(Credit:
U.S. Department of Justice)
A group of Eastern Europeans was charged with hacking into the network of payment processor RBS WorldPay and using counterfeit debit cards at ATMs around the world to steal more than $9 million, the U.S. Justice Department said on Tuesday.
Four of the defendants allegedly collaborated to break into the RBS WorldPay network on November 4, 2008, where they got access to the account numbers for prepaid payroll cards used by employees to withdraw salaries from ATMs, according to the indictment from a federal grand jury in Atlanta. The defendants allegedly reverse-engineered the PINs associated with the accounts from the encrypted data on the network.
The defendants then allegedly raised the account limits on the compromised accounts and provided a network of "cashers" with 44 fake debit cards, according to the Justice Department. The cards allegedly were used November 8, 2008, to withdraw money from more than 2,100 ATMs in at least 280 cities, including in North America, Russia, Ukraine, Estonia, Italy, Hong Kong and Japan, in less than 12 hours.
The cashers were allegedly allowed to keep 30 percent to 50 percent of the stolen money and sent the remainder back to the hackers, according to the 16-count indictment.
"Last November, in just one day, an American credit card processor was hacked in perhaps the most sophisticated and organized computer fraud attack ever conducted," acting U.S. Attorney Sally Quillian Yates of the Northern District of Georgia said in a statement. "Today, almost exactly one year later, the leaders of this attack have been charged. This investigation has broken the back of one of the most sophisticated computer hacking rings in the world."
Indicted on charges of conspiracy, wire fraud, computer fraud, access device fraud, and identity theft charges were: Sergei Tsurikov, 25, of Tallinn, Estonia; Viktor Pleshchuk, 28, of St. Petersburg, Russia; Oleg Covelin, 28, of Chisinau, Moldova; and an unidentified defendant known only as "Hacker 3."
The alleged cashers, indicted for access device fraud, are all from Tallinn, Estonia. They are: Igor Grudijev, 31, Ronald Tsoi, 31, Evelin Tsoi, 20, and Mihhail Jevgenov, 33.
Tsurikov, the Tsois and Jevgenov were arrested earlier this year and Tsurikov faces extradition to the U.S., officials said. Two people in Hong Kong have been arrested for allegedly withdrawing funds from ATMs there.
RBS WorldPay, part of Royal Bank of Scotland, is based in Atlanta.
A hacker in the Netherlands broke into some jailbroken iPhones and sent text messages to the owners asking them to pay to find out how to secure their phones, according to postings in a Dutch forum called Tweakers.net.
One of the victims posted a screenshot from his iPhone of the SMS received. It said: "Your iPhone's been hacked because it's really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files."
The URL provided now displays a message indicating that it was reported for spam or phishing abuse and has been deactivated.
Ars Technica reports that before the page was removed, it asked that victims send 5 euros ($7.36) to a PayPal account and then await an e-mail with instructions on how to secure the phone. The fix probably would involve restoring the factory settings, according to the Ars Technica post.
"If you don't pay, it's fine by me," the hacker's page said. "But remember, the way I got access to your iPhone can be used by thousands of others--they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It's just my advice to secure your phone."
... Read more
A 28-year-old Miami man who made millions breaking into computer networks and stealing credit card numbers pleaded guilty on Friday and agreed to forfeit more than $2.7 million in restitution, as well as a condo, jewelry, and a car.
Albert Gonzalez, a former federal government informant and the alleged ringleader of one of the largest known identity theft cases in U.S. history, pleaded guilty () to 19 counts of conspiracy, computer fraud, wire fraud, access device fraud, and aggravated identity theft related to theft of credit and debit card data from TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, among other retailers.
Gonzalez, along with 10 others from the U.S., Eastern Europe, and China, were accused in August 2008 of breaking into retail credit card payment systems using wardriving (searching for unsecured wireless networks while driving by with a laptop), and installing sniffer programs to capture data.
He also pleaded guilty to one count of conspiracy to commit wire fraud related to hacks into the network of the Dave & Buster's restaurant chain. He was indicted on that charge in New York in May 2008.
