DefCon

Latest

  • Those chip and PIN cards aren't as secure as we thought

    by Roberto Baldwin
    08.11.2016

    Chip and PIN cards and readers are finally rolling out in the United States. Unlike traditional magnetic-stripe cards, which use static information to make a transaction, these pieces of plastic create a new key with each purchase, based on a standard by Europay, MasterCard and Visa. That should make purchases or withdrawals more secure, since the information is only valid for 60 seconds. As it turns out, according to Weston Hecker, a researcher at security firm Rapid7, a lot can happen in that minute.

  • Sex toy sends intimate data to its creator

    by Jon Fingas
    08.10.2016

    Connected sex toys that track your habits can be helpful, but at least one of them is a little too willing to transmit your personal data. Presenters at Def Con have revealed that at least one toy, the We-Vibe 4 Plus, regularly shares sensitive info with its creators at Standard Innovations Corporation. The couple-oriented vibrator sends its temperature to the manufacturer every minute, and reports whenever you change the vibration level. While it's not calling you out by name, it wouldn't take much to piece together details you probably don't want to share beyond your partner, such as when you climax and what it takes to get there.

  • Researcher finds huge security flaws in Bluetooth locks

    Photo caption: Researcher Anthony Rose discloses Bluetooth lock security issues at Def Con.

    by Roberto Baldwin
    08.10.2016

    Security researcher Anthony Rose just wanted to try out his Bluetooth range-finding setup. While wandering in his neighborhood, he noticed a lot of Bluetooth locks popping up and decided to do some sniffing of those "security" gadgets (read: capturing packets being sent between devices). "I discovered plain-text passwords being sent that anybody could read. I couldn't imagine I was the only one that could see this," Rose told Engadget following a presentation at last week's DefCon security conference.

  • How to hack a government

    Photo caption: Security researcher Chris Rock explains the best ways for regime change at Def Con in Las Vegas.

    by Roberto Baldwin
    08.09.2016

    Last month members of the Turkish military experienced an attempted coup to oust president Recep Tayyip Erdoğan. The overthrow attempt was quickly thwarted, but it might have succeeded if Chris Rock (the security researcher, not the comedian) had had a hand in it.

  • AI hackers will make the world a safer place -- hopefully

    by Roberto Baldwin
    08.08.2016

    The spotlights whirl in circles and transition from blue to purple to red and back to blue again. Basking in the glow is a stage constructed to resemble something out of a prime-time singing competition. But instead of showcasing would-be pop stars, the backdrop is built to push 21kW of power while simultaneously piping 3,500 gallons of water to cool its contestants. Those seven competitors were actually server boxes autonomously scanning and patching vulnerabilities.

  • RSA security conference: 25 years of discontent and pranks

    by Violet Blue
    03.09.2016

    The first time I went anywhere near the RSA information security conference in San Francisco, it was by way of a prank. Two things I love to cover are computer crime and enterprise security, so when I met friends for drinks at a downtown hotel bar during the conference one year they were genuinely surprised I'd never attended RSA. One of my drinking pals that night was Twitter's head of security, and he jokingly asked if I wanted to go to RSA -- right now.

  • This drone can steal data while hovering above your office

    by Roberto Baldwin
    08.17.2015

    It's the job of a security researcher to figure out how the company they are working for could be compromised. Apparently that now means using a drone to sniff out vulnerabilities a few dozen feet off the ground. The Aerial Assault drone houses a Raspberry Pi running Kali Linux, a distro built specifically for penetration testing (also known as pen testing) of networks and devices. Once in the air, the spy drone can detect insecure devices and networks and store that information locally or beam it back to the pilot.

