Ep. 43: Security Report--Takeaways from Black Hat and Defcon: Live!We sent three reporters to the dual security conferences, Black Hat and Defcon, last week in Las Vegas. Each--Declan McCullagh, Elinor Mills, and Seth Rosenblatt--has a different coverage area and perspective. Today we talk with them about their experiences...
-- -- However one -- to reporters roundtable primary human San Francisco this is our weekly podcasts on a single tech topic. Each time. Today we're talking about the fall out from Defcon and black have the two. Security conference is that happened last week we've got a full house here of experts from -- is an all -- -- show. Elinor mills. Seth Rosenblatt. -- -- The these we sent three people to the show it was so important. And we figured probably one of -- get hacked and picked off and be unable to reports we sent three as back up. But they all actually reported live reported from the show got great stories three very -- -- in different perspectives here think in like the show lot. And we're going to basically be talking about what we learn at the show this year and every year. What -- or two for next year what we should be paranoid about. I love these shows -- paranoid. The -- says everything everything -- thanks okay. And look in in detail get there in a second. Before we get into that take aways here maybe a little bit of background. These two security shows that both in Las Vegas there one right after the other are they. Competing with each other at a different -- -- wide Defcon -- black -- One I don't know. Well use -- start out with Def -- mom. You know years ago -- early ninety's and it was just for the hackers you know script -- any when he wanted to do you know. Play with security boundaries. In the computer around and and Jeff moss organizer decided that there was increasing interest from it. Sort of you know legitimate secure security community people who are professionals and wanted to go in their companies within wanna send into a you know a hacker conference. So they have -- more legitimate more official more expensive. Black cat show for two days before Defcon Defcon runs over the weekend in its kind of a little more -- here. And in -- -- is called black hat the college course and Defcon the frat party but there's a lot of overlap in some of the sessions so -- black -- Which comes first is and more the suits. And Defcon is more of the geeks Alexandria. At the black hat is also something that might cost you quite a bit of mind to get them it's it's something that's -- go and expensive -- distaste for the week in and have fun. At Defcon 200 bucks it's like it's a lot cheaper so now black that is that is the buttoned down conference and the like and it's a party. Okay so. And we sent three why do we send seriously why do we decide to send three people was more than we've ever sent to the show was -- a lot happening or world. Or what what world sort of on different beats a cover -- the softer reviews side of security. And there's some blend over from that into went -- in -- -- -- -- would but not really. And the security vendors actually had fairly large presence. Like at this here and security vendors mean McAfee symmetric exactly -- feel okay. So what -- the big topics are there any -- themes this year at black applicants built into -- Very similar themes actually. There's just stand more sort of workshops and you know fun stuff going on at Defcon like you know lock picking contest and on you know contest to see -- -- -- tamper with boxes in and and packages without them being visibly -- let you know all sorts of like challenges to to. Keep -- I keep it fun and contests contests on black -- is. Really about the sessions button and you have -- there and there you know. Hawking their products and it's it's much more you know it's more like a regular trade show. Now you guys did some amazing reporting from the show it especially from some -- sessions at black hat there were stories about. ATMs that could be programmed to basically should money -- -- -- or not them. Somebody who was hacking mobile phone network and what that Clinton you reporting on these what the -- your take away it's -- -- that the most. Important. Are the biggest though of the sessions than demonstrations at that black -- well. Of the -- the most entertaining one was the ATM. Packing when I covered that -- covered some of the other ones as you can tell you about -- the ATM hacking it presentation was. A security you're a researcher -- -- who's the director of security testing of the Seattle based company Barnaby Jack businessman Francisco. Bay Area and -- he. All the few ATMs up on stage these -- the smaller standalone ATMs that you might find -- the convenience store or. At a restaurant as opposed to the big old art won't even better armored once -- banks. And -- -- he'd demonstrated how he found security vulnerabilities in in each one. Now one asthma manufactured by tracks to the area and -- accident the by Triton. And -- one security vulnerability -- party to actually go up there and does this -- -- USB. -- driver -- something into either physical access the other one was