Gonzalez still faces charges in New Jersey of conspiring to steal credit card numbers from Heartland Payment Systems, 7-Eleven, and supermarket chain Hannaford Brothers following an indictment handed down against him and two unnamed Russians last month.
Gonzalez and his alleged co-conspirators sold the numbers to others and encoded the data onto magnetic stripes of blank cards and used the new cards to withdraw tens of thousands of dollars at a time from ATMs, according to the indictments. They concealed and laundered their proceeds by using anonymous Internet-based currencies within the U.S. and abroad, and by channeling money through bank accounts in Eastern Europe, court documents indicate.
Under the terms of the plea agreements, Gonzalez faces up to 25 years in prison for the Boston charges and up to 20 years on the New York charges and will serve the terms concurrently. He also faces fines of at least $500,000.
As for restitution, Gonzalez has agreed to forfeit his Miami condo, a 2006 BMW 330i, a Tiffany diamond ring, Rolex watches, and more than $1 million in cash that was buried in his back yard.
Sentencing is scheduled for December 8. Gonzalez' attorney, Rene Palomino, did not immediately respond to a request for comment.
Albert Gonzalez, the alleged ringleader of one of the largest known identity theft cases in U.S. history, has agreed to plead guilty to all 19 counts of related charges against him, according to court documents filed Friday.
Gonzalez, 28, of Miami, was accused in August 2008 of helping steal millions of credit card and debit card numbers from major U.S. retail chains. Among the retailers hacked were TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever21, and DSW.
Under the plea agreement filed with the U.S. Attorneys Office in Boston, Gonzalez would serve a sentence of 15 to 25 years after pleading guilty by September 11 to charges of conspiracy, wire fraud, aggravated identity theft, and money laundering (PDF).
Gonzalez, who is already in jail, would also have to forfeit a range of possessions, such as almost $3 million in cash, his Miami condominium, a 2006 BMW, several computers, and three Rolex watches.
The agreement also resolves 2008 charges pending against Gonzalez in federal court in New York for hacking the computer network of Dave & Buster's restaurant chain.
A former federal government informant, Gonzalez was also recently indicted in New Jersey, along with two unnamed Russian men, on charges of hacking into Heartland Payment Systems, as well as systems for 7-Eleven, the Hannaford Brothers supermarket chain, and two unnamed corporate victims. They also allegedly stole data related to more than 130 million credit and debit cards. This is considered to be one of the biggest data breach cases in U.S. history.
Rene Palomino, who is listed as Gonzalez's attorney within Friday's plea agreement, did not immediately return a call seeking comment.
Joe "Kingpin" Grand, the designer of the Defcon badges, wearing one of the highly coveted Uber badges that winners of certain contests are awarded that grants life-time access to Defcon. The art on the badge is by Eddie Mize.
(Credit: Eddie Mize)Most badges from conferences and trade shows end up in the trash. Not so the badges from the Defcon security show, which are stylized, mysterious, and highly customized electronics equipment designed to be hacked.
Instead, they end up as collector's items. Bidding on eBay for a Defcon 17 badge from last weekend had reached $81 on Tuesday with three days to go, while a 2007 badge was at $33.99.
The Defcon badges and badge hacking contest, both highly anticipated at the conference each summer, not only give the hackers a mental challenge to figure out what the devices are capable of doing, but they serve as tools for participants to demonstrate their talent at coming up with innovative hacks.
"Each year we push the limits of printed circuit board design techniques and try to show off devices and technologies attendees might not have seen before," Joe "Kingpin" Grand, who has designed the Defcon badges for the past four years, said in an interview on Tuesday. "We are doing things on circuit boards now that clearly have never been done before."
This year's badge was the most sophisticated yet. It doesn't just have a circuit board on it; it is the circuit board. It runs on a 3-volt battery and has a built-in microphone and a multicolored LED (red, green and blue) that reacts to sound by changing color and brightness and by blinking.
The microphone picks up noises, such as conversation and music, and the LED pulses to it. The LED will even flash "SOS" in Morse code when the sound is extremely loud for a period of time--an eardrum protection feature that would surely be useful at the Defcon parties where loud Techno music is the standard.
The badge also has a battery-saving feature and goes to sleep if the environment is quiet, waking occasionally to listen for sound before hibernating some more if it remains still.
