Security

July 21, 2008 9:18 AM PDT

Last HOPE to become Next HOPE

by Elinor Mills

NEW YORK--In case you were worried, HOPE is not dead.

(Credit: Last HOPE)

Just as hackers experiment with technology, push boundaries, and subvert the concepts of what it means to be safe and secure, the organizers of the HOPE (Hackers on Planet Earth) conference have had some fun of their own.

Despite calling the event this weekend "Last HOPE," it won't be the final one; just the most recent one, organizer Emmanuel Goldstein told attendees at the closing ceremonies Sunday night.

There will be another one in two years. It will be called "Next HOPE," he said.

That was good news for the approximately 3,000 attendees of this year's confab, which was the seventh since 1994.

Word of plans to tear down the 90-year-old venue, Hotel Pennsylvania, together with Goldstein's naming of the conference this year and his use of a funereal theme, had many in the community wondering if this was the event's swan song.

Goldstein has a predilection for wordplay--previous names were Beyond HOPE, H2K in 2000, and H2K2 in 2002.

As for the hotel, "plans to demolish have been shelved for the indefinite future," said Goldstein, aka Eric Corley, who also publishes the 2600 hacker magazine.

A coffin is carried during the fake wake for Last HOPE.

(Credit: Elinor Mills)

July 21, 2008 8:40 AM PDT

For the love of lock picking

by Elinor Mills

NEW YORK--I feel much less secure after attending the Last HOPE conference this weekend.

Not only is my personal information at risk every time I log onto the Internet and use a cell phone headset or passport, but even my gym locker, bike, and home can easily be accessed with the proper tools and manual dexterity.

Tools of the lock picking trade.

(Credit: Elinor Mills/CNET News)

In the popular Lockpicking Village area at Last HOPE (Hackers on Planet Earth), I watched guys twirl little pins in all types of locking devices. For some, it took less than a minute to get the locks to snap open. One lock picker even showed how to open an ordinary padlock with just a piece of aluminum from a beer can. (See video demo below.)

If I'm worried, how do they feel at the Pentagon and the White House?

Medeco, the lock that secures the doors in those two places and at high-security agencies around the world, had been un-crackable for 40 years--until last year. And now there's a book about the lock's shortcomings called Open in Thirty Seconds.

Marc Weber Tobias, co-author of Open in Thirty Seconds, gets freed from a pair of prison transport handcuffs without a key.

(Credit: Elinor Mills/CNET News)

"This is all about liability and responsible disclosure," said Marc Weber Tobias, a co-author on the book. "People need to know they are vulnerable, and the manufacturer says it can't be done."

The book doesn't reveal the codes needed to open the locks, he noted.

"The goal is to help people understand how we did it," said Tobias, who has a physical security consultancy called Security.org. "As a lawyer, I believe in full disclosure and I believe manufacturers ought to disclose the vulnerabilities in their products."

As with software vulnerabilities, manufacturers don't want to acknowledge security flaws, he said. But the difference between software and old-fashioned hardware is that software can be easily upgraded over the Internet, while locks must be physically replaced.

Below is a video that demonstrates just how easy it is to pick a deadbolt lock. "Steve," a member of Toool (The Open Organisation of Lockpickers), uses a small tension wrench to hold the pins in place while he jiggles a lock pick tool to set the pins to "open."

Credit: Elinor Mills/CNET News

In the video below, "Deviant" shows how to pick an ordinary combination padlock by shimming the shackle open with a small, folded piece of aluminum or other metal.

Credit: Elinor Mills/CNET News

July 21, 2008 8:20 AM PDT

Hacking with no technology

by Elinor Mills

NEW YORK--The typical image of a hacker is a kid hunched over his keyboard in the wee hours of the night staring at commands on his computer screen that unlock the secrets of the national government.

But, according to someone who knows better, the woman sitting next to you in the airport or Starbucks fiddling with her digital camera while you work on your company's confidential sales data could be just as dangerous.

Security researcher Johnny Long speaks at Last HOPE.

(Credit: Elinor Mills)

One of the more fascinating talks at the Last HOPE hacker conference this weekend was by Johnny Long, a security researcher who hacks, writes books on hacking, and founded Hackers for Charity, which helps children and others in underdeveloped countries.

On Sunday evening, he told about an epiphany he had when he and a friend were thwarted in their attempts to get into a highly secured building. Long was ready to give up. But his friend had another plan. He got a coat hanger and a rag and proceeded to break the window in the door. He then reached in with the straightened coat hanger and the door opened up.

"What he had done was defeat this multimillion-dollar security system with trash," Long said. "The touch bar doesn't know the difference between a wet wash cloth and a hand."

The message? "There's a lot of room for...solving problems in simple ways," he said.

