SPACE ROGUE

I’m sitting on the floor of the eighteenth level of the Hotel Pennsylvania at The Last HOPElistening to Karsten Nohl talk about the (Im)possibility of Hardware Obfuscation as he discuss tracing connections in integrated chip design. Heady stuff. Already ran into Lady Ada from AdaFruit Industries and Road Dancer from the old (defunct?) HDF.

So far it is a very interesting crowd mix, there are your standard hacker types but here also seem to be a lot of ‘normal’ people as well. The crowd seems sedate but there is a certain electric charge in the air present at all hacker cons. The real fun will come later tonight as people absorb all the new information presented at the talks and start to mix it up amongst themselves. Good stuff.

Check my flickr stream for pictures.

Many years ago, (like ten or more) there was a major US bank (BoA, CitiBank I don’t remember) that had a major security breach. I don’t remember all the details, and Google has been less than helpful, but the bank in question was very forth coming, they announced the incident, released a press release, and detailed what happened. They then spent millions to revamp their entire security posture to prevent it from happening again. That bank lost millions of dollars of business afterwards despite the fact that after the breach it was probably the most secure bank in the country at that time.

Looks like banks have learned their lesson and now are keeping as quiet as possible about any and all compromises in their security.

Kevin Poulsen has written an excellent article over at Wired detailing the recent breach of ATM card numbers and their PINS. Seems that someone broke into a server that controlled CitiBank branded ATMs in various 7-11s across the country and then used the card numbers and PINs to create fake cards and drain bank accounts. There are a lot of unanswered questions about this case such as who was actually responsible for this server. Citibank is pointing the finger at a third party transaction processing company and that company seems to be denying any involvement. No one is being very forthcoming with the details, probably afraid of bad publicity and the loss of business that may result from it.

Consumers of course are protected by law from actual monetary losses but the hassle of having to get a new card number can’t be fun. Unfortunately there isn’t much the consumer can do to protect themselves against this sort of attack. You can try to avoid those stand alone ATM kiosks like those found in convenience stores and rely solely on ATMS at actual banks but in many cases that is just not practical. So keep a close eye on those statements, verify every line item and call your bank at the first sign of anything weird.

UPDATE: Thanks to NR for sending me a link to the CitiBank breach from 1995 that I referenced above.
 

About a month or so ago I did an email interview with an online ezine known as The Bug Magazine. They are based in Brazil so most of the magazine is in Portuguese however the editors graciously published my interview in English as well. Scroll about half way down the page to get to the English version. The interview covers some of the old L0pht and @Stake stuff but also touches on new trends and the future.
 

Everyone gets a kick out of TV shows and news reports that feature stupid criminals. People who get themselves locked inside the store they are trying to rob or stuck in the air vent attempting to break in. For some reason you don’t hear about the smart criminals very often. Maybe they don’t get caught as much?
Recently there has been a new twist on the old credit card number scam. Criminals have found a way to modify those point-of-sale scanning machines everyone swipes their cards through to make copies of the information. I’ve written about this before here and here. Previously it was Stop & Shop Supermarkets who had their card readers physically altered inside the store to record card information (smart) and the second time it was researchers at the University of Cambridge [PDF] who found how easy it was to tamper with the tamper resistant chip and pin machines (wicked smart). Now it is Lunardi’s Supermarket in Los Gatos California who have found their card swipe machines altered to record the card number and PIN. At least a hundred people so far have reported fraud against their cards.
There isn’t a lot of room inside those little machines, so to be able to take one apart, install your recording device then put it back together and install it inside the store without anyone noticing seems to be pretty damn smart to me.
So you want to be smarter? Don’t trust the machines. Don’t give out your PIN number to every retailer you shop at. When the machine asks for a PIN hit the cancel button and choose ‘credit’ instead of ‘debit’. If your debit card can’t double as a credit card get to your bank today and demand one that can. Don’t give your PIN to the Supermarket or Walmart, and at the corner MOM & POP store use cash. Cash is King. Even at the ATM protect your PIN, look for tampering at the machine, cover your hand when entering the number. Be smarter than the criminals. Sure you may feel like George Costanza in an episode of Seinfeld but better to feel like a stocky bald man than to become the victim of fraud.
 

One of the more popular features of HNN (The Hacker News Network) was the daily list of web page defacements that was maintained at the time by Attrition.org. Maintaining such an archive soon overwhelmed Attrition and the task was taken over by Alldas. After the demise of Alldas, a small (at the time) upstart security site in Austria, Zone-H took over. They have been maintaining the defacement archive for years and years slowly adding to it over time as new websites get compromised. Their archive now encompasses over 2.6 million web page defacements. The amount of data they have collected is invaluable and is an amazing resource for security researchers to gain a historical perspective on the frequency and methods of attacks used over the years.
Lately Zone-H has had some rough times, their founder has been arrested in relation to an Italian spying scandal and they have been coming under increasing criticism from people who think their archive is actually promoting web page defacements. As a result they are actually thinking about discontinuing the defacement archive.
This would be an unfortunate occurrence if it was to happen. They are currently running a poll on their front page, (in the left column) as to whether they should continue hosting and updating the archive or not. I urge you to cast your vote and help save a valuable security research tool.
 

I had been waiting for the folks at Source Boston to update their website with relevant materials before I posted a recap but they are probably waiting until Monday and I know I won’t have time to post anything then. So be sure to check their site for presentation slides, videos, and whatnot, but in the meantime here is what I have.

