News

3657 Articles

Defcon 16: Glimpses Of The Network Operations Center

August 11, 2008 by 5 Comments


Wired’s Threat Level takes us on a photo tour of the Defcon Network Operations Center, giving a unique behind-the-scenes perspective of one of the largest computer security conventions. The Defcon Network Operations Center is run by a volunteer group named the “Goons”. They keep operations running smoothly and securely with both high and low-tech resources, like a Cisco fiber switch and an armed guard, to protect the router and firewall.

Defcon 16: Covert Warballooning Flight

August 10, 2008 by 6 Comments


Since last month, when the Defcon warballooning event was announced, [Rick Hill] finished building his rig and even got FAA approval for the flight. Just when everything seemed set, the Riviera Hotel management decided not to allow the takeoff from their property. So, naturally, [Rick] and his team rented a moving truck and covertly inflated the balloon inside. They launched it in an abandoned parking lot and drove through the Vegas strip. They were surprised to find that about one third of the 370 wireless networks they scanned were unencrypted.

[photo: JoergHL]

[via /.]

Defcon 16: Pacemaker-B-Gone

August 9, 2008 by 24 Comments

A collaboration of various medical researchers in the academic field has led to proof that pacemakers can be remotely hacked with simple and accessible equipment. [Kevin Fu], an associate professor at the University of Massachusetts at Amherst, led the team. [Kevin] first tried to get documentation from the manufacturers, believing they would support the effort, but they were not interested in helping. They were forced to get access to an old pacemaker and reverse engineer it. They found that the communication protocol used to remotely program the device was unencrypted. They then used a GNU radio system to find access to some of the machine’s reprogrammable functions, including accessing patient data and even turning it off.

Although this was only done with one particular pacemaker, it proves the concept and should be taken seriously by the medical companies who produce these devices. If you are interested in the technical aspects, check out the paper the team released in May disclosing the methods.

Black Hat 2008: Google Gadgets Insecurity

August 9, 2008 by 2 Comments


Black Hat presenters [Robert “RSnake” Hansen], CEO of SecTheory, and [Tom Stracener], security analyst at Cenzic, criticized Google in their presentation “Xploiting Google Gadgets”. [Hansen] and [Stracener] say that there’s currently no way for Google to confirm whether Google Gadget creations contain malicious content or not; this leaves the application vulnerable to a wide range of hacking ugliness such as data poisoning, worms, and theft of data. [Hansen] himself isn’t exactly on the friendliest terms with Google. He’s got a bit of a contentious history and he claims that Google has threatened legal action against him. Nevertheless, if what was presented is true and accurate, then Google has a huge security issue that needs to be addressed sooner rather than later. Google has not yet commented on the situation.

Black Hat 2008: What’s Next For Firefox Security

August 8, 2008 by 23 Comments

Mozilla security chief [Window Snyder] made some surprising announcements about Firefox Next, Mozilla’s next major browser overhaul. In her chat at the Black Hat security conference, she introduced three new initiatives that focused on threat modeling, training, and vulnerability metrics. For the threat modeling initiative, she’s hired Matasano Security consultants to review Firefox’s code for weaknesses and recommend mitigation tactics to protect the browser from hacker attacks. This isn’t inherently unusual; what is abnormal is that the information, once the work is done, will be revealed to the public. The training initiative will have IOActive trainers working with Mozilla engineers on secure computer programming practices. At the end, according to [Snyder], online versions of the classes will be released to the public, along with the class materials. The last initiative revolves around security metrics, and is already in progress. Essentially, the project will ideally take the focus off of patch-counting and provide a better assessment of security and vulnerability issues. [Snyder] says “We’re in the early phase, working on incorporating feedback from the rest of the industry.” She also reveals some more Firefox developments, including possibly incorporating NoScript into the core browser and implementing protected mode, but they’re still a long way from becoming standard features.

New E-Passports Cloned

August 7, 2008 by 17 Comments


Within an hour, Jeron Van Beek was able to create a successful clone of Britain’s new E-Passport. All he needed was a £40 card reader, two £10 RFID chips, and a small, improvised script. Although the exact details were not specified, it looks like he read the ID on the real passport using the RFID reader, then he wrote it to the two blank chips and put them in the fake passports. There is also a flaw which may allow outright forging of the passports. Nearly all of the 45 countries using the system have not yet registered with the Public Key Directory, which was put in place to make forging impossible.

The government is claiming that this hack is a hoax, but recent reports have shown that these RFID systems were never secure. No matter what the actual truth is about these hacks, it can certainly be said that the ability to clone or forge these passports would be a devastating security issue for every country involved.

[Photo: Digital World Tokyo]

[via The Guardian]