Some of those simple ways to get access to supposedly secured systems, such as buildings or computer networks, without using technology include: shoulder surfing, which is viewing exposed information on computer screens; dumpster diving; and, if you can't get in the front door, trying the smokers' entrance, where you are less likely to be questioned.

Long showed photos of laptop screens he had managed to photograph in airports and other public places where executives and military officials were casually but unwittingly revealing confidential and sensitive information to anyone within a few feet. Based on his ample photographic evidence, it's clear that nobody tries to hide which buttons they are pushing on passcode-secured doors, even at the airport's TSA room.

You have to wonder: if Long could snoop so easily, what data could someone who is really targeting a source get at?

He showed photos of ATMs, grocery store check-out terminals, and other public kiosks displaying error messages or otherwise left in a state in which they could be easily compromised.

Long also talked about how easy it is to "sniff" a hotel's billing and room entertainment network over the cable system and view other people's room charges and activities, such as porn surfing, logging into banking accounts, and e-mail communications.

Then there are what he called the "Jedi wave" and "fed blend" techniques of getting past security guards and mingling with federal officials by wearing a fake badge and just acting like you belong.

Blending in is the key to getting access, he said. Wearing a uniform will get you in anywhere, and telephone repair, FedEx delivery, and other uniforms are readily available on eBay and other sites.

July 20, 2008 10:36 AM PDT

Social Engineering 101: Mitnick and other hackers show how it's done

by Elinor Mills

NEW YORK--Kevin Mitnick knows that the weakest link in any security system is the person holding the information.

As a young fugitive hacker, he went to jail for breaking into computer networks, relying more on cunning and persuasion than on his technical skills. He was an early master of the science of social engineering--manipulating people into doing what you want, such as giving out passwords and other information that unlocks sensitive data on networks.

Kevin Mitnick takes the stage at the Last HOPE conference.

(Credit: Elinor Mills)

Mitnick and a panel of other hackers discussed their social engineering pranks and gave live demonstrations at the Last HOPE (Hackers on Planet Earth) conference late on Saturday.

"Everything happened more than five years ago" and the statute of limitations has passed, he said. "I never said I didn't deserve to be punished, but it really went overboard putting me in solitary confinement" for eight months.

Mitnick, who was released in 2001 after serving five years in jail, announced that he has a contract to write his life story and showed a preview for a reality-based TV series in development in which he would test corporate networks by trying to break into them. As part of his plea agreement, he was banned from writing a tell-all until 2007. He also runs a security consulting firm and lectures.

Dubbed the "most dangerous hacker in the world," Mitnick was put in solitary confinement and prevented from using a phone after law enforcement officials convinced a judge that he had the ability to start a nuclear war by whistling into a pay phone, he said.

Mitnick didn't do any whistling on Saturday, but in his keynote following the panel he talked about how he listened in on FBI phone calls during the three years he evaded the agency, left agents doughnuts when he narrowly escaped raids, and was chased down by a helicopter. He also demonstrated how to see the phone numbers of callers on caller ID even when they have set their number to be blocked.

Below are some videos taken during the panel:

Mitnick and HOPE organizer Emmanuel Goldstein swap stories about using social engineering to get IDs and directories out of workers at telephone central offices.

Mitnick tells attendees at the Last HOPE conference about how he used social engineering on workers at a Hollywood telephone company central office in the middle of the night.

Goldstein does a live phone prank on a Starbucks employee offering aid for laid off employees from the fictional "Last HOPE Foundation" during a social-engineering panel at Last HOPE.

July 19, 2008 9:25 AM PDT

Protecting against Wi-Fi, Bluetooth, RFID data attacks

by Elinor Mills

NEW YORK--Using a laptop, cell phone headset, building access badge, credit cards, or even a passport can make you a walking target for data thieves and other criminals, a security expert warned at the Last HOPE hacker conference here late Friday.

Security expert RenderMan discusses the insecurity of RFID chips, Bluetooth headsets and laptops using Wi-Fi at the Last HOPE hacker conference.

(Credit: Elinor Mills/CNET News)

In a frightening but entertaining session entitled "How do I Pwn Thee? Let me Count the Ways" (pwn is hacker speak for "own" or control), a hacker who goes by the alias "RenderMan" explained how most people are at risk and don't even know it.

By now most people probably know they should be careful using Wi-Fi networks, especially public hotspots that don't encrypt data transmissions and where network access points can be spoofed. These issues leave Web surfers at risk of having their data stolen, receiving fake Web pages and other information, and having their computers completely taken over, he said.

Even airplane passengers who either ignore stewardess requests to disable Wi-Fi or don't know how to turn it off are not immune to attacks from others in the airplane, he added.

RenderMan suggests that people disable Wi-Fi when it is not in use and use VPNs and firewall software.

