get stolen.
Laurie, who has an injected RFID-tag, showed how easy it was not only to read the tag, but also to re-write the tag. During his demo, he used the coding sequence reserved for animal tagging to have his RFID chip declare him an animal.
On his RFIDiot Web site, Laurie offers the Python scripts free of charge and also sells the hardware necessary to read and write to RFID tags and cards.
Washington D.C. -- On Wednesday, in a talk at Black Hat D.C. 2008, two researchers set out to see whether phishing sites were created by the "Einsteinian, ninja hackers that the media makes them out to be."
In a talk titled "Bad Sushi: Beating Phishers at their own game," Nitesh Dhanjani and Billy Rios found not a sophisticated gang of elite coders, but hundreds of bad coders all copying one another, and often stealing from each other.
Dhanjani and Rios expressed disapproval of antiphishing products that use black lists to block known phishing sites. One, because some legitimate server admins might have their compromised account password visible on such lists. Two, because the researchers were able to open those lists and see the servers that were being compromised.
They followed one of the servers that had shown up on one black list multiple times. What they found was a poorly configured Internet-facing server, one that was easily compromised, and therefore hosting several phishing sites.
Once they found a compromised Web server, they then wondered: how hard is it to create an authentic-looking phishing site? Dhanjani and Rios found kits online, prepackaged with images and forms from Bank of America, Citibank, and PayPal, among others. Just install one of these kits on a compromised server and you're in business.
Looking deeper into the code used in these kits, they found that one kit had been copied many times, with different images. Moreover, the creator of the kit was skimming off the people using the kit; every time someone fell for a phishing site, their personal data not only went to the phisher who put up the site, but also to the author who wrote the kit.
With personal information flowing in, what does the average phisher do next? Dhanjani and Rios googled to find sites trading personal data--not a surprising find. What they found was that U.S. and U.K. IDs often sold for much less than European and Asian data. They could not account for the difference.
They also found forums and sites dedicated to ATM "skimming." Skimming is the physical use of secondary readers and keypads on ATMs used to capture account numbers and PINs. Often the ATM transaction goes through, and the customer doesn't realize the account has been compromised until later.
Dhanjani and Rios suggested that site administrators should lock down their sites so that phishing kits don't take root. They also suggested that sites require more security in order to raise the bar. By requiring a customer to use two-factor authentication, or a persistent cookie, many of the financial phishing sites would cease to be effective, they said.
Washington D.C. -- Like the Bank of America brand name, the United States Internal Revenue Service is a brand that also needs online protection. On Wednesday, Special Agent Andy Fried with the U.S. Treasury Department gave a second keynote address to start off Black Hat DC 2008. He said as of February 19 this year, there were 1,630 phishing sites using the IRS name or logo, marking a 12 percent to 17 percent increase over last year.
Although the IRS phishing sites may be taken down with an hour or so, that's still long enough for a victim to volunteer personal information online. Fried stated that the IRS does not contact people via e-mail. He also noted that many of the phishing sites and e-mails came "out of Eastern Europe."
While he was concerned about ordinary people getting hit, he called upon the antivirus community to immunize their applications before the IRS staff reported for work in the morning. His concern was the IRS itself, which, in the morning would start to get forwarded examples of the e-mail and could potentially infect the IRS with malware.
In January 2008, Fried said that the IRS reached a full one percent of all spam traded on the Internet--a record for the agency.
Fried also warned against using peer-to-peer applications on the same desktop with your tax information on it. He and his investigators will periodically fire up LimeWire and find hundreds of copies of people's tax returns available for downloading. "If you don't know what you are doing with P2P," said Fried, "don't use it."
Fried said he expected more IRS-themed Internet activity in May when the U.S. government plans to issue tax rebates to qualified individuals, but declined to specify what he expected.
WASHINGTON--On Wednesday, Black Hat D.C. 2008 gets under way, after two days of intense training sessions. The D.C. Black Hat security conference is much smaller than the summer Black Hat USA in Las Vegas. But what D.C. lacks in size, it makes up for in sessions and talks.
On tap for Wednesday is a keynote speech from Jerry Dixon, former director of the National Cyber Security Division, Department of Homeland Security. Following the keynote address will be two parallel tracks of programming--Web app and wireless--including presentations from Chuck Willis of Mandiant on forensic challenges of cross site scripting, Adam Laurie on practical RFID hacking, Nitesh Dhanjani and Billy Rios on beating phishers, Sachin Joglekar and Sundeep Patwardhan on attacks on VoIP through IPSec tunnels, and Neal Krawetz on image analysis.
Thursday will continue with two parallel tracks--defense and hardware/embedded--and will include Christopher Tarnovsky discussing security failures in secure devices, Zac Franken on biometrics, as well as others.
Throughout the two-day event there will be various birds-of-a-feather talks, opportunities to talk to session speakers, and on Wednesday evening, additional speakers.
- prev
- 1
- next