First of all I don’t think I have been to a better con since HoHoCon ’92 or maybe SummerCon ’97? (Was there a SummerCon that year?). So what made it so great? The excellent talks for one thing. You had to make hard decisions for three days straight about where you wanted to spend your time. All of the talks I listened to were extremely high caliber, better than most talks at Blackhat, Defcon, RSA or elsewhere. Then throw in just enough socializing to make it interesting without going overboard (i.e. Defcon), not to many pushy vendors trying to sell stuff (i.e. RSA), and the small (by Blackhat standards) number of attendees and you had a really intimate setting of knowledge sharing for three days straight.

For a recap of the whole conference check out Jack Daniel’s blog post over at Uncommon Sense Security and check the individual talk write-ups at the Source Boston Blog. So far I have only found slides for Sinan Eren’s talk on Information Operations. Dan Geer’s keynote speach is posted here (If you read nothing else read that!). If you want to relive the con vicariously check out the tweme feed as several people (myself included) were microblogging the whole thing.) Other than that you can check out all the photos posted to Flickr so far.
Oh, and videos of all the talks should be available at Media Archives real soon now. I can personally recommend James Atkinson’s talk about telephone defenses, Andrew Jaquith’s talk about problems with AV software, Matt Moynahan’s talk about software inspections, Carole Fennelly’s talk about Incident response plans, and Frank Reiger’s talk on cell phone security. Oh, and there was a little thing near the end about the L0pht you might want to watch as well.

Anyone got more links? Post in the comments. Thanks.
 

Yesterday I unfortunately missed James Atkinson’s talk at Source Boston but evidently it scared a few people and pissed off a few others. I did manage to catch Carole Fennelly’s talk about Incident Response Plans which was very informative even for me. And of course people are still talking about Dan Geer’s keynote. Still great talks lined up for today, listening to Frank Reiger right now telling me how insecure all my cell phones are, scary. Oh, yeah, I have a little talk scheduled later as well, at least thats what their telling me, after last night’s pub crawl I’m not sure I remember right now.

Videos of the talks are said to be available at Media Archives at some point real soon now. If you missed the con be sure to pick up a couple of these.

P.S. If you ever get to sit down with James Atkinson ask him to empty his pockets onto the table. Trust me you won’t be at a loss for conversation.
 

Sometimes I wonder if people who are revered in their field are really all that smart. I am pretty sure that some people have achieved their positions not because they know their subject matter but because they are just charismatic people who are adept at politics and manipulation. However, as I sit here listening to Dan Geer at Source Boston talking about the dangers of a computing mono culture and the coming digital pearl harbor I realize that yes, some people really are that smart. Dan has said that his remarks will be available after his talk. I can’t wait to examine his words more closely.

This is one of the best cons I have been at in a long time. Just the right mix of serious technical talks, socialization and of course a little alcohol. Looking forward to talks today about the tug of war between business and security, Critical Infrastructure Protection, Study on Security Training Programs, and of course Developing an Incidence Response plan.

I’m pretty sure day passes are still available.
 

SourceBoston 2008 Going on now and for the next two days. If your anywhere near Cambridge MA you should head over. The shear number of smart security people in this hotel is mind boggeling. Seriously, you can’t turn around without seeing someone else who is a major industry luminary.
Already listened to talks by Tito Jackson (no, not that Tito), he’s the Director of IT from state of MA. He basically said that Mass is great and that jobs are growing and all hail Gov. Deval! Woohoo! I kid, but it was some interesting opening remarks and good to hear that things may not be all doom and gloom as the economy suggests.
The official keynote was given by Richard Clarke the former head anti-cyber terrorism dude at the White House he runs a consulting company now, oh, and he has a book or two out. He asked a very interesting question about wether the government should disclose software vulnerabilities that it discovers or should it keep them for use in the next ‘cyber war’? IMO my tax dollars paid for it so yeah, I should get a copy!
Then Matt Moynahan from from Veracode spoke about how hard it is to quantify the security in software. A subject I have wrote here many times. Lots of good points, companys don’t want to give up their IP, there are no uniform standards, etc… Of course his company (andcformer L0pht peeps company) Veracode has the answer but it seems like a pretty good answer to me.

Oh, and I set up a Twitter account. Not sure if I will use it after the con but there it is.
 

When I see something labeled tamper-resistant or even tamper-proof I don’t assume it is secure I just think that it is a little more difficult to break into than something that isn’t tamper-resistant. Three researchers at the University of Cambridge have figured out that PIN entry keypads used for Chip+Pin transactions in the UK are anything but tamper-resistant. They have published a paper to show just how easy it is to break them open and record customer data as they swipe their cards and enter their pin numbers. I applaud their effort but all they had to do was look at what happened to Stop & Shop Supermarkets a few short months ago.

Here is some advice which you can use, at least here in the US, don’t trust those card swipe and pin entry machines at the checkout counter. Most Debit cards from US banks will also work as a VISA or MasterCard. If your at WalMart and you whip out the ATM card and the machine asks you for your PIN, hit cancel. If the checkout lady at the supermarket asks “Debit or Credit” always, always say credit. If that little machine at the checkout stand is secretly recording your card number at least you won’t also be giving it your PIN and complete access to your checking account. While this won’t stop fraud it will make the bad guys work a little harder. Hard enough perhaps that they skip your card and go to the next one. Not to mention that VISA and MasterCard probably offer a bit more fraud protection than your local bank.