Security

NEW YORK--I feel much less secure after attending the Last HOPE conference this weekend.

Not only is my personal information at risk every time I log onto the Internet and use a cell phone headset or passport, but even my gym locker, bike, and home can easily be accessed with the proper tools and manual dexterity.

Tools of the lock picking trade.

(Credit: Elinor Mills/CNET News)

In the popular Lockpicking Village area at Last HOPE (Hackers on Planet), I watched guys twirl little pins in all types of locking devices. For some, it took less than a minute to get the locks to snap open. One lock picker even showed how to open an ordinary padlock with just a piece of aluminum from a beer can. (See video demo below.)

If I'm worried, how do they feel at the Pentagon and the White House?

Medeco, the lock that secures the doors in those two places and at high-security agencies around the world, had been un-crackable for 40 years--until last year. And now there's a book about the lock's shortcomings called Open in Thirty Seconds.

Marc Weber Tobias, co-author of Open in Thirty Seconds gets freed from a pair of prison transport handcuffs without a key.

(Credit: Elinor Mills/CNET News)

"This is all about liability and responsible disclosure," said Marc Weber Tobias, a co-author on the book. "People need to know they are vulnerable, and the manufacturer says it can't be done."

The book doesn't reveal the codes needed to open the locks, he noted.

"The goal is to help people understand how we did it," said Tobias, who has a physical security consultancy called Security.org. "As a lawyer, I believe in full disclosure and I believe manufacturers ought to disclose the vulnerabilities in their products."

Like with software vulnerabilities, manufacturers don't want to acknowledge security flaws, he said. But the difference between software and old-fashioned hardware is that software can be easily upgraded over the Internet while locks must be replaced.

Below is a video that demonstrates just how easy it is to pick a deadbolt lock. "Steve," a member of the Toool Open Organisation of Lockpickers, uses a small tension wrench to hold the pins in place while he jiggles a lock pick tool to set the pins to "open."

Below in this video, "Deviant" shows how to pick an ordinary combination padlock by shimmying the shackle open with a small, folded piece of aluminum or metal.

NEW YORK--The typical image of a hacker is a kid hunched over his keyboard in the wee hours of the night staring at commands on his computer screen that unlock the secrets of the national government.

But, according to someone who knows better, the woman sitting next to you in the airport or Starbucks fiddling with her digital camera while you work on your company's confidential sales data could be just as dangerous.

Security researcher Johnny Long speaks at Last HOPE.

(Credit: Elinor Mills)

One of the more fascinating talks at the Last HOPE hacker conference this weekend was by Johnny Long, a security researcher who hacks, writes books on hacking, and founded Hackers for Charity, which helps children and others in underdeveloped countries.

On Sunday evening, he told about an epiphany he had when he and a friend were thwarted in their attempts to get into a highly secured building. Long was ready to give up. But his friend had another plan. He got a coat hanger and a rag and proceeded to break the window in the door. He then reached in with the straightened coat hanger and the door opened up.

"What he had done was defeat this multimillion-dollar security system with trash," Long said. "The touch bar doesn't know the difference between a wet wash cloth and a hand."

The message? "There's a lot of room for...solving problems in simple ways," he said.

Some of those simple ways to get access to supposedly secured systems, such as buildings or computer networks, without using technology include: shoulder surfing, which is viewing exposed information on computer screens; dumpster diving; and if you can't get in the front door, trying the smoker entrance where you'll be less likely to be interrogated.

Long showed photos of laptop screens he had managed to photograph in airports and other public places where executives and military officials were casually but unwittingly revealing confidential and sensitive information to anyone within a few feet. It's clear--nobody tries to hide what buttons they are pushing on pass code secured doors, even at the airport's TSA room, based on his ample photographic evidence.

You have to wonder, if Long could snoop so easily, what data can someone who is really targeting a source get at.

He showed photos of ATM, grocery store check-out and other public kiosks with error messages or in some other state that they could be easily compromised.

Long also talked about how easy it is to "sniff" a hotel's billing and room entertainment network over the cable system and view other peoples' room charges and activities, such as porn surfing, logging into banking accounts, and e-mail communications.

Then there are what he called the "Jedi wave" and "fed blend" techniques of getting past security guards and mingling with federal officials by wearing a fake badge and just acting like you belong.

Blending in is the key to getting access, he said. Wearing a uniform will get you in anywhere, and telephone repair, FedEx delivery, and other uniforms are readily available on eBay and other sites.

NEW YORK--Kevin Mitnick knows that the weakest link in any security system is the person holding the information.

As a young fugitive hacker, he went to jail for breaking into computer networks, mostly by using his cunning and persuasion than his tech skills. He was an early master of the science of social engineering--manipulating people into doing what you want, such as giving out passwords and other information that unlocks sensitive information on networks.

