Standing on the Shoulders of Giants

In February of 1676 Sir Issac Newton wrote in a letter to Robert Hooke “If I have seen a little further it is by standing on the shoulders of Giants.” implying that while he may have come up with the final idea he was only able to do so because of the work of those that had gone before him.

Weld Pond (Chris Wysopal) accurately points out that this also applies to security researchers. Seldom is a major security flaw discovered that isn’t related to the previous work of an older technology. His case in point is the recent flaw patched by Microsoft of a almost decade old vulnerability. The original vulnerability has been widely credited to Sir Dystic (Josh Buchbinder) but Dystic’s research was based in part on work by DilDog (Christien Rioux). Dildog wasn’t the first to find the flaw either as it was mentioned in a earlier paper by Dominique Brezinski. Weld argues that this is why credit for security research is so important.

On a completely unrelated note Mudge (Peiter Zatko) was recently quoted by Mass High Tech (again) on the subject of voting machine security.

Prototype This! premiers Wednesday Night

Former L0pht member, Defcon Badge Designer, Triathelete, new father, and urban clothing designer Kingpin (aka, Joe Grand) can now add yet another title to his resume, TV Star! The premier of the Discovery Channel’s new show Prototype This! debut’s Wednesday October 15 at 8PM. Sort of a cross between Junkyard Wars and Myth Busters Kingpin acts the groups electronics wizard. For the first episode the team builds a mind controlled car. Be sure to check your local listings!

Hope someone throws this up on the Bay ’cause I don’t get cable.

Fake Story Still Fake, Media Still Clueless

About eight years ago a media story broke about how some “hackers” took over a British Ministry of Defense Satellite and were holding it for ransom. Anyone who knew anything about Command and Control systems for satellites knew this would be almost impossible especially for a military satellite. That didn’t stop Newsbytes, Yahoo News, ZDNet, even Reuters from running the story and sensationalizing the crap out of it. None of the ‘legitimate’ media questioned the story at all. They just reran the original Sunday Business story. The only website that I know of that questioned the story at the time was The Hacker News Network.. It was the questioning of that story that prompted Brock Meeks of MSNBC to label HNN as “the voice of reason”. As it turned out no confirmation of the original story was ever obtained, the Ministry of Defense flat out denied the event ever took place and the Sunday Business never revealed where the story came from.
So? Big deal? What’s the point of this walk down memory lane? Well, here it is eight years later and the same crappy media is republishing the same bullshit story as truth and fact. Evidently Corinne Iozzio over at PC Magazine, nor her (his?) editors can be bothered to do basic journalism, simple research or check facts. No, can’t let facts get in the way of a good headline and increased page views and ad impressions. So now this supposed ‘hack’ that as far as I can tell never actually happened, is the second most mysterious unsolved cyber crime. I suppose, on the Internet, if you repeat something enough times it magically turns into fact?

For reference here are the old HNN pages from March 1, 1999 and March 2, 1999. Unfortunately the chrome is gone and none of the links work anymore but the content is unchanged.

UPDATE: Thanks to Google’s 10th Anniversary Archive from 2001 and the Internet Archive a few quick searches help to confirm that the original story was fake. (Hey, Corinne, this took me all of about ten minutes.)

ZDNet – via Internet Archive “Our Satellites are Hack Proof” – via Internet Archive “Satellite hack is impossible, says UK”
Reuters Retraction – via “British Defense Ministry Dismisses Hacker Report”

Mudge Cover’s Mass High Tech

So I get into work this morning and grab my snail-mail and throw it on my desk and go grab my morning oatmeal and glass of water. I get back to my desk and start eating my oatmeal as I go through my mail. Things like fake domain name renewal bills, pleas from wireless phone companies to switch services, a copy of Information Week, the normal crap that finds it way into the IT Managers inbox. Then I get to this weeks (August 22-28) copy of Mass High Tech and oatmeal spews out of my nose! Why? Freaking a big ass above the fold picture of Mudge’s fat smiling face staring back at me. Seriously his face takes up like half the damn page.