The microphone is not a recording device (as some suspected), but the badge can be modified to capture sound for playback. One hacker did just that by attaching an SD (Secure Digital) card reader to the back and modifying the code so it would store the microphone input, Grand said. That effectively turned the badge into a bug that could be used to eavesdrop on unsuspecting bystanders.
The design is slick and aesthetically pleasing and the badge itself is thin, light, and not bulky. The front has multiple layers of silk screen graphics.
There are seven different types of badge for the different participants: Human, Press, Speaker, Vendor, Contests, Goon (security) and Uber, which is a highly coveted badge that winners of certain contests receive, giving them lifetime access to Defcon. Each type of badge has its own shape. Like a puzzle, they form an image when assembled all together.
Soldering wires to pins and pads
Grand, whose Grand Idea Studio develops and licenses electronic products, chose an MC56F8006 Digital Signal Controller manufactured by Motorola spin-off Freescale for the processing. He surrounded the chip with test points that provide access to interfaces on the chip.
Hackers can wire three of the test points to the corresponding test points on other badges enabling a multi-badge communications interface for creating a network of badges that can blink in unison. If any badges are connected, the Human badge becomes the master and controls the LED output of all of them.
The Defcon 17 press badge hides some nifty features.
(Credit: James Martin/CNET News)The badges, which were manufactured in China and held up in U.S. Customs until shortly before the show started on Friday, include a Static Serial Bootloader that allow attendees to load on their own programs and firmware. All it requires is a simple connection to a PC and a terminal program, like HyperTerminal, to upload custom code, Grand said.
He designed in some hidden features, as well. For instance, if a certain frequency of high-pitched sound--a 1,000 Hertz sine wave generated from a computer or iPhone, say-- is emitted near the microphone, the badge will blink a secret in Morse code. The message is the URL for a formerly secret Web site that has additional information on the badges.
While this year's badge was designed as a sound-activated LED gadget, last year's badge functioned as a TVBGone, able to remotely turn TVs off, as well as a file sharing device. They had an SD memory card so that badge holders could transmit files and receive them from other badges over infrared. In 2007, the LEDs scrolled a programmable message on the badge.
With the contest, Grand and other judges, including Defcon founder Jeff Moss, are looking for the most creative, unique or mischievous badge hacks and modifications that weren't intended.
The first place winner of the Defcon badge hacking contest went to Zoz Brooks, who has a Ph.D in electrical engineering and computer science from MIT and was one of Grand's co-stars on the Discovery Channel TV series "Prototype This."
Brooks modified a hat into an anti-surveillance device by wiring up the brim with LEDs. When you turn on a device controlled by the badge all the lights blink at a certain frequency that generates enough optical noise to defeat facial recognition systems.
For the second part of his project, Brooks modified a badge from last year's Defcon to create a device that can help someone escape detection by infrared motion detection sensors that are temperature sensitive. He added a temperature sensor to the badge that indicates when the room is warm enough for someone to start moving so as not to trigger the motion sensor. A motor on the badge controls two foot-shaped pieces of plastic so that they move at the pace needed to evade detection--two inches per second, giving an indication of how slow someone's feet need to move.
The second place winner of the Defcon badge hacking contest went to a group that created what they called a "Sound-Fearing Blimp." They wrote custom software for the badges and hung three of them to the bottom of a toy blimp. Each badge measured the sound level coming from its microphone and set the speed of its individual drive motor accordingly, steering the blimp away from areas with greater noise levels. The badges were connected together to communicate between themselves.
Third place went to "Solder Guy," who added a speaker and keypad and turned the badge into a multi-function dialer that in the vein of classic phone phreaking could be used for making free long distance calls as a blue box. "He didn't demonstrate that part because technically it would be illegal," Grand said.
One of the more unusual of the 23 contest submissions was a badge as polygraph device. It used galvanic skin response and measured the heart rate to try to determine whether an individual was answering honestly or not to questions posed.
"It didn't place, but it was neat," Grand said. "They tested it on me (with only about five questions)...and it seemed to work. It was convincing."
