Ep. 86: DefCon and BlackHat show us that everything can be hacked

-- Everyone -- -- reporters' roundtable are pretty much almost weekly show about -- atop each time and that this is the paranoia episode. It is the week of black cat and -- the two great hacking privacy security conferences. That are ongoing right now in Las Vegas and we have got our siamese twin reporters there Elinor mills and -- -- are. Taking a break from conferences to hang out and talk to us about what's happening at these two conferences. And hopefully figure out if things are getting better for security as as as a whole or if it we should just all go home and hide under our beds and unplug everything. And -- landing and getting worse analogous. You have as cover for agency -- that. Thank you guys -- making the time my notes a very busy conference out there and there's like multiple tracks and is only will this also set is there he's out -- or you guys are here. I do in the show. And -- I want to thank you -- important things like operating system patches. The well there isn't rule number one force being safe and security to keep your systems patched. Slowly and that's why he's not uncovering the braking to the breaking news -- -- updates all right let us get started again thanks guys for joining us -- before we get into the news of the show I wanna fill everybody in here on what. What these two shows are for those who of of of the listeners who are new to this world. Every year in Las Vegas we've got black hat and Defcon are these competing conferences or are they -- -- -- both. I mean you guys are covering both what's the difference here. I do think there -- gonna -- your own well. De cons a lot older it started on nineteenth it's been nineteen years and -- -- started it -- He is pretty on launch I went to my first icon in 1990. And it was really small and around. -- -- -- -- -- -- -- Years later He realized that there was a lot of on interest in professionals attending shell. So black -- is kind of you know unofficially -- professionals show. Com a lot of companies will pay more to send their own people to -- show and around and vendors how. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- And -- -- companies are willing to pay that may well and it wouldn't be willing to send someone here for a hacker conference. Of computer security conference. -- -- -- -- -- And in its let. Few hundred dollars an attack on -- it's about a lot of people. Eating -- their company isn't making baking your for the weekend black -- it's Wednesday and Thursday at -- -- experience and so it meant. A British Shire had a great He called He said. Is the U university class or university. Defcon is the -- -- and that kind of sums it up and -- That is so which one has the more hardcore hackers and in which one is -- are the ones at the FBI guys have to go undercover. Really -- idea. -- aren't both and and the -- are both. And it has -- boots right having you have austerity you know -- was from -- ax head of the NSA and misses it it depends on a presence hearings that it's both. To keep an eye on what's going on in terms of -- -- -- a new threat we have to worry about but it's also a recruiting companies on -- the same. Reasons and it's an -- solicited fans and and and companies -- items Amazon -- here. Interest in our estimates and the difference let's move on now one of the big thing before again and again to what's going on with at shows and all the big news. -- -- -- or every time I go buy your -- conceal these badges from his security comes as you go to and they are getting more and more elaborate each year with an embedded chips and some I think some of -- If you go through security -- the wrong way they explode. I mean what is with the badges this year. It's but it's retro now that's different but in years that. The -- -- that this here this is this is steam I'm not safer and this is a piece of sheet titanium. It's it's not hackable and it's exactly the opposite of what they're doing next our last year. What -- Sahara both mean there. Me. And a lot injection -- with -- code secret code you know snipers. I don't know if this is the scandal also -- He put it over something like. You know. He seems to press for what works well and you -- and -- secret topic here. It's kind of -- it's. Steam punk there's you know it's like is a little rusty metal and so they're not -- an appealing to the steam -- on. You know this. -- let's get into -- -- what's what the news is here in the world of security now at one of the -- It was unveiled. That I think Mac fan -- this this big operation shady wrapped. What is that -- or you -- the big story -- that what is shady retton and how big -- deal is it. It's pretty significant -- basically it's a Mac be researcher. -- -- -- -- Probably not gonna -- Nokia found that -- There was an undercover. Espionage. Campaigns -- been going on for five years. At least He just discovered earlier this year when He was looking at some other -- information on cut compromise computers in or -- organizations and