  • Def Con 23: Where PR stunts and hackers come together

    by Violet Blue
    08.14.2015

    Having outgrown the odiferous corridors of the Rio, hacker conference Def Con entered this year by relocating to Bally's Hotel and Casino -- a venue described to me, in turns, by a Mandalay Bay hairdresser as "a shithole," a taxi driver as "a punishment" and a Mandarin Hotel bar waitress as "totally haunted." It turned out to be all that and much more. Def Con's move to Bally's and its adjoining property Paris allowed it to accommodate an estimated 20,000 attendees this year. And, like a goldfish growing to fit a big new bowl, the talks, expo, workspaces and hacking villages filled the vast ballrooms in each hotel to the limits. Lines for talks were long, and huge ballrooms were packed. In a time when stunt hacks garner headlines readymade for cartoonish CSI: Cyber plotlines, overhyped hacking talks were more overcrowded than ever; companies engaged in successful PR subterfuge on a bigger stage; and the U.S. government basically begged us to like it.

  • Where kids can hack without getting in trouble

    by Roberto Baldwin
    08.13.2015

    In a ballroom in Bally's Vegas casino, kids are lined up on either side of a table with soldering guns melting metal to metal. Their small hands deftly join LED to circuit board, while a few feet away other children are learning the basics of software development. In the back of the room, a group of children and their parents watch two preteen girls give a presentation on the cryptography found in a TV show. This is R00tz Asylum, the kid-friendly portion of the Def Con hacker conference. From the first-timers ripping apart various electronics to see what makes them tick, to the teenage hacker "CyFi," who revealed her first zero-day exploit at age 10, R00tz is exposing children to the world of white-hat hacking to make the future of our digital world a bit safer.

  • Surviving the Def Con hacker conference

    by Roberto Baldwin
    08.11.2015

    The phrase I saw and heard over and over again while talking to other journalists and security researchers about the Def Con hacker convention was "hostile environment." Not physically hostile; the attendees and staff were extremely nice. The hostility was digital. The hackers and security researchers are there to present vulnerabilities within the systems we rely on. But there's a tinge of mischief that permeates the event. Because of that, everyone that attends is fair game for hacking. That meant taking certain precautions that I wouldn't regularly take while covering an event. And, since it would be my first time covering Def Con (or any hacker conference for that matter), I felt especially vulnerable. Everyone loves to haze the n00bs; that's just human nature. So here is how I prepared for, attended and (I'm pretty sure) survived Def Con 23.

  • Birth then kill a virtual baby for fun, but mostly profit

    by Roberto Baldwin
    08.10.2015

    Babies are cute, cuddly and worth a lot of money if you know how to exploit their existence. While the babies being virtually birthed by Kustodian CEO Chris Rock (no, not that Chris Rock) may not inspire the sort of bond found only between a parent and real child, they can be a financial windfall in the wrong (or right) hands. During a presentation at Def Con, Rock demonstrated how easy it was to get doctor and undertaker credentials from publicly available databases and use those credentials to register birth and death certificates. In fact, you don't even need to create a fake baby to kill; you can kill one of your friends (or enemies) thanks to a system that doesn't verify the identity of medical professionals.

  • Smart collar turns your cat into a WiFi hacking weapon

    by Jon Fingas
    08.10.2014

    Forget Trojan horses -- it's the cats you have to worry about. Security engineer Gene Bransfield has developed WarKitteh, a tech-laden collar that turns feline companions into scouts for WiFi hackers. The innocuous-looking accessory hides a Spark Core board that maps wireless networks and their vulnerabilities wherever the pet wanders. If used in the field, the technology would be pretty sneaky; the cat stalking mice in your backyard could represent the prelude to an attack on your wireless router.