Bluetooth headset users are at risk because of a security hole in the technology and default PINs that don't get changed, he said. By exploiting these vulnerabilities, someone can break in and steal data from the phones, make calls without the cell phone owner knowing, listen in on and break into conversations, and even spy on people by turning the device into a bug.

He advises that people change the default password, disable the Bluetooth on the phones, turn off the headsets when not in use, and limit access to the data and features when communicating with other Bluetooth devices.

Many people don't realize that new U.S. passports have RFID technology with weak encryption that makes the data on the chip easy to read with the proper reader device. (See related video below.)

The U.S. government attempted to mitigate the privacy threat by putting a metal foil layer on the front and back cover of the passports, but the stiffness of the foil pops the passport open as much as an inch, wide enough for RFID readers to snatch the data, RenderMan said, showing a video to demonstrate this.

"There is no rule that says that if the chip doesn't work, they will refuse you access to the border. You will get increased scrutiny, but it's still a valid document," he said. "So, liberal application of a hammer can negate a lot of the possible" problems.

But doing willful damage to the passport is a crime, one attendee pointed out. "I fell, really hard," RenderMan deadpanned.

RFID used in transit and building access badges has also been proven to be insecure, allowing someone to use an RFID reader to copy data off the card and make a clone of it, he said.

A security flaw in the Mifare Classic chip used in transit systems is the subject of a court case in The Netherlands. The maker of the chip, NXP Semiconductors, sued to block a university from publishing details of the problems, but a court ruled on Friday that the research can be made public.

Even traditional keys are vulnerable, RenderMan said. For instance, photographs of spare keys for electronic-voting machines displayed on a Web page were used to make replicas with similar-looking keys, he said. A video demo showed how someone filed down a key from a hotel mini-bar and was able to open up the memory card slot of a Diebold voting system.

Credit: CNET News

Michael Aiello, president of DIFRwear, demonstrates at Last HOPE how easy it is to swipe the data off someone's RFID-enabled credit card, building access badge, or passport from a few feet away. DIFRwear sells wallets and cases to protect cards from data thieves.

July 18, 2008 10:28 AM PDT

Team debuts electronic-hacking how-to videos at HOPE conference

by Elinor Mills

Phillip Torrone and Limor Fried have launched a series of videos that show people how to hack electronics.

(Credit: Citizen Engineer)

NEW YORK--Want to know how to build your own cell phone charger? How about putting an old-fashioned pay phone in your home to make voice over Internet calls?

A team of do-it-yourself technology gurus is creating a video series that will show you how to hack everyday gadgets to get more--and novel--uses out of them.

Limor Fried, who owns the Adafruit Industries electronics building business, and Phillip Torrone, senior editor at Make Magazine, are calling their series "Citizen Engineer." They debuted it at the Last HOPE conference here on Friday.

The video series demonstrates how to create the devices, from showing exactly what parts you need to how to solder them and build the final electronic item. The production is well done and the videography is creative, with shots from under a glass table and other interesting angles.

In the Citizen Engineer video series, Limor Fried explains exactly how to hack things like cell phone SIM cards and traditional pay telephones. She details exactly what parts are needed, how to solder, and all of the steps involved in creating and modifying the electronics.

(Credit: Citizen Engineer)

The first two chapters in the series show how to create a SIM card reader and how to hack a pay phone. Like most everything this team does, the videos are open source and will be available online for free.

Exploring the technology you use every day can increase and improve its uses, as well as save millions of electronic devices from piling up in landfills, Torrone said in an interview with CNET News before the session.

"Once you understand your technology, you are more likely to repair it and do something useful with it, so there's a recycling aspect to this," he said.

Upcoming subjects being considered include a GPS music player that plays songs based on your location, a GPS jammer or tracker, and wearable accessories or clothes that block security cameras by shining a special light at them, they said.

Fried offers kits for hacking all sorts of things. For instance, she has kits for creating what she calls a "Minty Boost" MP3 and cell phone charger that fits in an Altoids mint tin, as well as a jammer that blocks Wi-Fi or cell phone transmissions and fits in a cigarette pack.

She also built a SIM card reader kit that lets you see what is on a SIM card, such as deleted SMS messages and phone book entries, and other information that can be used to clone the card.

Limor Fried in front of a projection of a SIM card in the new Citizen Engineer how-to hacking video series.

(Credit: Citizen Engineer)

She also figured out how to hack a pay phone, connecting it to a computer so it can be used with Skype, modifying it so it requires quarters, or even making it so it requires a red box to simulate the sound of quarters dropping in.

The two also have a laser etching business, where they typically create designs on laptops but can also etch sushi instructions on nori. They have also worked on the TV-B-Gone device, which shuts off televisions in the area and created a stir at CES, extending the remote's reach to up to 200 feet.