companies such basically it's significant because it's so broad it covers more than seven. Companies government agencies nonprofit organizations across a broad swan -- industries. In numerous like fourteen countries. And they horror. Basically you know whoever was on the other -- Was siphoning out data sensitive data classified information on from these companies such content so it's pretty pretty scary stuff -- He and -- who's behind it. But do we do we know or do we suspect any particular group or person or country. Well it's hard to know for sure anything people can speculate but to actually prove that it is the party is is very difficult to eat the researchers said the you know He believes -- nation state. But because of some of the -- the targets on you know. One could although the researchers not one could speculate that it's -- cash a lot of the targets were on major. -- companies and governments in. Asia but not know targets were in China specifically. And there were some I'm nonprofits how -- do with pro democracy movements -- words. But very recently there there was -- You Olympic. International Olympic organization and some Olympic committees in specific Asian countries. That -- hit the Florida Beijing. 2008 Olympics and then during -- after so the timing. Is a little bit suspicious there aren't and you know could point to China but again you know China has -- always denies this Clinton. You know these things come out so it's it's really hard to actually and -- Where something comes from because you can you can you know reroute -- through -- servers sound. Do we know what type of information was accessed from -- corporate entities or from individuals. Well Begin to go into specifics but. I'm closely guarded national secrets including classified government network on data source code on databases email archives negotiation planned. -- exploration details -- -- New oil and gas deal auctions. Document stores legal contracts skating configurations you you get the picture. So so what's the reaction of the black and different communities there as to this. This this attack which -- has been going on -- happened five years ago there has been going on for five years it's pretty it's pretty. -- at least. At least. So what direction there is this like oh yeah this is one of and several or that this is really -- So. A lot of professionals. Actually most people are either. Saying that they're not surprised that they know -- this goes on all the time -- in many directions and many -- -- -- Government I mean that this goes on and it's not just -- it is China it's just China and so there's a lot of like well yeah great -- this is happening and now the general public does it because there's some actual real privilege the big companies and organizations that are targeted age they don't go public with this for obvious reasons and you often if the government is. You know it's a government of a target. Who is monitoring that to seeing less. In other countries spying -- then. You know -- the government doesn't want to go public so either really. -- clandestine and in multiple ways so that got this information came out and we know the types of companies only let you explore organizations were actually named by name -- but it's a lot of information that's come out. To the general public and that's pretty important. Now -- go hip and happening and hip and and I don't know -- He gets. I -- thank you He gave a black hat talk there and He pointed He was -- at this this -- I think particular He pointed out that. Most exploits go through PDF files it what's going on on what's the Adobe. -- sure there and at these conferences. -- In general -- -- their. Wikipedia is in the strong vector for attack. -- well I might point out that it was a tiny hole that was used on Internet. At least some of the targets of the Google and it was thirty corporations. Abu last year and and late the year before on the net knows that asking us tax so it's not just Adobe on but they're -- there are you using. Security beefing up their security technologies trying to do you know imprint that they know that it's a target because every -- media DF files. Everyone that the software. Now -- wanna move on to I think. Move move on from this shady rest -- to as I was looking through the stories coming out of these shows. It seems to me that the big theme is that there are new. Devices new network's new things to hack we've got this data systems which are command industrial controls. An and other devices out there that are getting. People are showing how you can attack them from things on your body. Batteries we'll get those in the second the list that start with I think the closest tie to the shady rec story here which is skater NCA DSC. ATA. These are industrial controls and we -- -- what we did a whole show on infrastructure getting hacked. What's the latest there are -- or -- on a -- controls. Yeah and there's quite a few -- -- -- -- it'll. -- It's an embedded systems to aunt which are in all industrial control environments -- and new -- -- -- you on is a researcher and covered more holes I -- This is another issue with the researchers note that it -- legacy critical infrastructure systems. They're connected to the Internet even sometimes directly to the Internet -- Causes problems now they're putting on in embedded systems using -- in the PLC is and that's another. Vector for attack and another stretched so I don't. You know he's he's been -- -- and there's a software holes. He and covered a range of problems this week and out of the Nur in the North American electronic. Reliability thank you and release some of alerts because his work and another researcher -- so. Problems. And -- lots of toxic today there's something that Defcon is one on this Margaret unhappiness Margaret so -- It is it's pretty interesting. Now -- when you reported on yet another security threat speaking of energy which is -- -- most much closer to home for most of us which is our laptop batteries. There is -- demonstration somebody hacking into the it's the chemistry in the battery or the charging control system though what what is an atom and what's the danger the reaction to that. Now right well -- our first and the reaction is that Apple has not -- discuss this CNET Ellington. Turning in response -- -- to congress respond to such outlet in the the trend is this batteries are recurring smarter batteries have microprocessors in the books batteries -- charge controllers in the microprocessor. The charge controllers and says now's the time to charge the battery now's the time to stop charging the battery so you can tell me into a few things. -- the first is that you can wipe out. I you can send a new firmware update that will wipe out. -- -- A program that microprocessor has loaded so you can -- battery should the federal still worked out but you're not gonna battery and -- active red run only -- power and that's one and the other thread as this is kind of more contrasting matches well what happens if you can jump tell and a and charge controller well. It's it's still only 50% charging to keep on charging this thing even though it's fully charged and so you can in theory clause of the battery to overheat and perhaps sort of fire this is a theoretical the researcher who demonstrated this hasn't actually I've gone through. There's also an analog news. Outlet and this is an end this is -- the -- There's. In here typing by the way. NASA sorry about that there's there's one -- not possibility this kind of contrasting and that is. -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Now speaking of which. When Chrome came out and then following that the Chrome books -- Google. Made a lot of a pay about how secure the operating system -- but it's using a browser was an -- house secured the Chrome -- operating system is. And now we're learning that Google's Chrome OS may not be as secure as as we've let been led to believe where you that's in any of those sessions. Colleagues sat there -- those of an imminent. From covering the breaking news operating system passes. And let's see we've got what else is being hacked these days square which as the little credit card reader forget about Madison square. The -- and I really wanna talk about is the insulin pump hack. What is going on with of that which -- you guys was on on that story. There is not I islands against those there's incentive here's into the threat doubted that there. It's unclear how much of this is actually new look -- on portions of this have been demonstrated. At. And other. Conferences. But. And what. Out what we're talking about is wireless devices that can be implanted in the body or tactics that dumped the body permanently attached to change either that happens. I noted that can be accessed without proper security mechanisms and so what is what does this mean -- this means it bet I if you have a pacemaker in history of insulin pumps. Our you -- blood glucose. Monitor. Then. I. What guarantees to -- happened -- medical device manufacturers are actually. I'm taking the proper steps to ensure these camp each accessed and in some cases it human insulin pump on the chest down in you need devices are buggy -- Happens. -- you you can give yourself shots and probably on the items -- -- -- without incident right should not but if you what happens if you're very insulin sensitive and you can teach you you get 100 times -- -- what happens it is a pacemaker in and it. Can be. -- and a day and this -- -- matter -- -- -- -- -- Or. So what is the reaction there among. White hat -- black hat hackers. To the increasing exposure of all the devices that we depend on our lives whether it's our electrical created or implants in our bodies our cars and so on. Things that we think it was -- that earned her lumps of chemicals that can all be hacked it what's the attitude there and around these new expose threats. There's not enough encryption. An authentication. Not enough. Protections and security bill -- -- designed -- To make sure that there aren't you know data -- -- leaks and you know