it was a more interesting vulnerability in that. Allowed you to just call it up over the phone another group of modems and and they often haven't checked next to Wi-Fi and to take advantage of a vulnerability in the log in process and a press the button and it spits out money and a password required. Now -- do these represented aside from being an obvious threat to banks and people on the eight camps of these represent a security or privacy or financial threat to consumers. They they do because it when you have ATM fraud and you have the is that someone able to. Extract money with literally depress the button after spending hundreds and thousands of analyzing -- -- -- lets you press that button. Then and that that increases fraud and having increases the cost of banking -- that means higher ATM fees and lower interest it's not -- Anti consumer stuff but there are few caveats that this -- he. At hold those two companies about the flaws in their software a year ago and that the software has subsequently been fixed. But you don't know with every convenience store and every local pizza parlor has actually implemented this stuff I understand this correctly. This hack this -- hymn music him hacks are year old. And he tried to present them last year and -- the companies somehow convinced them not to -- month the companies -- holder and his employer wouldn't but this may not really via a good idea and then there's a there's a long history of companies and that's that's that's actually more companies and sometimes government agencies. -- it telling people at these conferences hey if you present this he might be in a world of hurt -- -- was Cisco in 2005. And in 2008 I think get all right both covered this this was that the Massachusetts local transportation authority by telling a -- MIT students that if you present. This. And description how to hack local -- token subway card tokens then you might get sued. Electronic frontier foundation content vault but added there is there that this is this is one reason I think reporters -- go to Defcon because. There's the news might happen you'd never know who's going to be stuff the lawsuit as they walk -- -- at the podium. -- as they go up -- they come off. You 1012 -- if you don't want the information to get out -- the company is more likely -- you get the restraining order before they go on but give them and then maybe they arrested as they walk off when what's -- -- -- clear often a few years ago who -- represented on how to bypass Adobe. FBI -- the mail for nine months. Not the Cisco was merit as Cisco. Someone doing Cisco research and he. That was Michael and in 2005 but our former colleague yours. Before defected to go -- PR I wrote it wrote about that's -- -- those. Now -- -- or death when you've been going to this conference since the mid ninety's. Has. Has it fundamentally changed has or has the hacker mentality. Or cracker mentality. Change at all in the last ten years or so but Elliott has been going before -- I I did a few years. Forming and I think I think my first year was 95 and there were like -- and I remember like 400 people. A lot of young kids and -- those in the days of script kiddies and website and the vandalism you know. On it with you know finds him you know. -- down Yahoo! temporarily you know for a day -- part of a damning it was it was some. It was a different world and now it's a lot of you know like V -- socialist most popular one. It's about stealing your money how they're how they're you know draining your bank accounts and the financial institutions are worried and it's it's much more threatening and scaring -- you know that then. They the hackers were bragging about their exploits. Amongst themselves because that gives them in street cred and and they're doing it for you know to get a high profile to him make name for himself. Now you're not you're hiding what you're doing because you don't want to stop the flow of money so let's talk about. That the kind of natural push and pull you got people are very proud of their exploits -- the people who they are exploiting. And they're all together in one place in particular the that the mobile phone -- the two G echoes -- -- patch it was that the out. Who demonstrated. A mobile phone antenna -- basically fake out -- base station and convince. Some. Mobile phones. That they were communicating with an authorized cellular base station in fact they -- there -- being intercepted. Yeah tell us a little about that happen and let's talk about that the kind of the dynamic of the hacker -- the people from the phone industry you're in the room the security professionals and how they react to that and stuff. -- so he created with he made -- homemade bomb -- called in C and catcher. -- at some basically -- stating it GSM cell towers know that. The call that are in the the -- will come to you instead of the any real power and -- he of course you know. Put signs up and warned people listen you know we're gonna be doing this for purposes of the demonstration. He and you know turn off the -- or or you know he disabled the tax. Ability he he was able to do it just with Paul and you