Jeff Moss (Credit: Darington Forbes)
Like many young hackers, Jeff Moss got his start copying computer games, learned how to program, and began to explore the world through a modem.
Unlike many young hackers, Moss has managed to turn his computer and social-networking skills into a business. He founded Defcon, the first major hacker conference and the largest in the world, as well as Black Hat, its more corporate counterpart. And now he is helping the U.S. government, as a member of the Homeland Security Advisory Council.
Moss talked to CNET News during National Cyber Security Awareness Month about his digital coming-of-age and how Google, Yahoo, Facebook, and other sites are putting consumer privacy at risk and jeopardizing social-justice movements around the world.
This is the final installment of a two-part Q&A with Moss. Part 1 ran on Friday.
Q: When you first started Defcon, that was what year again?
Moss: Ninety-two, '93. I think I started planning in '92 and it happened in '93.
So, things were different then. Can you talk about how the landscape has changed and what the real threats are now?
Moss: I'd say the biggest change is just that money got involved and once money was involved it changed everything. Actually that's not true. Technology grew up. So two things: money and technology. Technology grew up and a lot of the original motivations for hacking sort of changed, at least for my generation. When Internet access is essentially free and Unix is free and phone calls are essentially free and pennies on the minute, not dollars on the minute, why do you need to steal a phone call when it's free? Why do you need to break into a university to read man (manual) pages on Unix when you can download free security guides online?
You had to work so hard to learn something, and once you learned it you felt like it was yours. You made it yours by discovering it and figuring it out and sharing it with your friends. But now it's basically just handed to you on a Google search page so that motivation is just different now. Now it's not a question of figuring out how the SS7 phone switching network works. You can download 50 documents that tell you how it works. It's more about now the information is basically free what do you do with the information? How do you use it? Before it was about the quest for information; just getting your hands on the information was a victory.
As soon as people started making money on the Net...during the dot-com boom, that's when you could see the impact. Everybody needed somebody with Internet skills. And at that time it was hackers and early adopters. So all the early adopters could go out and get paid for their hobbies. That changed the nature of it too. It became a job as opposed to a hobby. When the criminals finally caught on that there was some real money with low risk and potential high reward...once nation states and organized crime groups got involved, that was the end of the age of innocence. It happened really quickly; 10 years or so. It used to be that you could probably defend against the bored college student and a couple of his buddies and you could do some defensive maneuvers and watch your log and know when somebody is poking around (your network) and have a pretty good handle on things.
Audio: an edited audio version of the interview with CNET's Elinor Mills is available as an mp3 download (3MB).
But the amount of noise and the amount of scanning and the amount of resources that people can put against you now, it's kind of...(laughs) I used to always say that large governments, military, and an EDS or a Microsoft, they've got the in-house talent to defend themselves and the budget to do it if they have to. But the SMBs, the small and medium businesses, they don't have the talent or the budget or the experience, so those poor companies are at a disadvantage in this kind of world... The technology hasn't matured to where you just plug it in and it works. You still need a certain amount of high-end talent if you want to be secure. So we're not at the point where you buy a car and you've got the air bag. We're not there yet. Every year the bar keeps getting raised and it's a little bit harder to break in. But that just means that the better-funded organized crime groups and governments could potentially be the last ones left standing. And when the attacks get so sophisticated and so subtle your average sec guy is not going to necessarily have the computer skills to protect against it.
Is that an argument then for managed security services?
Moss: Hmm. Do you mean something like a Counterpane, the sort of centralized log management where they analyze everything?
Yeah.
Moss: That's essentially (similar to the idea of putting) your eggs in less baskets and have experts watch the logs. The DHS (Department of Homeland Security) is trying to do that with Einstein. It seems like that's a rational response to the problem. I'll have to think about that. The problem is by the time they notice something is the damage already done if they're infiltrating secrets, say, versus defacing your home page? If you look at the nature of the problems the organized crime groups generally want money and the government wants secrets and they go about their business differently because the goals are different. Maybe centralized services like that work better against one group than the other.
How did you first get into hacking and on to computer security? What got you interested in all this?
Moss: It was kind of random. My dad was a doctor at the University of San Francisco and the university was offering some discount if you bought an IBM, you could get it at some kind of educational discount...so they bought a pretty expensive computer back then for me and my sister to play with.
How old were you?
Moss: I was right around 12 or 13.
And you are how old now?
Moss: Thirty-nine. And my sister wasn't interested in it. She ended up getting into music and it turned into my computer instead of the family's computer. I started off as a software pirate. You're 13 years old and your buddy gets a game for his birthday and I've got a game and there just weren't that many games on the PC back then. You could either just straight copy the game or if there was some sort of copy protection you saved up and bought a copy of 'Copy to PC' and you could copy each others' games. You would try to figure out why did that work. There weren't a whole lot of programming books back then so I learned BASIC and I started learning assembly language.
And then to upgrade the machine you had to learn how to take apart the machine and it was much cheaper to buy memory and install it yourself than to buy a memory card. I had no money as a kid. So there were these overclocking kits you could buy for like $50 or $60. You could overclock your CPU to make it go 30 or 40 percent faster. Instead of going something like 6.55 or whatever megahertz, you could make it go 8 megahertz and that was awesome. So then you would figure out why does that work? What's going on there?
And then the huge revelation for me was getting a modem. Once I got an acoustic coupler modem, a 300-baud modem, that was the beginning of the end for me because all of a sudden I got to communicate (with others online). It started with my friends who had modems and I would use them over at their house and eventually I saved up and got my own. And you would be on these message bulletin board systems talking with people in the Bay Area. They didn't know your age or your gender or your education or anything and you're having conversations with grownups about grownup topics, drugs, technology, music, whatever it is. The sort of conversations you didn't have with your parents. You could overhear other people having conversations about (things). It was this great glimpse into the bigger world that was out there. And that really opened up my eyes. It was different from what we talked about at school. It was different from what you talked about with your friends, your parents. It was a whole other world and it just made you want to find more and more bulletin boards and more and more people. And that led to phone phreaking, trying to figure out how the phone systems worked and how to call longer distance and the cheapest way to do it. It was that exploration.
And it was all very random for me. I knew about the phone systems because I ran a bulletin board and I spent a lot of time dialing long distance to get onto different bulletin boards. And I knew about software programming but I didn't really know about hacking until a chance encounter with someone. And he had the opposite experience. He didn't know anything about phones and he didn't know anything about copy protection or reverse engineering that way, but he knew all about hacking. He knew all about networking, which is something I didn't know about because I didn't have a network in my house. Everything was point-to-point dial-up. Nothing was a network. So through him I learned about networking.
Things happened in my life at certain times. Very random. It was luck. I was lucky my parents bought that computer. It was lucky I learned about the modem and lucky I ran into that guy who taught me about hacking. I would love to say it was some master plan on my part, but it was a happy set of circumstances.
That reminds me of the Malcolm Gladwell book "Outliers" that I'm reading right now. It's very relevant to what you're talking about--that it's not just intelligence, but also opportunities that give people the ability to accomplish things.
Moss: Is that the book that talks about the 10,000 hours (the amount of time it takes to practice something in order to become a success at it)?
Yes.
Moss: Somebody told me about that and I totally believe it. If I think about it, I put in thousands and thousands and thousands of hours just talking to people and reading and programming and screwing around with computers and trial and error on phones and everything until it became sort of second nature. If you think about people who are really good with musical instruments, they put in tens of thousands of hours. Or (people) working on cars. I have a friend who is fantastic car guy and he grew up with a wrench in his hand. He innately understands how mechanical things work.... (These people) see the world differently (and have) developed a sixth sense toward it.
Do you have a sixth sense toward hacking?
Moss: Well, you have a sixth sense toward looming problems. Somebody announces an (integration) project and you just think to yourself "Oh, that's going to be a problem. How are they going to do that?" From a technology standpoint how are they ever going to get all those systems to work and from an HR or organizational standpoint, you just know it's not going to happen...
In the back of my head I wonder if we haven't embraced the Internet technologies (too) quickly. If you're going to touch these critical systems you need a different mentality. You need a different skill set. I don't know. For example, SCADA (Supervisory Control and Data Acquisition) systems are starting to be hooked up to Web interfaces and it makes central management really easy and it makes understanding and visualizing the process flow information really easy. So the managers hear that and think cost savings and ease of management and ease of visibility. I hear that and I think "Whoops, that's going to be a problem." You're joining these two networks with Web protocols that are essentially inherently insecure or are difficult to secure and then you go and listen to Moxie Marlinspike talk about the problems with SSL and you think to yourself, "That's a problem." You just get a sixth sense about things like that.
So we've covered a lot of ground here. Is there anything else to discuss about computer security, cybersecurity, your background?
Moss: I have a current rant I've been going on about. It's my low-hanging fruit rant. Six months ago there was an open letter to Google asking them to please make everything HTTPS (Hypertext Transfer Protocol Secure) by default and I was a signer on that letter. It was another one of those (proposals that) made total sense. Why isn't there a push to just make everything HTTPS by default? Because everybody's browsers work with it. Computers are fast enough now. Home PCs are fast enough that the extra encryption doesn't even faze them. Why not start getting rid of HTTP and moving to HTTPS? That seems like a pretty low-hanging fruit, easy to do. If you can't do that what makes you think you are going to be able to do more complicated things?
And if you look at what we rely on, we rely on the Web, which isn't secure. We rely on DNS (domain name system), which isn't secure and we rely on e-mail, which isn't secure. The three foundational things we've been using since the dawn of time aren't secure and there doesn't seem to be a big push to fix any of it. These big companies that are encouraging us to put our lives online, the Yahoos, the YouTubes of the world, they're not doing their bit to secure it.
The thing that really kind of pissed me off, during the whole Iranian revolution or protest over the election you saw all these people just pouring their hearts out on these different social sites and their political beliefs out over unsecured http. And the government is sitting there just collecting it all, recording it. And sooner or later they'll come knock on people's doors. It really drove home we are beyond sharing pictures of fluffy cats and the social sites are now being used to organize political movements and social-justice issues.
If that kind of stuff is going to happen you've got to do it in a secure fashion or you're being negligent. Because if it was SSL (Secure Sockets Layer) between say the dissidents in Iran and some social site they would know your IP (Internet Protocol) address connected to Facebook, for example. And they would know that you transferred a couple hundred thousand bytes (of data) but they wouldn't know your log in, they wouldn't know your friends, they wouldn't see what you are posting. They wouldn't know any of that. That seems like a good thing if you are concerned about the well-being of your citizens. A lot of problems would go away if everything were just SSL by default. A lot of the privacy concerns would go away. Every time I get a chance to talk to somebody at one of the big social sites I give them some grief and say, "How come you aren't doing this? Why do you protect my log in but you don't bother to protect the rest of my session?" It's super frustrating.
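The eavesdropper Moss describes can be made concrete. The block below is an added example, not code from the interview or from any of the sites he names: it models a passive on-path observer looking at a single client-to-server payload, first as plain HTTP (method, Host, Cookie and the posted text are all readable) and then as the TLS ClientHello that opens an HTTPS connection, from which only record sizes and, until Encrypted Client Hello is deployed, the server name (SNI) can be read. It also checks the other half of his complaint, a login protected by SSL but a session cookie issued without the Secure attribute, which the browser will happily send over plain HTTP afterwards. The site name social.example, the cookie value and the status text are constructed sample data; the ClientHello is built by the example itself with a zeroed random and a single cipher suite.

```python
# Added example (not from the interview): what a passive on-path observer recovers from one
# client-to-server payload when the session is plain HTTP versus TLS. Host names, cookie
# values and the status text below are constructed sample data.

def parse_http_request(raw: bytes) -> dict:
    """Plain HTTP: method, path, Host, Cookie and the POST body are all readable."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"protocol": "http", "method": method, "path": path,
            "host": headers.get("host"), "cookie": headers.get("cookie"),
            "body": body.decode("iso-8859-1")}


def parse_tls_client_hello(raw: bytes) -> dict:
    """TLS: only the record length and, pre-ECH, the server name (SNI) are in the clear."""
    if len(raw) < 5 or raw[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(raw[3:5], "big")
    hs = raw[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                   # handshake header, client_version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")      # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    sni = None
    if p + 2 <= len(hs):
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            ext_type = int.from_bytes(hs[p:p + 2], "big")
            ext_len = int.from_bytes(hs[p + 2:p + 4], "big")
            ext = hs[p + 4:p + 4 + ext_len]
            if ext_type == 0:        # server_name: 2-byte list length, then (type, len, name) entries
                q = 2
                while q + 3 <= len(ext):
                    name_type, name_len = ext[q], int.from_bytes(ext[q + 1:q + 3], "big")
                    if name_type == 0:               # host_name
                        sni = ext[q + 3:q + 3 + name_len].decode("ascii")
                        break
                    q += 3 + name_len
            p += 4 + ext_len
    return {"protocol": "tls", "record_len": rec_len, "sni": sni}


def observer_view(packet: bytes) -> dict:
    """Dispatch on the first byte: 0x16 is a TLS handshake record, anything else is treated as HTTP."""
    return parse_tls_client_hello(packet) if packet[:1] == b"\x16" else parse_http_request(packet)


def session_cookie_is_protected(set_cookie: str) -> bool:
    """The 'protect the login but not the session' problem: a session cookie set without the
    Secure attribute is replayed over plain HTTP and can be sniffed; HttpOnly keeps it from script."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}
    return {"secure", "httponly"} <= attrs


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS ClientHello carrying one SNI entry (zeroed random, one cipher suite)."""
    name = host.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_ext = (b"\x00\x00" + (len(entry) + 2).to_bytes(2, "big")
               + len(entry).to_bytes(2, "big") + entry)
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session_id
            + b"\x00\x02\x13\x01"                      # one suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                              # null compression
            + len(sni_ext).to_bytes(2, "big") + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed samples: the same status update posted over HTTP, and the ClientHello that would
# open an HTTPS connection to the same (made-up) site.
PLAIN_HTTP_POST = (b"POST /status/update HTTP/1.1\r\n"
                   b"Host: social.example\r\n"
                   b"Cookie: session_id=deadbeef1234\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\n"
                   b"Content-Length: 29\r\n\r\n"
                   b"status=meet+at+the+square+7pm")
TLS_CLIENT_HELLO = build_client_hello("social.example")

if __name__ == "__main__":
    print(observer_view(PLAIN_HTTP_POST))    # cookie and body readable
    print(observer_view(TLS_CLIENT_HELLO))   # only the server name and sizes
    print(session_cookie_is_protected("session_id=deadbeef1234; Path=/"))   # False
```

Run it on its own and the two dictionaries side by side make the point: the HTTP view hands an observer the session cookie and the text of the post, while the TLS view yields the destination host and byte counts and nothing else. The cookie check is the quick test to run against any site that encrypts its login page but not the rest of the session.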
Jeff Moss, founder of Black Hat and Defcon. (Credit: Darington Forbes)
As a hacker and organizer of Defcon, an event where computer security vulnerabilities and exploits are routinely unveiled, Jeff Moss seemed an unusual choice when he was named to the Homeland Security Advisory Council in June.
But his background and lack of government experience brings a fresh, outsider's perspective to a public sector plagued by a fast-changing threat landscape, perpetual turf wars, and bureaucratic inertia.
With National Cyber Security Awareness Month under way, CNET News discussed with Moss his new role, his thoughts on the national ID card debate, and how the government wants to use social media sites for public emergency alerts. This edited interview is the first of two parts. Part two will run on Monday.
Q: So, how's it going on the Homeland Security Advisory Council?
Moss: It's going pretty well, it's pretty exciting actually. Recently we did a recommendation, I'm sure you read about it, the homeland security color codes. There are the five color codes. Normally the country is on like yellow or orange. I think we've only been to red once. But we've never been to the two lowest, blue and green. So the system was up for review. It turns out that the color codes work really well for industry and government. They have procedures in place. They do things automatically when the color codes are changed. It is actually successful for them but for the third group that uses them, civilians, it actually doesn't work well at all.
Right. We don't understand it. We're like, what does it mean? Is it real?
Moss: How does it give us any actionable information? How should we change our behavior based on it? That's what came out of the report was that it's very hard for civilians to do anything with it and it causes confusion, and it's the No. 1 source of ridicule. The system needs to stay because it's valuable for the other two groups, but it needs to change was the conclusion of the report. So they had a couple of recommendations and one was to just get rid of the two lowest colors because honestly we've never been at them; make the new normal orange. Three levels is probably more realistic than having five. The U.K. doesn't have five either, I think they have three.
Joe "Kingpin" Grand, the designer of the Defcon badges, wearing one of the highly coveted Uber badges that winners of certain contests are awarded that grants life-time access to Defcon. The art on the badge is by Eddie Mize. (Credit: Eddie Mize)
Most badges from conferences and trade shows end up in the trash. Not so the badges from the Defcon security show, which are stylized, mysterious, and highly customized electronics equipment designed to be hacked.
Instead, they end up as collector's items. Bidding on eBay for a Defcon 17 badge from last weekend had reached $81 on Tuesday with three days to go, while a 2007 badge was at $33.99.
The Defcon badges and badge hacking contest, both highly anticipated at the conference each summer, not only give the hackers a mental challenge to figure out what the devices are capable of doing, but they serve as tools for participants to demonstrate their talent at coming up with innovative hacks.
"Each year we push the limits of printed circuit board design techniques and try to show off devices and technologies attendees might not have seen before," Joe "Kingpin" Grand, who has designed the Defcon badges for the past four years, said in an interview on Tuesday. "We are doing things on circuit boards now that clearly have never been done before."
This year's badge was the most sophisticated yet. It doesn't just have a circuit board on it; it is the circuit board. It runs on a 3-volt battery and has a built-in microphone and a multicolored LED (red, green and blue) that reacts to sound by changing color and brightness and by blinking.
The microphone picks up noises, such as conversation and music, and the LED pulses to it. The LED will even flash "SOS" in Morse code when the sound is extremely loud for a period of time--an eardrum protection feature that would surely be useful at the Defcon parties where loud Techno music is the standard.
The badge also has a battery-saving feature and goes to sleep if the environment is quiet, waking occasionally to listen for sound before hibernating some more if it remains still.
The microphone is not a recording device (as some suspected), but the badge can be modified to capture sound for playback. One hacker did just that by attaching an SD (Secure Digital) card reader to the back and modifying the code so it would store the microphone input, Grand said. That effectively turned the badge into a bug that could be used to eavesdrop on unsuspecting bystanders.
The design is slick and aesthetically pleasing and the badge itself is thin, light, and not bulky. The front has multiple layers of silk screen graphics.
There are seven different types of badge for the different participants: Human, Press, Speaker, Vendor, Contests, Goon (security) and Uber, which is a highly coveted badge that winners of certain contests receive, giving them lifetime access to Defcon. Each type of badge has its own shape. Like a puzzle, they form an image when assembled all together.
Soldering wires to pins and pads
Grand, whose Grand Idea Studio develops and licenses electronic products, chose an MC56F8006 Digital Signal Controller manufactured by Motorola spin-off Freescale for the processing. He surrounded the chip with test points that provide access to interfaces on the chip.
Hackers can wire three of the test points to the corresponding test points on other badges enabling a multi-badge communications interface for creating a network of badges that can blink in unison. If any badges are connected, the Human badge becomes the master and controls the LED output of all of them.
The Defcon 17 press badge hides some nifty features. (Credit: James Martin/CNET News)
The badges, which were manufactured in China and held up in U.S. Customs until shortly before the show started on Friday, include a Static Serial Bootloader that allows attendees to load their own programs and firmware. All it requires is a simple connection to a PC and a terminal program, like HyperTerminal, to upload custom code, Grand said.
He designed in some hidden features, as well. For instance, if a certain frequency of high-pitched sound--a 1,000 Hertz sine wave generated from a computer or iPhone, say-- is emitted near the microphone, the badge will blink a secret in Morse code. The message is the URL for a formerly secret Web site that has additional information on the badges.
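As an added example, not the badge's actual firmware or any of Grand's code, the block below models the behaviour the article describes: a 200-sample block of microphone input is checked for the 1,000 Hz trigger with the Goertzel algorithm (a single-bin DFT, which is how a small DSP detects one tone cheaply), a Morse encoder produces the blink timeline for "SOS" or a URL, and a small state machine pulses the LED with the sound level, blinks SOS after sustained loud sound and sleeps after sustained quiet. The 8 kHz sample rate, the tone-power threshold, the loudness thresholds and the 2 s / 5 s timings are assumptions chosen for illustration, and the sine() helper stands in for real microphone samples.

```python
# Added example (not the badge's real firmware): a software model of the behaviour the article
# describes. Thresholds, timings and the sample rate are assumptions chosen for illustration.
import math

SAMPLE_RATE = 8000      # Hz, assumed; 200-sample blocks put 1000 Hz exactly on DFT bin 25
BLOCK = 200

MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.", "G": "--.",
    "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..", "M": "--", "N": "-.",
    "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.", "S": "...", "T": "-", "U": "..-",
    "V": "...-", "W": ".--", "X": "-..-", "Y": "-.--", "Z": "--..", "0": "-----",
    "1": ".----", "2": "..---", "3": "...--", "4": "....-", "5": ".....", "6": "-....",
    "7": "--...", "8": "---..", "9": "----.", ".": ".-.-.-", "/": "-..-.", "-": "-....-",
    ":": "---...",
}


def morse(text: str) -> str:
    """Encode text; words are separated by ' / ' so a URL-like message can be blinked."""
    return " / ".join(" ".join(MORSE[c] for c in word) for word in text.upper().split())


def morse_timeline(text: str) -> list:
    """Turn text into (led_on, duration_in_units) pairs using the standard 1/3/1/3/7 timing."""
    out = []
    words = text.upper().split()
    for wi, word in enumerate(words):
        for ci, ch in enumerate(word):
            code = MORSE[ch]
            for si, sym in enumerate(code):
                out.append((True, 1 if sym == "." else 3))   # dot = 1 unit, dash = 3
                if si < len(code) - 1:
                    out.append((False, 1))                  # gap between dots/dashes
            if ci < len(word) - 1:
                out.append((False, 3))                      # gap between letters
        if wi < len(words) - 1:
            out.append((False, 7))                          # gap between words
    return out


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE) -> float:
    """Single-bin DFT power at target_hz, normalised so a full-scale sine gives 0.25."""
    n = len(samples)
    k = int(0.5 + n * target_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n * n)


def tone_present(samples, target_hz=1000.0, threshold=0.05) -> bool:
    """The hidden-feature trigger: is a tone near target_hz loud enough in this block?"""
    return goertzel_power(samples, target_hz) > threshold


def rms(samples) -> float:
    return math.sqrt(sum(x * x for x in samples) / len(samples))


def sine(freq_hz, amplitude=1.0, n=BLOCK, sample_rate=SAMPLE_RATE) -> list:
    """Constructed test signal standing in for microphone samples (full scale = 1.0)."""
    return [amplitude * math.sin(2.0 * math.pi * freq_hz * i / sample_rate) for i in range(n)]


class BadgeSim:
    """Control loop: pulse the LED with the sound level, blink SOS after sustained loud sound,
    sleep after sustained silence. Returns ('react', brightness) | ('sos', timeline) | ('sleep', [])."""

    def __init__(self, loud=0.6, quiet=0.02, sos_after_ms=2000, sleep_after_ms=5000):
        self.loud, self.quiet = loud, quiet                   # assumed RMS thresholds
        self.sos_after_ms, self.sleep_after_ms = sos_after_ms, sleep_after_ms
        self.loud_ms = self.quiet_ms = 0

    def step(self, level: float, dt_ms: int):
        self.loud_ms = self.loud_ms + dt_ms if level >= self.loud else 0
        self.quiet_ms = self.quiet_ms + dt_ms if level < self.quiet else 0
        if self.loud_ms >= self.sos_after_ms:
            return "sos", morse_timeline("SOS")
        if self.quiet_ms >= self.sleep_after_ms:
            return "sleep", []
        return "react", int(min(level, 1.0) * 255)


if __name__ == "__main__":
    print(tone_present(sine(1000.0)), tone_present(sine(400.0)))   # True False
    print(morse("SOS"))                                             # ... --- ...
    badge = BadgeSim()
    for _ in range(20):
        mode, payload = badge.step(rms(sine(1000.0)), 100)          # 2 s of loud sound
    print(mode)                                                     # sos
```

The Goertzel filter is the piece worth noting: it costs one multiply-add per sample and needs no FFT, which is why a single chosen frequency makes a practical trigger on a badge-sized controller, and why a 400 Hz tone of the same amplitude leaves it unmoved.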
While this year's badge was designed as a sound-activated LED gadget, last year's badge doubled as a TV-B-Gone, able to remotely turn TVs off, and as a file-sharing device: it had an SD memory card so that badge holders could send files to and receive them from other badges over infrared. In 2007, the LEDs scrolled a programmable message on the badge.
With the contest, Grand and other judges, including Defcon founder Jeff Moss, are looking for the most creative, unique or mischievous badge hacks and modifications that weren't intended.
First place in the Defcon badge hacking contest went to Zoz Brooks, who has a Ph.D. in electrical engineering and computer science from MIT and was one of Grand's co-stars on the Discovery Channel TV series "Prototype This."
Brooks modified a hat into an anti-surveillance device by wiring up the brim with LEDs. When you turn on a device controlled by the badge all the lights blink at a certain frequency that generates enough optical noise to defeat facial recognition systems.
For the second part of his project, Brooks modified a badge from last year's Defcon to create a device that can help someone escape detection by infrared motion detection sensors that are temperature sensitive. He added a temperature sensor to the badge that indicates when the room is warm enough for someone to start moving so as not to trigger the motion sensor. A motor on the badge controls two foot-shaped pieces of plastic so that they move at the pace needed to evade detection--two inches per second, giving an indication of how slow someone's feet need to move.
The second place winner of the Defcon badge hacking contest went to a group that created what they called a "Sound-Fearing Blimp." They wrote custom software for the badges and hung three of them to the bottom of a toy blimp. Each badge measured the sound level coming from its microphone and set the speed of its individual drive motor accordingly, steering the blimp away from areas with greater noise levels. The badges were connected together to communicate between themselves.
Third place went to "Solder Guy," who added a speaker and keypad and turned the badge into a multi-function dialer that, in the vein of classic phone phreaking, could act as a blue box for making free long-distance calls. "He didn't demonstrate that part because technically it would be illegal," Grand said.
One of the more unusual of the 23 contest submissions was a badge as polygraph device. It used galvanic skin response and measured the heart rate to try to determine whether an individual was answering honestly or not to questions posed.
"It didn't place, but it was neat," Grand said. "They tested it on me (with only about five questions)...and it seemed to work. It was convincing."
Hacking the Defcon badges
Defcon badges, designed to be hacked, get turned into a polygraph, blue box dialer, sound sensitive blimp navigator and a device for defeating facial recognition systems. Photos: Defcon badge inspires hacks
(Posted in InSecurity Complex by Elinor Mills, August 5, 2009 4:00 AM PDT)

Related coverage
Hanging with hackers can make you paranoid. Compromised ATMs, virus-infected USB drives, badges with built-in microphones and security experts getting hacked--no wonder it's scary going to Black Hat and Defcon. Related: Defcon: What to leave at home and other do's and don'ts. (Posted in InSecurity Complex by Elinor Mills, August 4, 2009 4:00 AM PDT)
Using software updates to spread malware. Researchers warn that attackers could put malware on machines by intercepting software updates on Wi-Fi networks. (Posted in InSecurity Complex by Elinor Mills, August 1, 2009 4:17 PM PDT)
Researchers offer tools for eavesdropping, video hijacking. UCSniff can be used to spy on video conference calls while VideoJak allows for hijacking of video streams. (Posted in InSecurity Complex by Elinor Mills, July 31, 2009 5:51 PM PDT)
Apple fixes iPhone SMS flaw. Vulnerability in iPhone software allowed hackers to take control of the device via an SMS message, as demonstrated at Black Hat. Related: Apple cautions iPhone users about jailbreaking. (Posted in Security by Jim Dalrymple, July 31, 2009 11:50 AM PDT)
An SMS can force a URL or app on smartphones. The onslaught of SMS attacks continues at Black Hat with the third of a handful of mobile-related talks. (Posted in InSecurity Complex by Elinor Mills, July 30, 2009 7:28 PM PDT)
Hackers claim to bypass S.F. e-parking meters. A trio of programmers and engineers say they can bypass the security mechanisms of the city's electronic parking meters and create "prepaid" cards with a value of $999.99. (Posted in Security by Declan McCullagh, July 30, 2009 2:15 PM PDT)
Researchers can attack mobile phones via spoofed SMS messages. Phones that support MMS on GSM networks are vulnerable to new SMS spoofing attacks, researchers say at Black Hat. (Posted in InSecurity Complex by Elinor Mills, July 30, 2009 1:53 PM PDT)
Flaws in domain name verification uncovered. Dan Kaminsky and Moxie Marlinspike explain how flaws in the way domain names are verified on the Internet could allow attackers to impersonate a site and steal information from unsuspecting Web surfers. (Posted in InSecurity Complex by Elinor Mills, July 30, 2009 1:14 AM PDT)
Researchers attack my iPhone via SMS. Two security researchers prove to a reporter during Black Hat that they can indeed "Pwn" her iPhone by just sending a text message. (Posted in InSecurity Complex by Elinor Mills, July 29, 2009 8:51 PM PDT)
Ex-Google CIO breaks his own security rules. Douglas Merrill talks about being CIO at Google and an exec at EMI, and how more companies need to foster innovation, letting employees use Google Calendar if they want. (Posted in InSecurity Complex by Elinor Mills, July 29, 2009 5:11 PM PDT)
Security experts' sites hacked on eve of conference. Attackers post e-mails, passwords, and other sensitive data stolen from security experts and others on hacked site of Dan Kaminsky. (Posted in InSecurity Complex by Elinor Mills, July 29, 2009 3:13 PM PDT)
Clampi Trojan stealing online bank data. Security researcher warns that two-year-old Trojan has infected hundreds of thousands of PCs and is stealing log-in credentials when victims log into bank and other Web sites. Related: Spam and malware at all-time highs; Report finds fake antivirus on the rise. (Posted in InSecurity Complex by Elinor Mills, July 29, 2009 11:30 AM PDT)
Microsoft offers patches to ward off ActiveX attacks. In rare out-of-cycle security update, Microsoft fixes hole that put IE users at risk of attacks via ActiveX and other controls. Related: Single misplaced '&' caused latest IE exploit. (Posted in InSecurity Complex by Elinor Mills, July 28, 2009 11:04 AM PDT)
Microsoft says security programs are paying off. Company releases progress report on three programs launched a year ago to identify security holes and patch them faster. (Posted in InSecurity Complex by Elinor Mills, July 27, 2009 1:17 PM PDT)
From iPhones to smart grids at Black Hat, Defcon. Security pros to swap data on hacking everything from phones to critical infrastructure at Black Hat and its less corporate sister show Defcon, where geek games and mayhem rule. (Posted in InSecurity Complex by Elinor Mills, July 27, 2009 4:00 AM PDT)
HP researchers develop browser-based darknet. Darknets, encrypted peer-to-peer networks, are normally difficult to set up and maintain. But two researchers plan to demonstrate a less complicated one at Black Hat. (Posted in Security by Tom Espiner, July 25, 2009 3:58 PM PDT)
Researchers to offer tool for breaking into Oracle databases. Free tools for breaking into Oracle databases will be released at Black Hat and Defcon next week. (Posted in InSecurity Complex by Elinor Mills, July 23, 2009 12:04 PM PDT)

Previous coverage
ATM vendor gets security talk pulled from conferences. Juniper Networks cancels researcher's talk at Black Hat and Defcon about ATM insecurities after a vendor complains. (Posted in InSecurity Complex by Elinor Mills, July 1, 2009 12:30 PM PDT)
Hacker named to Homeland Security Advisory Council. Hacker and Defcon founder Jeff Moss joins former FBI, CIA directors on Homeland Security Advisory Council. (Posted in InSecurity Complex by Elinor Mills, June 5, 2009 5:27 PM PDT)
At a hacker conference no one is safe.
When I first went to Defcon in 1995, the halls were mobbed with teenagers and attendees seemed more concerned with freeing Kevin Mitnick and seeing strippers than hacking each others' computers.
Jump forward to Defcon 17 this year, held over the weekend in Las Vegas, and things certainly have changed. The attendees are older and wiser and employed, most of the feds aren't in stealth mode, and even the most savvy of hackers is justifiably paranoid.
The Riviera Hotel room key customized for Defcon attendees. What else does it do? (Credit: James Martin/CNET News)
The evolving demographic of Defcon attendees shows that the hacker community, like all of us, is aging. But it's also a reflection of how the threat landscape has changed. Web site defacements have given way to much more serious risks like financial fraud and unaddressed critical infrastructure weaknesses. It's a cornucopia of phishing e-mails, cross-site scripting attacks that poke holes in trusted Web sites, and criminals harvesting credit card numbers and selling them on the underground equivalent of eBay with guarantees of service and support.
Defcon and Black Hat, the pricier and more corporate sister confab held the two days preceding Defcon ($120 for Defcon registration versus $1,395 to $2,095 for phased registration at Black Hat), offer a forum for researchers to share information about vulnerabilities they find in software, hardware and systems.
Targeted this year were everything from the iPhone and surveillance video feeds to e-parking meters and security underlying the Domain Name System.
Vendors and users weren't the only ones who needed to worry. Attendees had plenty to fear, and security experts themselves weren't spared.
On July 27, Web sites belonging to a handful of security researchers and groups were hacked and passwords, private e-mails, IM chats, and potentially sensitive documents were exposed on the vandalized site of security golden boy Dan Kaminsky. (Mitnick, whose jailing in the '90s for computer crimes made him a cause celebre at "Free Kevin" benefits at Defcon at the time, was among those attacked.)
There were more widespread threats at the shows, too. Anyone using the Wi-Fi networks at the events had better be careful lest they get their password sniffed and posted on the Wall of Sheep. Then there was the USB thumb drive that was passed around among attendees of Black Hat that was found to be infected with the Conficker virus.
Reporters who aren't nearly as geeky as the sources they interview are always easy prey. One reporter was concerned about being hacked via the local area network in the press room after a rare Blue Screen of Death crashed his laptop.
Last year, three French men were expelled for sniffing the press room LAN at Black Hat. They said they had obtained eWeek's and CNET's passwords but failed to prove the CNET allegation.
This year, three South Koreans registered as press were ejected for asking questions that led organizers to believe they were on an intelligence-gathering mission instead of merely reporting, according to the IDG News Service.
I had a panic of my own at Defcon this year. I was connected to the Internet using an EVDO wireless card and a virtual private network and was startled a short while later when a Web page opened up out of the blue and I noticed the VPN was disconnected. Granted it looked like a legitimate page for my wireless carrier, but not wanting to take any chances I immediately logged off.
(See "Defcon: What to leave at home and other do's and don'ts" for tips on how to best protect yourself.)
Unfortunately, I had neglected to disable the Wi-Fi on the laptop. Because Windows XP event logging is lacking, it's not clear whether someone may have spoofed the name of a wireless network the laptop is configured to automatically connect to. Time to call the help desk.
At least I didn't use any automatic teller machines at the hotel. Defcon organizers confirmed on Monday that a fake ATM was discovered in a lobby of the Riviera Hotel where the event was held, right near the hotel security office. The ruse was up after someone looked through the camera hole using a flashlight and saw a PC inside.
Meanwhile, Chris Paget, a security expert who works at Google, reported on Twitter that he lost $200 from a compromised ATM at the Rio Hotel over the weekend. There are multiple Diebold ATMs with the skimmers inside at the Rio casino, he tweeted, later adding: "Secret Service just called back. They're taking it seriously, reading between the lines it seem(s) like there's more going on here."
There is no evidence that the fake Riviera ATM was planted by anyone at Defcon, and in all likelihood the hacked Rio ATM was not associated with the hacker show.
However, a small group of Defcon attendees was seen hacking into an ATM at the Artisan hotel where a "Ninja" party was being held on Saturday night and it appeared they had the ATM in administrator mode and were trying to change settings, several sources said.
Heightening the paranoia at Defcon was the report from event organizers on Saturday that there was a confirmed Trojan on the CD the conference hands out to all attendees. The report turned out to be false.
Also arousing suspicion were the Defcon badges, which featured a built-in microphone, LED, digital signal processor, and custom circuit boards designed to be hacked as part of a contest. I prudently popped the battery out of my badge after discussing the microphone capability with another journalist. Some attendees chose not to wear the badges at all, even without the battery, tucking them in satchels and digging them out every time they needed to display them.
As it does every year, Defcon also had its share of stupid attendee tricks--one arrest reportedly for carrying a concealed weapon and another for bungee jumping off the hotel roof.
But those are par for the course when you mix booze and rebellious youth trying to out-impress each other. It was the other stuff--the hacking and viruses and sniffing--that made me and others at the show jumpy.
Security guru Bruce Schneier, however, brushed it off as the mere cost of doing business.
"This is the way hackers play," he said. "This is the experimental battlefield. It's not bad; it is just what it is. Defcon has an important place in computer security."
Updated 12:54 p.m. PDT with information on Defcon attendees trying to hack ATM, and at 11:00 a.m. with this: Apparently, some feds at Defcon got a scare of their own. As part of a security awareness project, researchers set up an RFID reader connected to a Web camera that sniffed data from RFID-enabled cards in bags and pockets as people walked by and snapped a photo of the person in possession of the card, Kim Zetter at Wired.com reports. At risk of exposure was information on government access cards and badges agents tend to carry, as well as data stored on RFID-enabled cards that accompanied badges for Black Hat. After federal agents speaking at a panel were informed of the project, the data collected was destroyed.
Attending Defcon and Black Hat can make you feel a bit like a deer in a forest full of hunters.
The iPhone, love it, but leave it at home when going to Defcon, experts say.
(Credit: CNET)
With virus-infected USB drives, Wi-Fi network sniffing, badges with built-in microphones and even security experts getting hacked, it seems like it's only a matter of time until your number comes up if you're not careful.
I asked some security experts for suggestions on what they do to protect themselves at the events and here is what they said.
Do's:
Have minimal software on your laptop, such as only the operating system and necessary applications.
Make a backup of your computer before you leave for the conference and then wipe everything and reinstall when you get home.
Disable Bluetooth and Wi-Fi on all devices.
Use an EVDO wireless card.
Only connect to the Internet when you must.
Use a virtual private network and--if you can--use RSA ID authentication and stop all direct connections to the computer.
Run Linux off a USB key, back up documents online, and start with a fresh operating system every day.
In addition to using updated security, application, and system software (antivirus in particular) and installing patches, use an operating system-level firewall.
An EVDO modem, such as the one pictured, should be the only gateway to the Internet used at a hacker conference.
(Credit: Verizon)
Use a disposable camera and a pre-paid cell phone.
Lock up your equipment in your hotel room when you are going to be gone.
Take the drives with you when you leave the laptop in the hotel room.
Ask to be listed as a non-registered guest at the hotel so people can't get your room number or acknowledgement that you are staying at the hotel.
Don'ts:
Don't plug into any Ethernet jacks.
Stay off the Wi-Fi networks at the airport and the events.
Don't use the ATMs in the vicinity of the conferences.
What to leave at home:
Your laptop and smart phone. You can't be attacked if you don't bring your equipment. If you must bring it, consider leaving it in the hotel room.
Itzik Kotler and Tomer Bitton of Radware
(Credit: Elinor Mills/CNET News)
LAS VEGAS--Two researchers from Israeli security firm Radware have figured out a way to trick computers into downloading malware or take over a computer by hijacking the communications during the update process for Skype and other applications.
About 100 applications, many among the most popular on CNET's Download.com, can be targeted, said Itzik Kotler, team leader of Radware's security operations center, before his presentation here at the Defcon conference.
Kotler and colleague Tomer Bitton are releasing a tool called Ippon (which means "game over" in Judo) that enables the attack and offers a 3D view of potential victims on a network.
With the tool, an attacker can scan a Wi-Fi network for computers checking for new updates via HTTP (Hypertext Transfer Protocol). If the system detects a computer sending a software update request, the tool replies before the app update server can respond, Kotler said.
Ippon customizes messages for the particular application and sends a message indicating that there is an update available even when the system already has the most recent legitimate update, he said. A malicious file is then downloaded from the attacker's server onto the victim's computer.
The researchers said they had not tested whether Firefox or other major browsers are vulnerable. Microsoft software is not vulnerable because it uses digital signatures in its update process, which all software updates should, Kotler said. People should be careful when using public Wi-Fi networks and avoid doing software updates on them, he said.
"You have to assume when on a public infrastructure that the infrastructure can be attacked," he added.
There is also the possibility that someone could spread an "airborne virus" via software updates that uses victim machines to attack and infect other machines on a network, according to Kotler.
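The defense Kotler points to, a signed update channel, as an added example that is not Radware's, Skype's or any real updater's code: a small Go update client that pins the vendor's Ed25519 public key and refuses a reply that is not signed with that key, that announces a version no newer than the one installed, or whose downloaded file does not match the digest inside the signed manifest. The manifest layout, key handling and payload are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the update-check reply body. Its layout is a constructed example,
// not the wire format of Skype or any other real updater.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the update file
}

type signedReply struct {
	Manifest  json.RawMessage `json:"manifest"`
	Signature []byte          `json:"signature"` // Ed25519 over the Manifest bytes
}

var ErrBadSignature = errors.New("manifest signature invalid: reply not signed by the vendor key")
var ErrHashMismatch = errors.New("downloaded file does not match the signed manifest digest")

// SignManifest is the vendor side; only the vendor holds priv.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return json.Marshal(signedReply{Manifest: raw, Signature: ed25519.Sign(priv, raw)})
}

// VerifyUpdate is the client side. A reply raced in by another host on the LAN
// fails the pinned-key check; a reply announcing a version no newer than the one
// installed is ignored; a payload that does not match the signed digest is refused.
func VerifyUpdate(pub ed25519.PublicKey, current int, reply, payload []byte) (*Manifest, error) {
	var sr signedReply
	if err := json.Unmarshal(reply, &sr); err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, sr.Manifest, sr.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sr.Manifest, &m); err != nil {
		return nil, err
	}
	if m.Version <= current {
		return nil, nil // already current: nothing to install
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrHashMismatch
	}
	return &m, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload := []byte("constructed update payload")
	sum := sha256.Sum256(payload)
	reply, _ := SignManifest(priv, Manifest{"example-app", 2, "https://updates.example/v2", hex.EncodeToString(sum[:])})
	m, err := VerifyUpdate(pub, 1, reply, payload)
	fmt.Println(m, err)
}
```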
My favorite security show each year is one at which there are no sales pitches, the speakers favor black T-shirts and dyed hair over suits and ties, and the talks tend to be controversial enough to prompt legal threats and even arrests.
I'm talking about Defcon, which starts Thursday and runs through Sunday. The event turns part of the Las Vegas strip into a geek equivalent of "Animal House" for a three-day weekend every summer.
Jeff Moss, founder of Black Hat and Defcon.
(Credit: Black Hat)
Started in 1993 by Jeff Moss, aka Dark Tangent, Defcon brings together some of the top security experts from around the world, along with thousands of hacker wannabes whose pranks in previous years--hacking the elevators and ATMs and cementing the toilets, to name a few--have led to bans at certain hotels.
"One good thing about the [economic] downturn is that the Riviera Hotel has been easier to deal with," said Moss, who was recently named to the Homeland Security Advisory Council. "They're letting us have access to the pool, so we'll have pool parties, and they've allowed us to do more social things that we wanted to do."
In addition to being a hacker playground and summer camp, Defcon is a semi-neutral ground where people who blur the lines of legality mingle with federal agents whose job it is to hunt them down.
Moss also heads up Defcon's big-sister conference, Black Hat, whose briefings schedule runs Wednesday and Thursday at the more upscale but no less kitschy Caesars Palace. (Black Hat training sessions started over the weekend.)
While Black Hat is more professional, with vendor tables in the lobby and respectable product presentations in meeting rooms, Defcon is a chaotic tableau of goth-attired groupies, script kiddies hunkered over laptops lining the hallways at all hours of the night and gray-haired hackers who were likely teens when they first started coming to the event.
The presentations are usually top-notch (many of them duplicates from the more expensive Black Hat show), but Defcon is known just as much for the activities going on outside of the sessions.
There's Hacker Jeopardy, Hacker Karaoke, an artwork contest, geo-caching events, a beverage cooling contraption contest, organized target shooting, a Capture the Flag penetration testing competition, lock picking workshops, a PGP Key Signing Party, DJs, a scavenger hunt, the highly popular Spot the Fed contest, a competition to find the best social engineer and a Cannonball Run car race described as "a race against time over 288 miles of road" from Redondo Beach to Las Vegas on Thursday.
Despite the recession, both events are expected to be crowded.
"We had been expecting 30 percent fewer attendees and in reality we're only going to have 10 to 15 percent fewer," Moss said. "The market went down and all of this research came up."
The research topics run the gamut of vulnerabilities and exploits on everything from iPhones to smart grids. One session deals with air traffic control security (or lack thereof). Others have to do with injecting electromagnetic pulses into the wiring system of jets, insecurities with Firefox plug-ins, cloud computing security issues and a new tool to send controversial news to censored countries without using proxy servers.
Unveiling a darknet
Several researchers are going to release a tool for hacking into Oracle databases. Meanwhile, two Hewlett-Packard researchers plan to demonstrate a proof-of-concept browser-based darknet type of network called "Veiled" that allows for the creation of a secure, decentralized peer-to-peer network in which no client software is downloaded.
"The clients are the owners of the files and there is no single point of failure," said Matt Wood, a senior researcher in the Web Security Research Group at HP Software and Solutions. "No one in the government can go to you and say 'we need the files.'"
Interesting session titles include "Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High," "Manipulation and Abuse of the Consumer Credit Reporting Agencies," "Hacking Capitalism '09," and "'Smart' Parking Meter Implementations, Globalism, and You (aka Meter Maids Eat Their Young)."
There's always a Meet the Fed panel with representatives from all the major defense and security-related government agencies. And well-known keynote speakers and presenters include Robert Lentz, chief security officer for the Department of Defense; Rod Beckstrom, former Director of the National Cyber Security Center in the U.S. Department of Homeland Security; Adam Savage, co-host of the "MythBusters" TV show; and perennial favorite Bruce Schneier, security guru and chief technology officer of BT Counterpane.
When hackers go public with details on exploits, vendors get nervous--companies have moved to block presentations at the shows over the years. This year is no exception. Juniper Networks pulled a talk one of its researchers was set to give about a flaw in ATM software after the ATM vendor complained. In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to provide a live demonstration of an attack on an automated teller machine.
"I'm disappointed Barnaby Jack's talk was canceled," said Moss. Another speaker this year was "forced or encouraged" not to release a tool, Moss said, but he couldn't remember which speaker or talk it was.
Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. In 2005, a security researcher was sued after giving a presentation at Defcon on how attackers could take over Cisco Systems routers. And in 2001, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave a Defcon talk about insecurities in e-book security software. All cases were eventually settled.
Defcon averted another type of legal debacle this year--the importation of its microprocessor-dependent badges, which are needed for the badge-hacking contest.
"I'm excited the badges for Defcon will be here," Moss said gleefully. "They were held up in Chinese customs for two months. It was a complete nightmare."
(Credit: Oracle)
During their presentation at the Black Hat and Defcon hacker conferences next week in Las Vegas, security experts will release a tool that can be used to break into Oracle databases.
Chris Gates and Mario Ceballos will present Oracle Pentesting Methodology and give out "all the tools to break the 'unbreakable' Oracle as Metasploit auxiliary modules," according to a summary of their presentation on the Defcon Web site.
The tools are designed to help companies determine whether their systems are vulnerable, Gates said in an e-mail response to questions from CNET News. "There wasn't a good set of (free) tools for auditing Oracle databases," he said.
Gates said he did not contact Oracle about his presentation because none of the exploits or exploitation methods are new and information about ways to mitigate the attacks has been public for some time.
"If administrators haven't applied the patches, then the databases were/are vulnerable," he said when asked if the release of his tool will expose companies running Oracle databases to attack. "Plenty of other tools exist to do exactly what we are releasing. These tools just help streamline the penetration testing process."
Gates is a member of the Metasploit project, an open-source platform used for developing, testing, and using exploit code and sharing information related to finding vulnerabilities.
"Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access," the presentation summary says.
"We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks," the summary says.
An Oracle spokesperson said the company had no comment.
Updated at 2 p.m. PDT with comment from Gates.
(Credit: Black Hat)
Last year it was smartcards and this year it's ATMs.
It's almost security conference season in Las Vegas and with one month to go, a presentation has been pulled from Black Hat and Defcon.
Juniper Networks says it pulled a talk about a flaw in ATM software that one of its researchers was scheduled to give at the security conferences, after the ATM vendor complained.
In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to discuss local and remote attack vectors on ATMs and provide a live demonstration of an attack on an unmodified ATM.
The description of the talk, which was posted on the Defcon Web site but appears to have been removed, said: "The most prevalent attacks on Automated Teller Machines typically involve the use of card skimmers, or the physical theft of the machines themselves. Rarely do we see any targeted attacks on the underlying software. This presentation will retrace the steps I took to interface with, analyze, and find a vulnerability in a line of popular new model ATMs."
In a statement, Juniper Networks said the company "believes that Jack's research is important to be presented in a public forum in order to advance the state of security. However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected. Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone Jack's presentation until all affected vendors have sufficiently addressed the issues found in his research."
Juniper Networks is reaching out to other ATM vendors to help them address any security risks uncovered in Jack's research, the statement said.
The company did not disclose which manufacturer makes the ATMs that were to be referenced in the talk. Jack could not be reached for comment.
Security issues related to ATMs are a hot topic. Last month, a computer forensics expert revealed that he had discovered malware on ATMs that allowed criminals to steal account data and PINs. Three people were arrested last year after allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes.
This is the second year in a row that a scheduled presentation at one of the two security conferences was pulled. Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. The lawsuit was later dismissed and the three MIT students who were muzzled eventually ended up agreeing to help the transit system improve its fare collection system.
And other researchers have encountered problems after giving their talks. In 2005, a security researcher was able to give his presentation at Defcon on how attackers could take over Cisco routers, but hours later Cisco Systems filed a lawsuit against him. The suit was ultimately settled.
Things were more dramatic in 2001, when the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave his Defcon talk about insecurities in e-book security software.
(The ATM talk cancellation was first reported by Risky.Biz.)