Hackers to flock to Black Hat, Defcon this week

Researcher to give talk on ATM security holes that was canceled a year ago, but talk on Chinese cyber army is axed after Taiwan complains.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Last year, a security researcher was forced to cancel his talk scheduled for two hacker conferences about weaknesses in ATM software after the ATM vendor complained.

This year the talk is back on the agenda for Black Hat and Defcon, which run Wednesday and Thursday, and Friday through Sunday, respectively, in Las Vegas.

"I've always liked the scene in 'Terminator 2' where John Connor walks up to an ATM, interfaces his Atari to the card reader and retrieves cash from the machine. I think I've got that kid beat," Barnaby Jack, who works for IOActive, wrote in the description for his presentation, which is titled "Jackpotting Automated Teller Machines Redux."

Jack said he will demonstrate local and remote attacks on two new model ATMs from two major vendors and will reveal a rootkit--software designed to hide the fact that a computer has been compromised--that works on ATMs running various operating systems.

While Jack will finally get to give his talk, another presentation was canceled after a foreign government complained.

Wayne Huang, founder of Taiwan-based security company Armorize Technologies, was scheduled to give his presentation, titled "The Chinese Cyber Army: An Archaeological Study from 2001 to 2010," on Wednesday but pulled the talk due to pressure from the Taiwanese government, according to a spokesman from Armorize.

Huang, who used to do research that helped secure the Taiwanese government's networks from attacks, will instead demonstrate how easy it is to inject malicious code into high-traffic Web sites such as Google, Facebook and others and plans to reveal new information about the targeted attacks on Google and others dubbed "Operation Aurora."

The two conferences are among the most popular annual security events globally. Black Hat attracts a more professional crowd than Defcon, where young hackers have been known to fill their off-hours with antics such as hacking ATMs and hotel elevators and participating in sponsored events such as lock-picking workshops and Hacker Jeopardy.

Multiple tracks of sessions cover a range of topics and often they are standing room only. Jane Holl Lute, deputy secretary of Homeland Security, will give a keynote talk at Black Hat and speakers at both events represent a who's-who of the security industry.

In a presentation that is likely to create waves throughout the telecom industry, cryptography expert Karsten Nohl will release software that people can use to test whether or not their GSM (Global System for Mobile Communications) phone calls can be snooped on. The presentation builds on prior work he has done publicizing the security weaknesses of GSM networks.

"There are effective, low-cost patches that network operators can use," Nohl said in an interview with CNET on Monday. "They need to install the patches now that have already been delayed for years."

In another talk, titled "Malware Attribution: Tracking Cyber Spies and Digital Criminals," HBGary Chief Executive Greg Hoglund will be releasing a free malware fingerprinting tool that can provide information about the identity of an attacker. Hoglund analyzes programming language fingerprints, mutations and extensions to algorithms, command and control protocols and other keys and artifacts code writers leave in the software to try to trace the malware back to its source.

Jeremiah Grossman, chief technology officer at WhiteHat Security, will show how malicious Web sites can steal passwords for other sites that are stored in Firefox's password manager and other threats from attacks hiding in Web pages.

Rob Ragan and Francis Brown, researchers at consulting firm Stach & Liu, will show search engine hacking techniques against Google and Bing to easily find Web sites that have vulnerabilities and release a "live vulnerability feed" to help people detect and protect against attacks.

And Tom Parker, director of consulting services at Securicon, will discuss the difficulty in tracing attacks back to their creator in his talk, titled "Finger Pointing for Fun, Profit and War?"

In addition to talks about security (or lack of it) in critical infrastructure, mobile networks, cloud computing, operating systems, routers and browsers, there are numerous sessions about privacy issues related to Google Toolbar, Facebook, ISPs, government surveillance, and laptop searches and seizures.