listen anything was just for demonstration purpose and he got like you know was at thirty you know woo -- Lines are all from during the demo. But he -- that he he made that with like 15100 dollars and -- button and dot used to be in the realm of you know governments and agencies. You know thousands whatever of you know way out of anyone's realm of actually doing it and he -- you know he showed that it can be done easily. On the so it it's it's pretty. You know it's it's not that it's new it's just that it's. Things are coming down the price is a possibility of these things and he wasn't mobbed by people from eighteen PT mobile or arrested by the FCC or anything of the sort or when it no -- not that I -- want. I mean -- can't these researchers there there are above board their legitimate they work you know for legitimate companies I mean. There keeping the company's. Helping in their security and companies know that together -- -- -- -- Chances are he probably talked to people and the companies about this before hand in fact is that the technology and the the technology was not name so they the Telecom can't care providers knew about if this is nothing new they probably came to see. Wow you could do it so easily my neighbor could be doing it now -- One of the things about the show is that. So many of the security things we're talking about whether to ATMs or. The mobile phone or -- that the the story this in the news today that's related to security of this week with you leaks. So many of these issues. Our. Government big government big company thing. You guys worked on a story about somebody was on their way to this this pair of conferences who was intercepted at border. As they were heading to black -- or what that come. That was allowed and I'm definitely about less hat now welds Thursday I'm in right in black children -- tell us a little bit about -- the -- fastening tells about what what happened and and how typical this was of the people going to the show. Okay -- don't we -- -- that we don't know everyone who's involved. And when -- -- -- they've never made their entire membership. -- principle let's let's call it. Public -- for probably good reasons one of the folks who is involved is. -- Apple long who. This in the Seattle area and was in Europe for a few weeks. After announcing that he was involved in with -- this was his first trip back to the country -- he was detained at the border. And Eleanor if you give east Marty tells but he was detained at the border at that the border this is that Newark Airport and and -- the air border there for about three hours -- customs officials and some army investigators. Detained him searched him searches for its role was as electronic here. I kept some of his laptops and cellphones and oh what they they were none too polite during miss them mean that there there them and so. They didn't arrest him -- in charged with any crimes. In fact. That nobody involved and we helix has been now but the date made it clear that is their kind of watching him and so the next time he comes back in the country what's gonna happen. Where is even going be allowed to leave the country. -- -- US citizen. He is -- -- importance happens it's Bavarian. And -- he was on its way to -- shows to give some presentation exact area on Saturday. And so he was detained their eyes as I read -- stores that's ultimately -- sort about. How he was they claimed he was pulled over and random check which was clearly not nothing random about. And then he he's detained they confiscate some of his devices he he then takes I guess the next flight out to Vegas. It gets this show and he's met again by more government officials. And -- -- down -- that. Yes so he. He didn't know winning losing is your back -- you know what what was gonna happen after that. So I actually attended his his talk on. Internet censorship -- a couple of other researchers talked about that in real regards to -- -- specifically. And afterwards there's -- name they moved to another smaller room where people can. Diving deeper with the you know with -- and any others. And he answered it into people's questions and then these two gentlemen -- to -- and I'm on their weight you know are waiting to talk to -- to you. -- and they identify themselves is being agents and you know. From the FBI and they wanna talk film and of course he's doesn't -- top panel lawyer. -- EFF lawyer who -- nearby and stands up you know next to them to sort of see what's going on and they said that they want it's just talk -- he didn't you talk to them. Without you know more information knowing exactly was going on. So that was kind of a bit of the stalemate and then that the agents walked off they didn't -- to talk to me either. More identify themselves so. Yeah he he was approached but it wasn't clued in I was amazed that people actually go to this conference considering how. Tense in must -- for people who are involved in high profile cases or. Anything -- -- there it's so ingrained in the history of the Michelle they have a spot the Fed contest that's one any official events he and you know -- can you -- these -- -- fat -- and -- No. -- -- -- -- No date they wear it you know they they kind of dressed casually and one had baseball cap I mean it looked a little less cool you know and some of the other hackers walking around their black shirts and their piercings and they looked you know more -- You know soccer you know dancer and you know whatever but. I I could I'm really wasn't also trying to look and in you know detect them but yeah they they -- there and they're sort of an. It's sort of a a neutral kind of at a -- it's sort of neutral turf where people can come together and from both signs you know and all sides actually. You know the researchers -- trying to help. The government -- it doesn't really sound. To me like -- that people at the show or flying under completely look. Reliable flag of truce if there -- people being detained at borders or arrested when they leave stayed the stage for after talks and things like that so how far does this kind of. They weren't arrested after the talk well and you're right you're right after this show all. You're right I mean it it depends. What the government what they're going after -- -- they didn't they and grabbed a Canadian detain -- -- and they just wanted to talk you know you talk to -- OK but you know Adobe actually going back to the companies that are getting information about. Vulnerabilities and exploits -- -- Charlie Miller who is what and great with iPhone an Android you know kind of security problems. He talked about something that had to do with it. And Adobe PDF. Adobe reader law. Adobe learned about that. From fitting in on his talk at black hat last week really so they better send people to the east talks because that's how they're learning about. A lot of this stuff and now they're fixing it this week Eminem rushing out. An emergency patched -- to be before their next. Agile morally based on what happened up like that. Yeah based on what they learn from telling analysts talk now next is -- just -- side note here next Tuesday is that massive patch Tuesday for Microsoft. Is that at all related to what people learn to black -- that are related -- that's under I as far as I know I don't know anything that's related Adobe's releases now okay and asset you said mean if they know before the show about how. Many of the problems that people are addressing at these conferences. Are the same all problems they've been talking about for years can you elaborate comment at an accent that might not think it hacked -- -- -- well as well I think it was human with somebody else that masquerading as you. Let's -- And yes so I thought it was very interesting in the keynote that and that the pre keynote address that Jeff -- -- I just bosses. The guy who who organizes or look at X attempts to write it. A definitely founder -- that's it. He made a really interesting point that. They're problems that we've been having with email security. We. Sending encrypted data all that stuff. This has been going on for thirty years forty years they still haven't solved any these things -- PGP key is a great way to secured email but it's not foolproof. And there are document ways of getting around. And that I think is a really interest in -- about what's going on in computers security right now. Where. It's not really a matter of whether or not it's got holes it's just a matter -- whether someone's going to find them. And be a black -- white hat and you know and then that that I think is. Cause for concern. One of the things that I it was reading lately is is that. One of the few things that it's protecting us from a massive cyber attack is hacker culture. Which is a kind of a hack for good mentality that do you think that it's true or are we basically hanging. On the goodwill of hackers and and a culture or or is -- -- that we've been lucky so far. The combination of both and I remember back from the late ninety's that -- people don't really pay much attention to. The vulnerabilities of the and -- the serious systemic vulnerabilities and you could just and get into. I'm Mae east which was so we're a lot of the East -- -- Internet pipes. Load through -- what's it with just two key card and -- -- people sit around tonight yet another meetings and say well you know here's how it could take on the Internet them here's how few people could take on the Internet. And -- since then info for news things have -- of -- more mature that there is the there's a very active culture. The people who are fighting back against hackers and sizes and so it's not just a bunch of Wiseman could pull the plug. It's and but there there is so there's some truth to that as well because if if you had hundred of the nation's best and brightest -- -- turner. Skills towards evil then that this this from the -- would be a very different place until we could. Fight back against that and fixing. This is this show isn't just. Sections as you said one or there are some stunts and contests there. What are some of the one of the things that were familiar with is the wall of sheep but that's basically you go to this conference is -- and use an un encrypted Wi-Fi connection. Basically. It shows up and people can see what