Andy Greenberg from The Firewall has a nice wrap-up from the recently completed security conventions….
Employees at Apple, Google, BP and many other companies spilled secrets in a “social engineering” contest that challenged Defcon attendees to call corporations and trick employees into giving up sensitive information. Contestants sat in a soundproof booth (pictured) while an audience listened to them impersonate journalists, survey takers, fellow employees and customers to wheedle out private data from big corporations’ sales people and call center staffers. The contest was worrisome enough to warrant a call from the FBI to its organizers, and the contestants convinced all but five of their human targets (and, after multiple calls, 100% of the companies) to give up some details, ranging from what software versions the firm used or its paper record disposal methods. Those seemingly innocuous facts would help hackers case a firm for a larger data theft–searching for more private details like credit card or social security numbers was forbidden in the contest rules.
Barnaby Jack, a researcher with security consultancy IOActive, demoed two methods of hacking ATMs to make them literally spew money. One version of the trick on Triton ATMs allowed Jack to insert a USB stick into the machine and cause it to eject cash in a matter of seconds. The second hack, on Tranax machines, connected remotely via the Internet and could either output cash or secretly record credit card numbers and PINs. Both Triton and Tranax have worked with Jack to develop fixes for their ATMs.
Researcher Chris Paget demonstrated what’s likely the world’s cheapest and most accessible system for intercepting GSM phone calls, the protocol used by AT&T and T-Mobile. His hardware and open source software cost just $1,500, far less than previous methods. Paget went ahead with his talk despite legal concerns by the Federal Communications Commission–thanks in part to legal representation from the Electronic Frontier Foundation, he hasn’t been arrested as of yet.
Eavesdropping and social engineering aren’t the only methods Defconners demoed to steal information via phone. Nicolas Percoco and Christian Papathanasiou of consultancy Trustwave showed off a rootkit for the Android operating system that could invisibly give a hacker full control of victim phones running Google’s mobile software. The security firm Lookout also launched an App Genome Project database to monitor which Android and iPhone apps might engage in malicious behavior. One wallpaper app that had been downloaded more than a million times, the company found, collected users’ phone numbers and unique phone identifying numbers, and sent them to a server in China. The company later clarified that while suspicious, that data wasn’t used for anything malicious.
Nearly as significant as what was presented at Black Hat and Defcon this year was what wasn’t. This year’s conferences had at least two controversial talks silenced. One, a breakdown of China’s cyberwarfare capabilities, was pulled from the conference after the presenter, Wayne Huang, was pressured by the Taiwanese and Chinese governments not to reveal his research. Another talk on security vulnerabilities in high-speed trading systems was also snipped after a bank customer of the presenter Varun Uppal’s company, Information Risk Management, expressed concerns about the work.