The online version is much smaller. Here is a scan of the front cover [PDF]. Just make sure you have finished your oatmeal before you open it.

Oh, the story? It is about finding security holes in heart defibrillators. Which is important I guess, and I suppose I would find it more interesting if I or someone I know actually had one of these implanted. Personally I can’t wait until someone starts looking at wireless utility meters.

The next Last HOPE in 2010

So The Last HOPE is over and while I am still here in New York (the reason why I’ll save for another day) I have been contemplating the events of the weekend. All in all I thought the con ran extremely well which is a bit unusual in my experience for HOPE. While there were a few excellent talks that I mentioned in my previous post I found many of the talks to be… elementary. But hacker cons are sooo much more than just the talks and presentations, they are time to reconnect with old friends, friends you only see at cons and online. Time to drink bears and retel old war^h^h^h hacking stories. The fact that this is the “Last” HOPE and that 2600 the book has just been released I have been reflecting on my own travels through this underground maze. From my first real introduction to hacker culture at HoHo Con ‘92 held in Houston Texas to the ‘last’ Pump con in Philadelphia just a few years ago. In ‘92 the internet did exist but getting access to it was a bit more difficult. I remember making a modem call from my HP95LX from my hotel room to post news from HoHo con back on the hometown BBS. By the time of the first HOPE in 1995 the Internet was much more prolific but still new and shiny. The First HOPE captured that excitment of newness and the possibilities that it presented. Here at The Last HOPE people are live twittering (tweeting?), disecting talks and heckling in real time from behind keyboards. Change is of course inevitable but I think what I am seing here is a change in the culture itself. Sure parents are now bringing their kids to the same cons they snuck out of the house to go to, but I think it is more than just the core population growing older. There is a definite shift in how people interact and react to each other and technology. I haven’t quite been able to put my finger on it but I have been feeling it all weekend. Much like the first HOPE opened a new chapter I got the feeling that this last HOPE is closing a chapter in hacker history and culture. It makes me wonder what comes next?

P.S. Rumour has it that the Hotel Pennsylvania will not be torn down due to the poor economy. In which case, if it is still standing, the next HOPE will be in 2010. (Eternal HOPE?, HOPE Pheonix?). Personally I think if this con continues they should come up with a new name. The era of HOPE is over.


Talks at the Last Hope

After you attend more than a half dozen or so hacker cons you start to realize several recurring themes amoung presentation topics. Topics such as Freedom of Information Act requests, hacker spaces, or hacker history have been done several times at various cons. The Last Hope is no different as these topics have recurred here as well. The difference here is that the presentors of these topics have each taken a different more interesting slant and have actually presented new and useful information. The FOIA talk has actually motivated me to file a few requests myself. The Hacker Spaces presenation actually broke down many of the problems that we ran into at the L0pht and even some we didn’t have and actually codified them all with solutions creating almost a blueprint for anyone wanting to create thier own hacker space. And Sketch Cow’s talk on hacker history makes you stop and think when you realize that future historians may only have major media sources such as hollywood movies and copies of Newsweek to try to understand what all hacker culture was all about.

Looking forward today to talks on Phone Phreaking History, Copying High Security Keys, Honeypots for the Home User, and the premier of Hackateer.

Can’t be here and are missing all the action? Check out the Live twitter feed and the Flickr stream.


The Last Hope in NYC Today!

I’m sitting on the floor of the eighteenth level of the Hotel Pennsylvania at The Last HOPElistening to Karsten Nohl talk about the (Im)possibility of Hardware Obfuscation as he discuss tracing connections in integrated chip design. Heady stuff. Already ran into Lady Ada from AdaFruit Industries and Road Dancer from the old (defunct?) HDF.