your writing and when your ideas right -- -- and passwords user names and he skated -- it's okay. But there are other things here where if you show up at this conference and you're not smart on security. And. Yeah well will they also that this year they had the peek a boo boot -- publicity perhaps you know. I I I wanted to check it out I didn't and got -- like -- something else but from what I understand it was -- -- the screen shots of what people were looking -- Images over Wi-Fi and web -- in web pages I don't know exactly how they were doing it so but they had it. Yeah accord on top I mean it was you know you had to be eighteen -- over to to check it on I don't know. I didn't see it myself but -- is something that people were talking about they're also. He had these and this is the year of like Hoover high tech badge making no carport badges for four Defcon attendees will you have the -- that is there I've got the band -- here -- Every year -- got to get more. Intricate and complicated thing here at the -- on the regular cap on back here. I the battery island. Smart -- -- a yeah. But it without. You know had thirty interact with it and there's all sorts of little things going on here that you can do with and you can -- -- emanate they want you know recent just people to come coming in and do stuff with and they have a contest it in you know. Find the most novel -- interesting thing to do with -- -- they had these are these are. Really artistic and masterfully. -- -- And really you can -- on it I -- date that the it comes pre programs yeah things that you can do. And then. What I'm you're gonna talk -- ninja party they they told me that. People could only get allowed into there exclusive. Changing. If they hack -- -- the right way and if they did it wrong. It will die on them -- which show a little so I mean that's about -- indictment but if the game with -- and immature little symbol indicating that they failed and they wouldn't be allowed in. Are you talking about the Defcon mentioning in Japan. Oh -- there like that. I had -- but you've you're talking about in my -- have been injured advocate -- groups came up with like. Their own badges so this is the ninja -- -- maybe it's got it you know I've read only level one eaten by other players. And there are altered its secret hidden. Gain -- things going on in there. On the people like in Kaminsky in other you know really well known -- got black badges a black -- -- you read regular patch. Youth and give them more powers I mean. At this has so much stuff going on I -- I have no idea I'm afraid that if that thing away from me my devices this guy's going to be the ninja party on Saturday night which is sort of the final could a garage indignity you know events and also this was. He's you know it's -- this is used -- -- and supposedly he makes sure that you can't think people like you know and other some of them and security. So what one -- -- that -- ours actually being modest here. I did you just even getting one of those that does what what what who took some war dances of clearly she's young elite hacker which -- lead reporter I -- -- we know that. Let me. Just lucky so what we need what what -- we learn set you'll start here on this what are we learn from the show that we need to be worrying about as technology users. What should we be concerned about security wise today everything. Can you be more specific if it. Well yes and now I mean everything we we. There's a great program out there that I've been talked meant for years called TrueCrypt and some people know about it. It allows you the offers its own version seven -- version six update to it from years and half ago. Allowed you to create a in encrypted and -- in hard drive. In operating system on your computer and so -- the -- -- -- if you got pulled over by -- TSA. You could show -- your computer. And you know -- -- -- -- and there was no way that they would find out that there was actually a second encryption. Which means you're original encryption and and that would be one way to protect your data. I spoke with -- with a company called -- NC they do. Corporate security. It working on they -- been doing an enterprise sandbox. Based on. Hardware virtualization. And they're working on taking that into the consumer space and and what that means is that. Whatever program you're using currently they've only enabled set it up four Internet Explorer and Adobe reader although they're going to be extending that Firefox -- very -- they said. This would prevent you from. Prevent anything from getting into your system in want because -- -- virtualized and because of you running -- hardware. As opposed to a softer naturalization -- it would be harder to two breakthrough -- -- one of the components Abdallah dot com well. -- -- -- -- By definition that yes Republican. So what do you tell. Your readers I mean that. Just proceed as normal just use up to date browsers and operating systems are they take -- special care and in any particular area. I think that I think honestly it depends a lot on the user it depends on whether the user is particularly web savvy. What I'm gonna tell. Somebody