Hacking the Defcon badges
Defcon badges, designed to be hacked, get turned into a polygraph, blue box dialer, sound sensitive blimp navigator and a device for defeating facial recognition systems.• Photos: Defcon badge inspires hacks
(Posted in InSecurity Complex by Elinor Mills)
August 5, 2009 4:00 AM PDT
Hanging with hackers can make you paranoid
Compromised ATMs, virus-infected USB drives, badges with built-in microphones and security experts getting hacked--no wonder it's scary going to Black Hat and Defcon.• Defcon: What to leave at home and other do's and don'ts
(Posted in InSecurity Complex by Elinor Mills)
August 4, 2009 4:00 AM PDT
Using software updates to spread malware
Researchers warn that attackers could put malware on machines by intercepting software updates on Wi-Fi networks.(Posted in InSecurity Complex by Elinor Mills)
August 1, 2009 4:17 PM PDT
Researchers offer tools for eavesdropping, video hijacking
UCSniff can be used to spy on video conference calls while VideoJak allows for hijacking of video streams.(Posted in InSecurity Complex by Elinor Mills)
July 31, 2009 5:51 PM PDT
Apple fixes iPhone SMS flaw
Vulnerability in iPhone software allowed hackers to take control of the device via an SMS message, as demonstrated at Black Hat.• Apple cautions iPhone users about jailbreaking
(Posted in Security by Jim Dalrymple)
July 31, 2009 11:50 AM PDT
An SMS can force a URL or app on smartphones
The onslaught of SMS attacks continues at Black Hat with the third of a handful of mobile-related talks.(Posted in InSecurity Complex by Elinor Mills)
July 30, 2009 7:28 PM PDT
Hackers claim to bypass S.F. e-parking meters
A trio of programmers and engineers say they can bypass the security mechanisms of the city's electronic parking meters and create "prepaid" cards with a value of $999.99.(Posted in Security by Declan McCullagh)
July 30, 2009 2:15 PM PDT
Researchers can attack mobile phones via spoofed SMS messages
Phones that support MMS on GSM networks are vulnerable to new SMS spoofing attacks, researchers say at Black Hat.(Posted in InSecurity Complex by Elinor Mills)
July 30, 2009 1:53 PM PDT
Flaws in domain name verification uncovered
Dan Kaminsky and Moxie Marlinspike explain how flaws in the way domain names are verified on the Internet could allow attackers to impersonate a site and steal information from unsuspecting Web surfers.(Posted in InSecurity Complex by Elinor Mills)
July 30, 2009 1:14 AM PDT
Researchers attack my iPhone via SMS
Two security researchers prove to a reporter during Black Hat that they can indeed "Pwn" her iPhone by just sending a text message.(Posted in InSecurity Complex by Elinor Mills)
July 29, 2009 8:51 PM PDT
Ex-Google CIO breaks his own security rules
Douglas Merrill talks about being CIO at Google and an exec at EMI, and how more companies need to foster innovation, letting employees use Google Calendar if they want.(Posted in InSecurity Complex by Elinor Mills)
July 29, 2009 5:11 PM PDT
Security experts' sites hacked on eve of conference
Attackers post e-mails, passwords, and other sensitive data stolen from security experts and others on hacked site of Dan Kaminsky.(Posted in InSecurity Complex by Elinor Mills)
July 29, 2009 3:13 PM PDT
Clampi Trojan stealing online bank data
Security researcher warns that two-year-old Trojan has infected hundreds of thousands of PCs and is stealing log-in credentials when victims log into bank and other Web sites.• Spam and malware at all-time highs
• Report finds fake antivirus on the rise
(Posted in InSecurity Complex by Elinor Mills)
July 29, 2009 11:30 AM PDT
Microsoft offers patches to ward off ActiveX attacks
In rare out-of-cycle security update, Microsoft fixes hole that put IE users at risk of attacks via ActiveX and other controls.• Single misplaced '&' caused latest IE exploit
(Posted in InSecurity Complex by Elinor Mills)
July 28, 2009 11:04 AM PDT
Microsoft says security programs are paying off
Company releases progress report on three programs launched a year ago to identify security holes and patch them faster.(Posted in InSecurity Complex by Elinor Mills)
July 27, 2009 1:17 PM PDT
From iPhones to smart grids at Black Hat, Defcon