attackers who can intruding -- data or or messed with the system. Now now. It isn't I -- there's this constant call privacy by design which is a two inch T privacy into account when you have of the initial audit on the drawing board and -- the same and the security field that -- think about this from the beginning each on rely on security through obscurity am I mean Apple probably not that nobody was going to -- At its batteries and it's -- actually adds Amanda asked orbiter they're buying chips from Texas Instruments and should I you can at a house for you want some of the third party batteries that were in -- computers -- -- and Alex rule batteries I -- -- to actually -- account passwords that are oddly enough and so it's. Ions and so this is in your -- hoping that security I'm not that your security comes -- just. Assuming an illusory and look there's -- a critical ground at -- -- here and it probably isn't a good long term solution. -- -- when speaking of privacy by design you've been talking about. This new things happening with the FaceBook profiles. That. Now the FaceBook is getting face matching -- facial recognition software and that represents a privacy. Threat to. The average -- that is that -- you -- Well that they're. There -- few different points chairman let's let's actually not a public FaceBook is doing things in I itself actually and instead talked about the fact that you have all these profiles available. And -- -- Arafat and and the needs of public FaceBook requires you to make them public to be looked at its prompts privacy policy your name and photo if you -- -- I cannot be set to private. So what this means is that you have hundreds of millions of people who probably use a photo of themselves as their browser based. Or docs the number number it -- -- right but 90%. As opposed a -- of the other backpack or chat should -- has so. So you 90% of FaceBook users and it puts their real name possibly and a photo. Out of themselves possibly online now what happens -- was database with we think. Real names -- attached. So what happens -- that you can then readiness against. Other databases He can -- -- against people on the streets you can write this against our people on dating sites well researcher from Carnegie Mellon did well and found out is that it actually I Dennis identifying people on dating sites who worry not using -- real name using. I'm using pseudonyms and now about one -- ten. Could be identified and via their FaceBook profile. I'm the same thing -- people on the street I found actually higher match but there's more it will act. Humble higher percentage actually weren't FaceBook and people -- dating sites so if there is so so this is a pretty interesting -- -- in certain linking different database is loaded with the FaceBook photos and then when -- DMB -- so what happens if you -- -- of people -- -- from -- inserted an -- -- privacy threat. Now speaking of identifying and tracking people that we also wrote about the a demonstration -- -- at least that talk on a a group of people who were building a wireless. Aerial vehicle and a robotic aerial vehicle that could follow somebody by tracking their cell -- signal. And kind of stealth fully follow them home. Right and fortunate and so this is an -- A former US army target -- made from isn't that's designed for soldiers to shoot -- and so it's -- relatively lightweight and a candidate but it's a point I horse power motor in this thing -- sale for about an hour. At present continents on your anything -- it figures cost about seven to -- at 7000 dollars in hardware is not that much as a long shelf stuff -- do better with custom software which ends and then and of course their time and so what what they did do was it they outfitted this with the devices -- -- -- and on. A Wi-Fi transmissions Bluetooth transmissions and -- the position of -- -- wireless phones. And and then in theory you could actually attract someone west that nowadays are dragging them down the highway and you can follow them. It would help to actually get more from multiple drones -- -- -- -- the law and and eaten into triangulation which is a proof of concept that they're trying to call attention to another privacy and security -- of these drums and what happens when should I say. You can number. I Google wants this mr. pollute this with a dirty bomb that's -- pounds of payload. -- that's not to block the relatively small dirty -- what happens if you have when smuggled in across the national order -- -- a drone may have thought I was gonna show on radar should and so the these -- is an interest in security threats is not really great solution. Do you think that next year we're going to be talking that same things from -- this year will be talking more about. The track ability of people's mobile devices and the threat from above as we've -- -- heard about this this drone apparently. December. New stations now using parrot AR quark doctors for. News coverage. Is the aerial security environment going to become organ issue next year. I think so