The first night of Black Hat briefings concluded with the Pwnie Award Ceremony. The awards reward achievements in security… but mostly failures. Notably, this was the first year anyone accepted an award in person. Hack a Day took home an early victory by producing a MacBook mini-DVI to VGA adapter (pictured above). The ceremony was fairly straight forward after that. Best Server-Side Bug went to the Windows IGMP kernel vulnerability. It was a remote kernel code execution exploit in the default Windows firewall. The Best Client-Side Bug went to Multiple URL protocol handling flaws like this URI exploit. Mass 0wnage went to WordPress for many many vulnerabilities. Most Innovative Research went to the Cold Boot Attack team. Lamest Vendor Response was won by McAfee for saying XSS can’t be used to hack a server. The Most Overhyped Bug went to [Dan Kaminsky] for his DNS vulnerability. Most Epic FAIL was won by the team behind Debian for shipping the OpenSSL bug for two solid years. Lifetime Achievement Award was won by [Tim Newsham]. Finally, the Best Song was by Kaspersky Labs for Packin’ The K!, which you can find embedded below.
Day: August 6, 2008
Black Hat 2008: FasTrak Toll System Completely Broken
FasTrak is the electronic toll collection system used by the state of California. Motorists can purchase a toll transponder for ~$26 and link the serial number with a debit account to have their tolls deducted automatically. Today at Black Hat in Las Vegas, security researcher [Nate Lawson] presented not just the privacy problems with FasTrak, but why absolutely no transaction from the tag should be trusted.
Continue reading “Black Hat 2008: FasTrak Toll System Completely Broken”
Black Hat 2008: Dan Kaminsky Releases DNS Information
[Dan Kaminsky]’s much anticipated talk on his DNS findings finally happened at Black Hat 2008 in Las Vegas today. [Dan] has already uploaded the complete slides from his talk as well as posted a short summary to his site. New information in the slides since our previous coverage includes “Forgot My Password” attacks and new attacks on internal network vulnerabilities as a side of effect of DNS cache poisoning. [Dan]’s talk today was over capacity; our shot of the conference room overflow is shown above.
Black Hat 2008: EFF Coders’ Rights Project Announced
The EFF has just announce the creation of the Coders’ Rights Project website at the Black Hat conference. The sites’ main goal is to centralize legal information for coders, and to help protect important security work from legal actions that may be taken against them with the DMCA and other legal black holes. While this is in no way a fully comprehensive list of everything you need to know, it looks like a good place to start, and provides a few FAQs for suggestions on how to stay in the legal clear as much as possible. At numerous points the documents suggest you speak with a lawyer, if you have any deeper questions, which you absolutely should. This can be very helpful if a person or group finds a security risk, and wants to publish it, or just wants to start looking into possible security risks.
Hybrid Headphone Amplifier
[Rogers Gomez] has posted up this hybrid tube based headphone amplifier over at DIY Audio. Being a fan of tube amplifiers, but wanting something with lower voltage and lower cost, he put together this little system out of spare parts he had lying around. He wanted it to have as few parts as possible and be able to power his 32 ohm Grado headphones.
He states that he’d built several YAHA amps, and a Szekeres Mosfet follower and was curious how they’d sound together. He was pleasantly surprised with the resulting quality.
There are less than 30 individual components involved in the project. The complete parts list and schematics are available from the site. He notes at the very end, to unplug your headphones when powering up as there is a surge that could damage them. That might be good to know at the beginning just in case you get eager to test it out.
[Thanks, Gio]
Remote Controlled Pill-bot
The NanoRobotics Lab at Carnegie Mellon University has come up with a medical robot that can be swallowed, and is then able to be controlled from outside the body. The device has small arms with adhesives that can attach to slippery internal surfaces, which has previously proven difficult. Once inside the body, it can be used to view damaged areas, deliver drugs, as well as biopsy questionable tissues, and possibly even be used to cauterize bleeding wounds with a small laser. The device could be stopped, and even reversed to get a better look at areas that may have gone unnoticed otherwise. This would be a major advancement in diagnosing intestinal problems, and could lead to potentially life saving treatments. Did we mention that it has lasers?
[via Neatorama]
Autonomous SWARM At Large
SWARM has been showing up at a number of places. Until now, the mysterious spheres have been under human control. However, the SWARM has taken the first steps to autonomous control. The SWARM is a kinetic art project consisting of several large self-propelled metallic spheres that interact with each other and their environment. Each orb in the swarm is fitted out with a processor, GPS, accelerometers, and Zigbee wireless communications. The entire project is open source. Slated to appear at the 2008 Burning Man festival, the orbs will use their GPS to wander within a specified area, keeping themselves “in bounds”.