who just you know browsers casually to look stuff up -- and and in a -- that doesn't treat the computer the Internet as as as cable TV that sort of sort of does. Where I'm gonna tell them is gonna be different from somebody who's -- you know even slightly more -- set but definitely use an updated operating system. The big. Conficker disaster. That was because of people who didn't have an updated operating system -- the reasoning and update was because they -- using hacked version. About windows XP and so updating is important. I'm not using Adobe reader right now I think is it is is -- the big -- to do. But seriously. Well. Mobile devices and and Apple products in general. In car. Very risky place to be because Apple doesn't necessarily. Who warn people win breaches are found and doesn't update as quickly as Microsoft does ironically because Microsoft is and as. Bundling them -- doing this for ten years and and culture of doing. -- the -- when any the big take ways for you were they in the. Realm of the web information sharing mobile what -- -- way. Oh a few things and I mean I -- right here hearing. That the folks from the ths and -- the NSA and CIA gamma formally talk. And the -- what one of the topics with cyber war and now when night this can be legally declared I actually I mean that that this this this literally this is when the Defense Department. -- can attack as someone else's computers if they attacked. Say the computers use -- by. Moscow's equivalent of the Pentagon that might be an act of war what happens is coming from and not from -- someone who's a private entity written and is so we had this discussion about well maybe we need to start -- -- the ground rule -- continue to figure at the ground rules and and we had. I yesterday's announcement by the Pentagon at a formal press conference that. They want -- -- to return. The summit documents the documents they posted numbers they have -- post relating to military communiques from. Afghanistan or else in the or else was left open -- -- I wasn't. What headaches but it that we helix has no that -- could this be your first cyber war with the US. On the offense that it's declared I I don't know this is it but it but this of this information. I'm what wants to be freer information wants Minnesota to cyber -- it what was it was a very interesting set -- -- -- the -- button. -- You I would just like to say you'd -- you asked about the culture and how it's changed yeah over the years and one at -- you know on the chat someone said -- Jeff -- is now on the ths -- report and that's a good point. You know when he started out the show he was really young and having lots of fun and you know there -- a lot of -- just kind of plane around. And now he's on the board that invited advising the government's. To keep networks and keep system secure. And when I said that you know the hackers want to help the government yes they want to help the government I mean the legitimate ones who have good intentions one -- the government keep. Keep -- country. Safe from the you know any kind of like I know attacks on network from and you know keep it but when it comes to surveillance. That's another issue and then not you know that there's definitely a -- different of opinion from the government there. But -- also -- who is on a famous hacker and very well respected. -- Psycho he is now working for DARPA and so there's there's you know people are growing up and they're they're being enlisted. For for good reason to. Two rolls of import. Now are these people who grew up. In a different -- who are now becoming -- you say in areas of importance and influence are these. Mature. -- hackers putting out the him correct or the safe where -- Any sense of moral structure onto the up and comers. Is that is -- -- are they being positive role model yes that's I mean absolutely and I think cell. I mean the Abbott yeah I think so I mean there you know they have the credibility from. You know what they were able to do you know what did the -- beat the research they did you know -- -- was keeping Microsoft on its -- You know finding holes in windows like you know Swiss cheese and you know he's responsible for a lot of -- -- -- -- security development -- Taking action on that cell I think that -- they played an important part in the security industry and now they're being recognized for that. In a way that is very beneficial. Great. Well I'm reminded the fact that them. These people aren't this is its importance on the interest budget committee of -- thing you know keep your friends close and your enemies closer. And hopefully. Grow them up well. With that we're gonna and this reporter's roundtable -- thank you very much in Seth Rosenblatt you can download that when call from CNET news.com. Look back next week at same time noon Pacific on Friday probably on net neutrality -- so putting the show together so they can watch my Twitter feed its -- -- FE. If you would like a replay of this and all the show notes and links. It's reporters roundtable dot cnet.com is an email to the show at our roundtable at cnet.com. Thanks guest again thanks -- producing -- the --