Trying to predict the big news at this week’s Black Hat and Defcon conferences is extremely tricky, if not impossible. Usually the most interesting stories pop up at the very last minute—hackers tend to hold off on disclosing the really big talks because they don’t want jittery lawyers to shut them down. And even when you think you know what’s going on, sometimes one of the shows steps forward to take center stage, as Defcon did three years ago when Dateline NBC reporter Michelle Madigan was run out of the conference for trying to secretly film show attendees.
Black Hat, the more corporate event, and its unruly sister conference, Defcon, are held one after the other each year in Las Vegas. This year’s Black Hat conference is on Wednesday and Thursday. Defcon runs Friday through Sunday.
So expect some chaos this week in Las Vegas. Expect some surprises. If you’re attending, expect a hangover. But also look out for some interesting security stories on these topics:
Hitting the ATM jackpot
This year’s most-anticipated talk comes from Barnaby Jack, formerly of Juniper Networks. Jack has been toying around with ATMs (automated teller machines) for the past few years and is ready to talk about some of the bugs he’s found in the products. We don’t yet know whose ATMs are vulnerable—or even if the manufacturers will be disclosed—but ATMs are a green field for vulnerability researchers.
Black Hat conference director Jeff Moss says the work on ATM bugs is reminiscent of the voting machine research that came out a few years ago—which showed serious security vulnerabilities in the systems and caused many government agencies to rethink the way they were rolling out e-voting.
Jack’s talk is controversial. Juniper pulled it at the last minute ahead of last year’s Black Hat conference, at the request of ATM makers. But now working for a new company, IOActive, Jack plans to show several new ways of attacking ATMs, including remote attacks. He will also reveal what he calls a “multi-platform ATM rootkit,” according to a description of his talk.
“I’ve always liked the scene in ‘Terminator 2’ where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I’ve got that kid beat,” Jack writes in his abstract.
Two years ago, Dan Kaminsky made headlines worldwide by uncovering a flaw in the DNS (Domain Name System) used to look up the addresses of computers on the Internet. This year, Kaminsky is speaking again at Black Hat—this time on Web security tools. But he’s also been tapped to participate in a press conference where he and representatives from ICANN (Internet Corporation For Assigned Names and Numbers) and VeriSign will discuss Domain Name System Security Extensions (DNSSEC)—a new way of doing DNS that provides a level of confidence that computers connected to the Internet are what they actually claim to be.
About two weeks ago, ICANN presided over the first cryptographic signing of a root server with a DNSSEC key. DNSSEC isn’t yet widely supported, but ICANN hopes that by signing a root zone, it will spur others to support the protocol in their server and client software.
Researchers like Kaminsky say that widespread adoption of DNSSEC could curb a whole bunch of online attacks. “We’ve been looking at how DNSSEC is going to address not only DNS vulnerabilities, but some of the core vulnerabilities we have in security,” Kaminsky said in an interview. “We’re not going to solve all of those problems with DNSSEC… but there’s an entire class of authentication vulnerabilities that DNSSEC does address.”
Unleash the Kraken! That’s just what GSM security researchers are going to do at Black Hat this year, in what could ultimately become a major headache for U.S. and European mobile network operators. Kraken is open-source GSM cracking software that’s just been completed. Combined with some highly optimized rainbow tables (lists of codes that help speed up the encryption-breaking process), it gives hackers a way to decrypt GSM calls and messages.
What Kraken doesn’t do is pull the calls out of the air. But there is another GSM-sniffing project—called AirProbe—that’s looking to make that a reality. The researchers working on these tools say that they want to show regular users what spies and security geeks have known for a long time: that the A5/1 encryption algorithm used by carriers such as T-Mobile and AT&T is weak, and can be easily broken.
But why break GSM encryption when you can simply trick phones into connecting with a fake basestation and then drop encryption? That’s just what Chris Paget plans to demo in Las Vegas this week, where he says he’ll invite conference attendees to have their calls intercepted. Should be a fun demo, if it’s legal. Paget thinks it is. He has also developed what he calls the “world record” for reading RFID tags at a distance—hundreds of meters—which he’ll be discussing at a Black Hat talk.
Another researcher, known only as The Grugq, will talk about building malicious GSM network base stations and components on mobile devices. “Trust us, you’ll want to turn off your phone for the duration of this talk,” the talk’s description reads.
And on a week that was kicked off with Citibank’s admission that it had messed up security on its iPhone app, another talk to watch will be Lookout Security’s “App Atttack,” which will shed light on insecurities in mobile applications.
Siemens got a taste this month of what it’s like to respond to a real-world SCADA (supervisory control and data acquisition) attack, when someone unleashed a sophisticated worm attacking its Windows-based management systems. But SCADA experts say that Siemens was just unlucky, and that this type of attack could easily have taken down any of the company’s competitors too. In fact, there are plenty of security issues plaguing industrial control systems—so many that they’re getting their own track at Black hat this year.
Over the past 10 years, Jonathan Pollet, the founder of Red Tiger Security, has run security assessments on over 120 SCADA systems, and he’ll talk about where security vulnerabilities are most likely to crop up. Pollet says that many networks have developed a kind of no man’s land between IT and industrial systems — computers that are often at risk because nobody really seems to take complete ownership of them.
Pollet will talk about where these bugs show up in the infrastructure—his company has collected data on 38,000 vulnerabilities—and the types of exploits that have been written for them. “You don’t have to wait for zero-day vulnerabilities, ” he said. “There are already a lot of exploits out there.”
Will the Zero for Owned group, who hacked Dan Kaminsky and others on the eve of last week’s show return? Will the feds or AT&T stop Paget from messing with GSM? Will an irate ATM vendor launch a last-minute legal challenge to Barnaby Jack’s talk? Will Defcon’s Social Engineering contest cause someone in the financial services industry to blow a gasket? Will a swarm of bees infest the pool at the Riviera? Who knows, but in Vegas, expect the unexpected.
[Robert McMillan covers computer security and general technology breaking news for The IDG News Service. ]