Security pros to swap data on hacking everything from phones to critical infrastructure at Black Hat and its less corporate sister show Defcon, where geek games and mayhem rule.(Posted in InSecurity Complex by Elinor Mills)
July 27, 2009 4:00 AM PDT
HP researchers develop browser-based darknet
Darknets, encrypted peer-to-peer networks, are normally difficult to set up and maintain. But two researchers plan to demonstrate a less complicated one at Black Hat.(Posted in Security by Tom Espiner)
July 25, 2009 3:58 PM PDT
Researchers to offer tool for breaking into Oracle databases
Free tools for breaking into Oracle databases will be released at Black Hat and Defcon next week.(Posted in InSecurity Complex by Elinor Mills)
July 23, 2009 12:04 PM PDT
previous coverage
ATM vendor gets security talk pulled from conferences
Juniper Networks cancels researcher's talk at Black Hat and Defcon about ATM insecurities after a vendor complains.(Posted in InSecurity Complex by Elinor Mills)
July 1, 2009 12:30 PM PDT
Hacker named to Homeland Security Advisory Council
Hacker and Defcon founder Jeff Moss joins former FBI, CIA directors on Homeland Security Advisory Council.(Posted in InSecurity Complex by Elinor Mills)
June 5, 2009 5:27 PM PDT
Hackers launched a distributed denial-of-service (DDOS) attack that sporadically downed popular blog network Gawker Media over the weekend and on Monday, the company confirmed in a blog post early Tuesday morning.
When CNET News spoke to Gawker Media representatives on Monday, they were not yet sure what was causing the outages but had not ruled out malicious behavior.
The attacks appear to have been launched at Consumerist, a blog that Gawker sold to Consumer Reports last year but which is still hosted on the same servers. The motivation behind them is not yet clear.
The New York-based Gawker Media has sold or merged a number of its blog titles over the past few years, but it remains the parent company of several extremely high-profile blogs--often with an edgy gossip angle--like Gizmodo, Jezebel, and the eponymous Gawker.com.
DDOS attacks occur when hackers swamp a site with excess pings from multiple sources to bring it down; they can knock out entire hosting companies.
At a hacker conference no one is safe.
When I first went to Defcon in 1995, the halls were mobbed with teenagers and attendees seemed more concerned with freeing Kevin Mitnick and seeing strippers than hacking each others' computers.
Jump forward to Defcon 17 this year, which was held over the weekend in Las Vegas, things certainly have changed. The attendees are older and wiser and employed, most of the feds aren't in stealth mode, and even the most savvy of hackers is justifiably paranoid.
The Riviera Hotel room key customized for Defcon attendees. What else does it do?
(Credit: James Martin/CNET News)The evolving demographic of Defcon attendees shows that the hacker community, like all of us, is aging. But it's also a reflection of how the threat landscape has changed. Web site defacements have given way to much more serious risks like financial fraud and unaddressed critical infrastructure weaknesses. It's a cornucopia of phishing e-mails, cross-site scripting attacks that poke holes in trusted Web sites, and criminals harvesting credit card numbers and selling them on the underground equivalent of eBay with guarantees of service and support.
Defcon and Black Hat, the pricier and more corporate sister confab held the two days preceding Defcon ($120 for Defcon registration versus $1,395 to $2,095 for phased registration at Black Hat), offer a forum for researchers to share information about vulnerabilities they find in software, hardware and systems.
Targeted this year were everything from the iPhone and surveillance video feeds to e-parking meters and security underlying the Domain Name System.
Vendors and users weren't the only ones who need worry. Attendees had plenty to fear and security experts themselves weren't spared.
On July 27, Web sites belonging to a handful of security researchers and groups were hacked and passwords, private e-mails, IM chats, and potentially sensitive documents were exposed on the vandalized site of security golden boy Dan Kaminsky. (Mitnick, whose jailing in the '90s for computer crimes made him a cause celebre at "Free Kevin" benefits at Defcon at the time, was among those attacked.)
