Black Hat USA 2010 and DEF CON 18 Wrap Up
Black Hat USA 2010 and DEF CON 18 Wrap Up
Black Hat USA 2010 and DEF CON 18 took place last week in Las Vegas. In order to really appreciate the magnitude of each conference proceedings, it is important to understand where each conference focuses its attention.
Black Hat is a security conference largely addressing all things computer and communications security. It is where industry comes together, describes attack vectors, and openly talks about malware, hackers, and threats to innocent systems and privacy. Black Hat is big business, both expensive to attend and sponsored by big name companies such as IBM and Adobe. If Black Hat were personified as a female actor, it is probably most analogous to an Angelina Jolie. Mostly prim and proper, strong reputation, easily discussed in polite conversation.
In sharp contrast is DEF CON, a conference in its 18th year. This year’s theme: 18 and barely legal. If that doesn’t set the tone for this conference, consider that DEF CON would be best personified as Lindsey Lohan- often drifting into illegal situations. DEF CON is an all-cash conference, no attendance records by design. It is where electronics and software gurus–hackers in proper parlance, meet for 3 days to discuss–and demonstrate–the unthinkable.
The highlight of the entire week had to come from DEF CON. For approximately 20 minutes, the presenter “legally” became an AT&T cellular tower, hijacking all the cell phones that use the GSM cellular network. Lawyers were on hand, as were the local media, to witness the presentation entitled Practical Cellphone Spying, by Chris Paget.
The synopsis of the hour-long presentation is this: HAM operators are permitted access to portions of the 900MHz spectrum, so long as they announce their call sign on a regular basis and transmit at less than 100 watts. A portion of this spectrum overlaps with the GSM frequencies used here in the United States. Chris used a 25 milli-watt transmitter and OpenBTS (http://openbts.sourceforge.net/) to capture AT&T handsets, using a VOIP solution as a backhaul. Members of the audience were encouraged to make phone calls during the session. Randomly by design, some were connected through the VOIP backhaul, calls recorded in the process, while others were met with a devilish recording advising them that their call couldn’t be completed, and done in a way one would expect from a DEF CON presentation. Total investment with gear purchased from eBay: no more than $2000.
Most disconcerting to some was that during this presentation 911 services were not available to the GSM phones linked to Chris’ tower. The humorous understatement of the moment: if you burst into flames from the antenna radiation, be sure to find someone with a Verizon (CDMA) phone to dial 911 on your behalf.
The range of digital security discussions across both conferences was daunting. From instructions on how to hack millions of routers, devices that make the Internet a reality, to intricate instructions on how to jackpot ATM machines, my mind consistently wandered toward the same question at the end of virtually every session I attended: have the digital technologies that we’ve come to rely on forsaken us?
Black Hat brought in the biggest names, including Deputy Secretary Jane Holl Lute from the US Department of Homeland Security, and Gen (Ret.) Michael Hayden, former director of both the CIA and the NSA. Both speakers delivered more provocative questions than answers, asking the audience to consider how society has become enamored with technologic advances, ignoring the security ramifications that follow widespread adoption.
Nothing is Truly Secure
The Black Hat opening day keynote emcee succinctly stated the problem: nothing we have built is truly secure. Think about it this way–email, web browsers, digital hardware, including wireless access points, routers and firewalls, and even today’s mega-smart cell phones–none of them is truly secure. Nothing engineered to date is truly secure. Why?!? Is security that hard to design? Why is encryption so often easily skirted with simple man-in-the-middle attacks? Does the rate at which we innovate preclude us from building secure systems? Are innovators so obsessed with innovation that security is an afterthought, if a thought at all? Or, is security simply beyond the grasp of human engineering? After all, security especially in recent years has been given an elevated status by the media.
What are the ramifications of our inability to build secure systems? The ramifications are disturbing. We often speak about the notion of privacy, but spend 8 consecutive days with hackers at these conferences and one can’t help but reach the conclusion that privacy is already a thing of the past.
Data Leaks Series Planned
Over the next several weeks, we’re going to embark on a journey here at ITS that takes a deep, critical look at the data leaks in your life. These are data leaks that you probably didn’t even know existed. We are going to look at how your car tire valve stems (not tread marks) can give away your daily routine, how WiFi as we know it is fundamentally broken and unsafe, how your computer or cell phone can easily be compromised by a determined hacker armed with an openly available rootkit, and how big business wants to force intrusive location based services (LBS) upon you in the name of profit margins.
The conclusion of the series is likely obvious to most–if you want true privacy, move to the backcountry and unplug everything that has a transistor in it. If that’s not an option, and if you want to better mitigate the digital risks imposed on life from technology, stayed tuned…