I think it geo location which enhances the physical world when you blow someone's battery theory when you can -- its -- as follows someone in the air when mutant -- or counselor privacy issues when -- to this I think He doing on physical -- on the -- in the world wants to pre existing acts -- that -- dwellers than doing a series of very articles about it assistants present a back. What do you think. Absolutely I think yeah I'm -- systems you know I'm. Protecting our nuclear energy are electric grid that NASA had electricity in in the -- that smart meters via -- home appliances. I think there's gonna be out more. Appliances that are networked -- you're using Internet protocol in your -- They did you when you think of it now in it's not matter -- your your laptop your mobile on it could be your TV your your home AC system that they could get. You turn your -- sprinkler systems on and Brussels and perhaps an hour. On over seven days lingered under -- was loaded via a network -- dishwasher a nice thing about killer washing machine there. Everything -- my -- majority shakes my house apart. Anyway speaking of the future -- close with this -- or you wrote that there is. A new conference -- a new sub sub segment of the conference Defcon kids. I don't know what to make of that tell -- what his -- on kids and should we be happy. Or upset that this conference this -- -- -- are reaching out to the young and impressionable. Sony's it's this is a good thing because they're not teaching -- not telling people even at the adult content go out and break things and bring a -- be criminal there talking dairy educating. Researchers. And companies and organizations about weaknesses they need to be -- students and tune -- system you have to know. It -- so we're training Dayton down on its training kids. About. Tickets to systems and that weaknesses in the systems and got -- -- to improving them. So is this like any can be secure Stewart's -- all it is is it's basically nannies are. It's not a babysitting service absolutely not they they want seemed to be there with you're with your kid and which I've -- to sessions are gonna be a valuable for adults to a lot of -- a lot of good talks on on -- I -- history history -- solving -- couple -- I urged him. You know where Google hacking a lot of lot of -- The same researchers and top end centers are talking -- such there are also gaining workshops on you know how you can you know locks -- -- -- the words and un you know right coached. It's on its valuable but also shows how. How grown up the industry and hacking community has become their -- they were kids. In the ninety's when. Defcon started and they're still kids here at over the years you know the -- not gray area -- People started having children and and now there are families with. With this year quest for knowledge and -- -- -- that that. To me and some may take that and so they take the kids here let's say it won't Urals mountain missile you're on the school of public schools and telephone network or computer -- many -- -- should this some of my. Should there they are teaching -- -- -- -- that responsibility comes -- actually how does does -- conspiracy don't expelled. Or how -- those social engineering your way and seeing getting something you want any kids already know you don't need to. Safe kids were -- -- -- done. I can't wait to take my -- there I you know -- market I'd I'd rather have them know what he's doing enough anyway. -- -- -- -- -- A maker fair -- ever will geeks. Maker -- cryptographic maker Faire. I -- I like the idea although. I want and get an actress prize to our anti lock away with shellac like this I'm with you really shouldn't put it on camera -- -- news. This is the Microsoft dot swagger right and you probably see a Microsoft logo on this thing you know I'm not -- -- -- -- -- is this -- -- at the maker gonna taxable aren't -- already topped out the more lights up. Which point -- -- that went. Sorry I'm actually I -- a model that or not just -- So that's a light up. I'll let you can see -- -- right now it's not really well that is fantastic. This is the Microsoft also hold the answers I think are the depth on track. They've only they grow up so fast guys I know you are very busy I really do appreciate the time out of covering black hat and Defcon for -- I really appreciate it. Echlin. -- McCullough Elinor mills are both writers at CNET news define their stuff on news.com. Guys thank you so much for the time. Com and thanks everybody for watching. Reporters' roundtable be back next week for another great episode. You can get all the links all the stories were talking out here on cnet.com slash reporters dash roundtable dash podcasts. Or I'll put a link to -- my Twitter feed which is just -- are -- -- you can also send me an email. If your feedback on this or other shows -- want to know more make any suggestions that's race are a -- At cnet.com. -- on -- again thanks very much Steve and thank you for producing thanks every for watching. Be safe out there and we'll see next week.