Kevin Mitnick takes the stage at the Last HOPE conference.

(Credit: Elinor Mills)

Mitnick and a panel of other hackers discussed their social engineering pranks and gave live demonstrations at the Live HOPE (Hackers on Planet Earth) conference late on Saturday.

"Everything happened more than five years ago" and the statute of limitations has passed, he said. "I never said I didn't deserve to be punished, but it really went overboard putting me in solitary confinement" for eight months.

Mitnick, who was released in 2001 after serving five years in jail, announced that he has a contract to write his life story and showed a preview for a reality-based TV series in development in which he would test corporate networks by trying to break into them. As part of his plea agreement, he was banned from writing a tell-all until 2007. He also runs a security consulting firm and lectures.

Dubbed the "most dangerous hacker in the world," Mitnick was put in solitary confinement and prevented from using a phone after law enforcement officials convinced a judge that he had the ability to start a nuclear war by whistling into a pay phone, he said.

Mitnick didn't do any whistling on Saturday, but in his keynote following the panel he talked about how he listened in on FBI phone calls during the three years he evaded the FBI, left them doughnuts when he narrowly escaped raids and was chased down by a helicopter. He also demonstrated how to be able to see the phone numbers of callers on caller ID even when they have their number set to be blocked.

Below are some videos taken during the panel:

Mitnick and HOPE organizer Emmanuel Goldstein swap stories about using social engineering to get IDs and directories out of workers at telephone central offices.

Mitnick tells attendees at the Last HOPE conference about how he used social engineering on workers at a Hollywood telephone company central office in the middle of the night.

Goldstein does a live phone prank on a Starbucks employee offering aid for laid off employees from the fictional "Last HOPE Foundation" during a social-engineering panel at Last HOPE.

NEW YORK--Using a laptop, cell phone headset, building access badge, credit cards, or even a passport can make you a walking target for data thieves and other criminals, a security expert warned at the Last HOPE hacker conference here late Friday.

Security expert RenderMan discusses the insecurity of RFID chips, Bluetooth headsets and laptops using Wi-Fi at the Last HOPE hacker conference.

(Credit: Elinor Mills/CNET News)

In a frightening but entertaining session entitled "How do I Pwn Thee? Let me Count the Ways" (pwn is hacker speak for "own" or control), a hacker who goes by the alias "RenderMan" explained how most people are at risk and don't even know it.

By now most people probably know they should be careful using Wi-Fi networks, especially public hotspots that don't encrypt data transmissions and where network access points can be spoofed. These issues leave Web surfers at risk of having their data stolen, receiving fake Web pages and other information, and having their computers completely taken over, he said.

Even airplane passengers who either ignore stewardess requests to disable Wi-Fi or don't know how to turn it off are not immune to attacks from others in the airplane, he added.

RenderMan suggests that people disable Wi-Fi when it is not in use and use VPNs and firewall software.

Bluetooth headset users are at risk because of a security hole in the technology and default PINs that don't get changed, he said. Exploiting vulnerabilities someone can break in and steal data from the phones, make calls without the cell phone owner knowing, listen in on and break into conversations, and even spy on people by turning the device into a bug.

He advises that people change the default password, disable the Bluetooth on the phones, turn off the headsets when not in use, and limit access to the data and features when communicating with other Bluetooth devices.

Many people don't realize that new U.S. passports have RFID technology with weak encryption that makes the data on the chip easy to read with the proper reader device. (See related video below).

The U.S. government attempted to mitigate the privacy threat by putting a metal foil layer on the front and back cover of the passports, but the stiffness of the foil pops the passport open as much as an inch, wide enough for RFID readers to snatch the data, RenderMan said, showing a video to demonstrate this.

"There is no rule that says that if the chip doesn't work, they will refuse you access to the border. You will get increased scrutiny, but it's still a valid document," he said. "So, liberal application of a hammer can negate a lot of the possible" problems.

But doing willful damage to the passport is a crime, one attendee pointed out. "I fell, really hard," RenderMan deadpanned.

RFID used in transit and building access badges has also been proven to be insecure, allowing someone to use an RFID reader to copy data off the card and make a clone of it, he said.

A security flaw in the Mifare Classic Chip used in transit systems is the subject of a court case in The Netherlands. The maker of the chip, NXP Semiconductors, sued to block a university from publishing details of the problems, but a court ruled on Friday that the research can be made public.

Even traditional keys are vulnerable, RenderMan said. For instance, photographs of spare keys for electronic-voting machines displayed on a Web page were used to make replicas with similar-looking keys, he said. A video demo showed how someone filed down a key from a hotel mini-bar and was able to open up the memory card slot of a Diebold voting system.