  • US considers blocking Chinese nationals from hacking conferences

    by Matt Brian
    05.25.2014

    Following its decision to charge five Chinese officials for allegedly stealing trade secrets, the US is apparently ready to take further action. Reuters reports that the US government may impose visa restrictions on Chinese computer experts, stopping them from attending the high-profile Def Con and Black Hat hacking conferences in August. Black Hat currently has three Chinese speakers lined up to present, while Def Con has none on its roster. The move is said to be part of a "broader effort to curb Chinese cyber espionage," after cybercriminals were said to have infiltrated six American private-sector companies to help give Chinese state-owned firms a competitive advantage. Organizers of both events, which include Def Con and Black Hat founder Jeff Moss, were unaware of the government's plans, but Moss did note on Twitter that such actions would not help build a "positive community." While an official block has yet to be imposed, stopping Chinese nationals already in the country from attending could prove difficult -- Def Con's privacy-conscious setup requires attendees to pay using only cash and they never have to share their name.

  • Automotive takeover schemes to be detailed at Defcon hacker conference

    by Darren Murph
    07.28.2013

    It's not like Toyota hasn't already faced its fair share of Prius braking issues, but it appears that even more headaches are headed its way at Defcon this week. Famed white hats Charlie Miller and Chris Valasek are preparing to unleash a 100-page paper at the annual hacker conference in Las Vegas, and notably, hacks that overtake both Toyota and Ford automotive systems will be positioned front and center. The information was gathered as part of a multi-month project that was funded by the US government, so it's important to note that the specifics of the exploits will not be revealed to the masses; they'll be given to the automakers so that they can patch things up before any ill-willed individuals discover them on their own. Using laptops patched into vehicular systems, the two were able to force a Prius to "brake suddenly at 80 miles an hour, jerk its steering wheel, and accelerate the engine," while they were also able to "disable the brakes of a Ford Escape traveling at very slow speeds." Of course, given just how computerized vehicles have become, it's hardly shocking to hear that they're now easier than ever to hack into. And look, if you're really freaked out, you could just invest in Google Glass and walk everywhere.

  • 'Best of British Indie Bundle' on Steam

    by Alexander Sliwinski
    08.28.2012

    A collection of the best-rated indie games by British developers is on sale for a couple of days on Steam. The "Best of British Indie Bundle" includes Time Gentlemen, Please!, Ben There Dan That!, Eufloria, DEFCON, Frozen Synapse, Revenge of the Titans and Gratuitous Space Battles. The bundle, whose components would add up to $79.94 individually, is more generous than gratuitous at $9.99. The sale runs until 4PM Pacific on Thursday.

  • Former NSA official says agency collects Americans' web data, director denies charges

    by Terrence O'Brien
    07.30.2012

    The NSA director, General Keith Alexander, is coming under scrutiny after he told a crowd gathered at the Def Con hacker conference that the spy agency "absolutely" does not collect data from and maintain files on American citizens. A former official stopped just shy of calling Alexander a liar, accusing him of playing a "word game." William Binney left the department in late 2001, when it became apparent to him that it planned to use the terrorist attacks on September 11th as an "excuse" to launch a data collection program that was already in the planning stages. Alexander for his part maintains that any data, be it web searches, Twitter posts or emails, collected from American citizens is merely incidental, and associated with intelligence gathering on foreign entities. Of course, Binney rejects this claim, and testimony from Qwest CEO James Nacchio regarding the NSA's wiretapping program would seem to contradict it. ACLU attorney Alex Abdo, who was on the panel with Alexander, cast further doubt on the director's denial. He noted that loopholes in the law allow the NSA to collect vast amounts of information on Americans without them being the "target" of the surveillance. Since the agency can hold on to any data collected, it can retroactively build dossiers on citizens, should they eventually become the focus of an investigation. For a few more details, hit up the source link.