There were more widespread threats at the shows, too. Anyone using the Wi-Fi networks at the events had better be careful lest they get their password sniffed and posted on the Wall of Sheep. Then there was the USB thumb drive that was passed around among attendees of Black Hat that was found to be infected with the Conficker virus.
Reporters who aren't nearly as geeky as the sources they interview are always easy prey. One reporter was concerned about being hacked via the local area network in the press room after a rare Blue Screen of Death crashed his laptop.
Last year, three French men were expelled for sniffing the press room LAN at Black Hat. They said they had obtained eWeek's and CNET's passwords but failed to prove the CNET allegation.
This year, three South Koreans registered as press were ejected for asking questions that led organizers to believe they were on an intelligence-gathering mission instead of merely reporting, according to the IDG News Service.
I had a panic of my own at Defcon this year. I was connected to the Internet using an EVDO wireless card and a virtual private network and was startled a short while later when a Web page opened up out of the blue and I noticed the VPN was disconnected. Granted it looked like a legitimate page for my wireless carrier, but not wanting to take any chances I immediately logged off.
(See "Defcon: What to leave at home and other do's and don'ts" for tips on how to best protect yourself.)
Unfortunately, I had neglected to disable the Wi-Fi on the laptop. Because Windows XP event logging is lacking, it's not clear whether someone may have spoofed the name of a wireless network the laptop is configured to automatically connect to. Time to call the help desk.
At least I didn't use any automatic teller machines at the hotel. Defcon organizers confirmed on Monday that a fake ATM was discovered in a lobby of the Riviera Hotel where the event was held, right near the hotel security office. The ruse was up after someone looked through the camera hole using a flashlight and saw a PC inside.
Meanwhile, Chris Paget, a security expert who works at Google, reported on Twitter that he lost $200 from a compromised ATM at the Rio Hotel over the weekend. There are multiple Diebold ATMs with the skimmers inside at the Rio casino, he tweeted, later adding: "Secret Service just called back. They're taking it seriously, reading between the lines it seem(s) like there's more going on here."
There is no evidence that the fake Riviera ATM was planted by anyone at Defcon, and in all likelihood the hacked Rio ATM was not associated with the hacker show.
However, a small group of Defcon attendees was seen hacking into an ATM at the Artisan hotel where a "Ninja" party was being held on Saturday night and it appeared they had the ATM in administrator mode and were trying to change settings, several sources said.
Heightening the paranoia at Defcon was the report from event organizers on Saturday that there was a confirmed Trojan on the CD the conference hands out to all attendees. The report turned out to be false.
Also arousing suspicion were the Defcon badges, which featured a built-in microphone, LED, digital signal processor, and custom circuit boards designed to be hacked as part of a contest. I prudently popped the battery out of my badge after discussing the microphone capability with another journalist. Some attendees chose not to wear the badges at all, even without the battery, tucking them in satchels and digging them out every time they needed to display them.
As it does every year, Defcon also had its share of stupid attendee tricks--one arrest reportedly for carrying a concealed weapon and another for bungee jumping off the hotel roof.
But those are par for the course when you mix booze and rebellious youth trying to out-impress each other. It was the other stuff--the hacking and viruses and sniffing--that made me and others at the show jumpy.
Security guru Bruce Schneier, however, brushed it off as the mere cost of doing business.
"This is the way hackers play," he said. "This is the experimental battlefield. It's not bad; it is just what it is. Defcon has an important place in computer security."
Updated 12:54 p.m. PDT with information on Defcon attendees trying to hack ATM, and at 11:00 a.m. with this: Apparently, some feds at Defcon got a scare of their own. As part of a security awareness project, researchers set up an RFID reader connected to a Web camera that sniffed data from RFID-enabled cards in bags and pockets as people walked by and snapped a photo of the person in possession of the card, Kim Zetter at Wired.com reports. At risk of exposure was information on government access cards and badges agents tend to carry, as well as data stored on RFID-enabled cards that accompanied badges for Black Hat. After federal agents speaking at a panel were informed of the project, the data collected was destroyed.
Attending Defcon and Black Hat can make you feel a bit like a deer in a forest full of hunters.
The iPhone, love it, but leave it at home when going to Defcon, experts say.