Here are videos showing off some of the various hacks and tricks Torrone and Fried have worked up:

Phillip Torrone talks about how to hack a traditional pay phone, connecting it to a computer so it can be used with Skype, modifying it so it requires quarters, or even making it so it requires a red box to simulate the sound of quarters dropping in.

(Credit: Elinor Mills/CNET News)

Limor Fried shows off a homemade, open-source charger for iPods, cameras, and GPS devices.

(Credit: Elinor Mills/CNET News)

Limor Fried shows off a cell phone jammer that is designed to block Wi-Fi or cell phone transmissions and is small enough to be hidden inside a cigarette pack.

(Credit: Elinor Mills/CNET News)

July 17, 2008 7:46 PM PDT

HOPE conference highlights everyday hacking

by Elinor Mills

Updated July 18, 7:52 AM PDT with more details about live radio broadcast

(Credit: Last HOPE)

NEW YORK--From sessions on how to create fluorescent mice and crack safes to discussions on losing your privacy in a taxi and complaints about Wikipedia, the Last HOPE conference starting here Friday has something for just about everyone.

The conference is the brainchild of Emmanuel Goldstein, aka Eric Corley, who publishes the notorious 2600 magazine. Corley has seen the community grow from its early days in the 1980s, with kids going to jail for breaking into the AT&T network, to millions of regular citizens skirting the law with their digital entertainment consumption and iPhone hacking.

Last HOPE organizer, Emmanuel Goldstein, AKA Eric Corley.

(Credit: Elinor Mills)

"Basically what the hackers and phone phreakers of the past were doing, everybody is doing today," he said in an interview on Thursday. "This is the price of success; we have these fads of everybody jumping into technologies and playing with things, (but) it's also gotten more commercial."

Back in the day, the phone system was a "giant toy that people wanted to figure out. That's what hacking is all about," he said. "The interest is still there. People want to know how things work, but there's no practical reason for (phone phreaking) beyond curiosity" because of the advent of the Internet.

Meanwhile, the widespread distribution of technology has turned millions into would-be criminals. "It's a free-for-all as far as legal precedent goes," Corley said. "Something you think is completely above-board, like running a program on your own computer, can be a violation of the DMCA (Digital Millennium Copyright Act)."

The conference program makes for entertaining reading. If you've ever wondered exactly how your luggage gets so banged up after check-in then you might be interested in the session on the Bagcam, a small suitcase containing a mini-digital video recorder and pinhole camera that has documented cases of mishandling in airports around the country.

Another speaker will discuss why transporting firearms may be the best way to safeguard your valuables during flights because federal law requires passengers to lock firearm-bearing luggage.

There's a session on "biohacking"--modifying and engineering biological systems for "novel purposes," such as making fluorescent mice, therapeutic viruses, or bacteria that eat explosives or smell like bananas.

Other sessions cover how to escape high-security handcuffs and topics like cybersexuality, food hacking, postal hacking, social engineering, culture jamming, and hacking the price of food by forming urban communities. Several sessions deal with building hacker collectives, including one by a group whose space is tricked out with drink-serving robots.

One talk is titled "From Black Hat to a Black Suit--How to Climb the Corporate Security Ladder Without Losing your Soul," and another speaker will talk about using the Death Star as a model for assessing security threats. Another session will cover technologies used in modern New York taxis, including GPS tracking, SMS messaging, and touch-screen kiosks, and explore the privacy and security concerns they raise.

Keynote speeches are being given by the likes of convicted hacker Kevin Mitnick, former Dead Kennedys singer and songwriter Jello Biafra, and author Steven Levy.

The Last HOPE conference badges come with an RFID chip for tracking participants, if they choose.

(Credit: Last HOPE)

There also will be live radio broadcasting from the event. The programming is expected to include houseplants hooked up to live computer visuals and music, a "mutant trumpet" that is half analog and half digital, an animated Wii-controlled digital art sketchpad, a robotic drummer, and digital gloves for gestural DJing.

The badges also have RFID chips that will be tracking attendees' movements for interactive games.

The event, the seventh since 1994, is being held in the 90-year-old Hotel Pennsylvania across from Penn Station. A move to demolish the slightly rundown hotel (the halls seriously remind me of the hotel in The Shining) appears to be in limbo, but the prospect inspired the name change this year to "Last HOPE."

Corley has placed symbolic black coffins in the registration area and suggested people donate flowers instead of monetary contributions to the event. The cover of the program features artwork of a boy holding the hand of a scythe-carrying Death and walking toward the Hotel Pennsylvania.

"When all is said and done...is it not all too clear that we are all in fact The Last HOPE for the future?" the intro to the program says, before dismissing that as a "pretentious notion."