  • Defcon 20 visitors get their own 'pirate' cellular network in Ninja Tel, exclusive One V to match

    by Jon Fingas
    07.29.2012

    The annual Defcon hacking meetup produces its share of unique creations. You know you're in for something special when even your entrance badge is an adventure. Defcon 20 might be winding to a close, but about 650 guests may just have the fondest memory of all: access to a private, ad hoc GSM carrier from Ninja Networks. While the collective's Ninja Tel is really an invitation to a party at the Rio Hotel, where the lone cell site operates out of a van, it lets the privileged few call and text each other to their hearts' content over cellular and WiFi. The network operators can unsurprisingly eavesdrop on any of the completely unencrypted calls -- this is a hacker's convention, after all -- but we don't think guests mind after getting an equally rare, customized HTC One V for free to make the calls in question. The Android 4.0 phone gets unique perks like triggering a nearby vending machine with Qualcomm's AllJoyn or making apps on the spot through Google's Integrated Development Environment. Owners can even reflash the One V to hop on AT&T or T-Mobile afterwards. Just don't expect to see Ninja Tel popping up in your hometown anytime soon; when Defcon shuts its doors, the cellular network shuts down.

  • Defcon 20 badges meld hieroglyphs, circuitry and cryptography for hacker scavenger hunt

    by Joseph Volpe
    07.27.2012

    Every year, the world's hacker population descends upon Las Vegas to trade notes, sit in on informational talks and compete in friendly contests -- all in the name of Defcon. But this time out, it's the conference's ever-evolving smart badges that've caught our eye, owing mostly to what lurks beneath. Designed by Ryan Clarke -- the mastermind behind the gathering's Mystery Box challenge -- these hackable IDs, issued according to status (Press, Human, Goons, vendors, etc), come embedded with an LED, a multi-core processor, IR transmitter and accompanying hieroglyphic graphic. But that's not all that makes these high-tech tags so special. Turns out, each one contains a game, buried within its open source software, that's encoded with several cryptographic, linguistic and mathematical layers. Shying away from hardware-focused hacks of the past, Clarke built this year's scavenger hunt-like game to be more inclusive of attendee skills, as it'll force conference-goers interested in cracking its code to break down social barriers and collaborate with other highly-specialized nerds. What's the end game, you ask? Well, according to Clarke, the puzzle is a continuation of last year's secret agent story (played out by a real-life actor) involving "a [mysterious] society of computer elites." It's not the sort of payoff we'd be after -- something greener and covered with a certain Ben Franklin's face would suffice -- but it sounds intriguing enough. Click on the source below to read more about the makings of this geek sport. And may the pastiest neckbeard win!

  • Ten-Year-Old Hacker presents iOS game exploit at DefCon

    by Kelly Hodgkins
    08.08.2011

    A 10-year-old hacker who goes by the name CyFi uncovered a new exploit in iOS and Android games. The time-based exploit lets you advance in a game by adjusting the clock on your phone or tablet. The California girl discovered the flaw while playing an unnamed farming game. Tired of waiting ten hours for some corn to grow, she advanced the device clock ahead and discovered an exploit that forced the game to advance prematurely. Several games are vulnerable, but their names are being withheld so the developers can apply a patch. Though they may be patched, she has reportedly looked into a few tweaks that may get around this fix. CyFi presented this information to DefCon Kids, a part of the popular DefCon hacking conference dedicated to the budding, young hacker.

  • Android Network Toolkit lets you exploit local machines at the push of a button

    by Joe Pollicino
    08.08.2011

    Defcon 2011 is in full hacking swing, and Itzhak Avraham -- "Zuk" for short -- and his company Zimperium have unveiled the Android Network Toolkit for easy hacking on the go. Need to find vulnerabilities on devices using nearby networks? The app, dubbed "Anti" for short, allows you to simply push a button to do things like search a WiFi network for potential targets, or even take control of a PC trojan-style. To do this, it seeks out weak spots in older software using known exploits, which means you may want to upgrade before hitting up public WiFi. According to Forbes, it's much like Firesheep, and Zuk refers to Anti as a "penetration tool for the masses." Apparently, his end-goal is to simplify "advanced" hacking and put it within pocket's reach, but he also hopes it'll be used mostly for good. Anti should be available via the Android Market this week for free, alongside a $10 "corporate upgrade." Consider yourself warned.