(Credit: CNET )With virus-infected USB drives, Wifi network sniffing, badges with built-in microphones and even security experts getting hacked, it seems like it's only a matter of time until your number comes up if you're not careful.
I asked some security experts for suggestions on what they do to protect themselves at the events and here is what they said.
Do's:
• Have minimal software on your laptop, such as only the operating system and necessary applications.
• Make a backup of your computer before you leave for the conference and then wipe everything and reinstall when you get home.
• Disable Bluetooth and Wi-Fi on all devices.
• Use an EVDO wireless card.
• Only connect to the Internet when you must.
• Use a virtual private network and--if you can--use RSA ID authentication and stop all direct connections to the computer.
• Run Linux off a USB key, back up documents online, and start with a fresh operating system every day.
• In addition to using updated security, application, and system software (antivirus in particular) and installing patches, use an operating system-level firewall.
An EVDO modem, such as the one pictured, should be the only gateway to the Internet used at a hacker conference.
(Credit: Verizon)• Use a disposable camera and a pre-paid cell phone.
• Lock up your equipment in your hotel room when you are going to be gone.
• Take the drives with you when you leave the laptop in the hotel room.
• Ask to be listed as a non-registered guest at the hotel so people can't get your room number or acknowledgement that you are staying at the hotel.
Don'ts:
• Don't plug into any Ethernet jacks.
• Stay off the Wi-Fi networks at the airport and the events.
• Don't use the ATMs in the vicinity of the conferences.
What to leave at home:
• Your laptop and smart phone. You can't be attacked if you don't bring your equipment. If you must bring it, consider leaving it in the hotel room.
Gary McKinnon has lost his high court bid in the U.K. to avoid extradition to the U.S. for hacking into military systems.
McKinnon had tried to argue that former home secretary, Jacqui Smith, was legally wrong to push for the extradition despite his diagnosis of Asperger's syndrome and that the director of public prosecutions was also wrong to opt for extradition despite having sufficient evidence to prosecute McKinnon in the U.K.
Gary McKinnon
(Credit: ZDNet UK)However, Lord Justice Stanley Burnton and Justice Alan Wilkie dismissed both claims on Friday. McKinnon now has 28 days to launch an appeal at the Royal Courts of Justice. According to his solicitor, Karen Todner, McKinnon and his legal team will also appeal to the Law Lords, and Todner has made a fresh approach to President Obama.
"I have today sent a letter to President Barack Obama signed by 40 members of a cross parliamentary group of MPs asking him to step in to bring this shameful episode to an end," Todner said in a statement on Friday. "It is a sad state of affairs if this government cannot protect our most vulnerable of citizens."
In her statement, Todner also referred to the judges' decision as "inhumane" and "an affront to British justice."
The decision comes almost seven years after McKinnon, from North London, was indicted by the U.S. Department of Justice in November 2002. He was charged with intentionally damaging a federal computer system, and with breaking into 97 computers belonging to the U.S. Army, U.S. Navy, U.S. Air Force, U.S. Department of Defense, and NASA.
McKinnon has never denied the hacks, although his legal team has disputed the cost of the damage he allegedly caused--around $700,000, according to U.S. authorities. The Londoner said he had been looking for suppressed evidence of extraterrestrial life and pointed out the poor security that had been applied to the affected systems.
The case has had ramifications beyond the hacks themselves, as it has drawn attention to the extradition treaty that exists between the U.K. and the U.S. The U.S. can demand a suspect be extradited from the U.K. without providing prima facie evidence, which McKinnon's defense team have argued is not reciprocal.
McKinnon has also been diagnosed by the autism expert Simon Baron-Cohen with Asperger's syndrome, a disorder on the autism spectrum.
If he is convicted in the U.S., McKinnon faces up to 70 years in a maximum security federal prison. Legal team has argued that, given his condition, the situation would put him at risk of psychosis or even suicide.
Politicians and celebrities have rallied behind McKinnon, arguing that he should serve any potential sentence in the U.K., rather than in the U.S.
Correction at 8:25 a.m. PDT: The details of the extradition treaty between the U.S. and the U.K. have been tweaked.
David Meyer and Tom Espiner of ZDNet UK reported from London.