So far it is a very interesting crowd mix, there are your standard hacker types but here also seem to be a lot of ‘normal’ people as well. The crowd seems sedate but there is a certain electric charge in the air present at all hacker cons. The real fun will come later tonight as people absorb all the new information presented at the talks and start to mix it up amongst themselves. Good stuff.

Check my flickr stream for pictures.


CitiBank Card Numbers and PINS Stolen in Server Breach

Many years ago, (like ten or more) there was a major US bank (BoA, CitiBank I don’t remember) that had a major security breach. I don’t remember all the details, and Google has been less than helpful, but the bank in question was very forth coming, they announced the incident, released a press release, and detailed what happened. They then spent millions to revamp their entire security posture to prevent it from happening again. That bank lost millions of dollars of business afterwards despite the fact that after the breach it was probably the most secure bank in the country at that time.

Looks like banks have learned their lesson and now are keeping as quiet as possible about any and all compromises in their security.

Kevin Poulsen has written an excellent article over at Wired detailing the recent breach of ATM card numbers and their PINS. Seems that someone broke into a server that controlled CitiBank branded ATMs in various 7-11s across the country and then used the card numbers and PINs to create fake cards and drain bank accounts. There are a lot of unanswered questions about this case such as who was actually responsible for this server. Citibank is pointing the finger at a third party transaction processing company and that company seems to be denying any involvement. No one is being very forthcoming with the details, probably afraid of bad publicity and the loss of business that may result from it.

Consumers of course are protected by law from actual monetary losses but the hassle of having to get a new card number can’t be fun. Unfortunately there isn’t much the consumer can do to protect themselves against this sort of attack. You can try to avoid those stand alone ATM kiosks like those found in convenience stores and rely solely on ATMS at actual banks but in many cases that is just not practical. So keep a close eye on those statements, verify every line item and call your bank at the first sign of anything weird.

UPDATE: Thanks to NR for sending me a link to the CitiBank breach from 1995 that I referenced above.

Interview with The Bug Magazine

About a month or so ago I did an email interview with an online ezine known as The Bug Magazine. They are based in Brazil so most of the magazine is in Portuguese however the editors graciously published my interview in English as well. Scroll about half way down the page to get to the English version. The interview covers some of the old L0pht and @Stake stuff but also touches on new trends and the future.

More POS Hacks Grab CC Numbers

Everyone gets a kick out of TV shows and news reports that feature stupid criminals. People who get themselves locked inside the store they are trying to rob or stuck in the air vent attempting to break in. For some reason you don’t hear about the smart criminals very often. Maybe they don’t get caught as much?
Recently there has been a new twist on the old credit card number scam. Criminals have found a way to modify those point-of-sale scanning machines everyone swipes their cards through to make copies of the information. I’ve written about this before here and here. Previously it was Stop & Shop Supermarkets who had their card readers physically altered inside the store to record card information (smart) and the second time it was researchers at the University of Cambridge [PDF] who found how easy it was to tamper with the tamper resistant chip and pin machines (wicked smart). Now it is Lunardi’s Supermarket in Los Gatos California who have found their card swipe machines altered to record the card number and PIN. At least a hundred people so far have reported fraud against their cards.
There isn’t a lot of room inside those little machines, so to be able to take one apart, install your recording device then put it back together and install it inside the store without anyone noticing seems to be pretty damn smart to me.
So you want to be smarter? Don’t trust the machines. Don’t give out your PIN number to every retailer you shop at. When the machine asks for a PIN hit the cancel button and choose ‘credit’ instead of ‘debit’. If your debit card can’t double as a credit card get to your bank today and demand one that can. Don’t give your PIN to the Supermarket or Walmart, and at the corner MOM & POP store use cash. Cash is King. Even at the ATM protect your PIN, look for tampering at the machine, cover your hand when entering the number. Be smarter than the criminals. Sure you may feel like George Costanza in an episode of Seinfeld but better to feel like a stocky bald man than to become the victim of fraud.