Las Vegas airport is now crowded with home-bound crackers, hackers and those who oppose them, as the annual Black Hat and Defcon conferences close for another year.
Black Hat kicked off at the start of last week, and is the serious side of the sessions.
It begins with training for security professionals on current and future threats, and then opens out to general briefings for everyone. It's a mix of hackers, crackers, security executives and law enforcement.
Then Defcon begins and the crowd thins out. This is the event for the hackers and crackers, so the talks get more complex, the dress more outlandish and the partying more serious.
Anyone who thinks that the geeks who come here are antisocial losers should go to a Defcon pool party; these people know how to rock.
I heard it said that, if the world really did want to stop computer hacking, a medium-sized nuclear warhead detonated over Las Vegas last week would have done a pretty good job.
However, despite the attractions of nuking the place, in fact it would have made the computer crime problems worse.
No matter how the media views these people, the fact remains that they find the security holes that others miss, and their coming together to share knowledge is a good thing not a bad one.
There are still far too many commercial companies out there that cover up security holes and hope no-one notices, rather than exposing them and finding a workaround.
So anyway, here's the most notable happenings of the events, some scary, some funny and some downright disturbing.
Honourable mention: Conversation
While the briefings can make you paranoid, the private conversations with people can be even more terrifying. You realise quite how vulnerable large areas of information technology are, and it's not something that means you sleep well at night.
That said, there's also fun to be had. The crowd at the Black Hat show are by and large highly intelligent people, and that always makes for good anecdotes.
Bruce Schneier gave a great example of why we are better than animals in that we have tamed our fight or flight reflex, so that if the boss gives us a dressing down we don't stab him or run away.
But Deb Radcliff, one of the best security journalists in the country, came out with a comment so funny that, if I'd been drinking a cup of tea at the time she would have been receiving a bill for a new laptop. This was an actual quote from someone she knew: "I'm not lying, I'm managing information!"
10. Internal hacks
Hackers are natural pranksters, like Loki and Brier Rabbit from legend. So it's natural that there would be many pranks played by members of the conference.
After all, there's major kudos to be had in beating the professionals at their own game.
Even before Black Hat had kicked off in earnest there were already problems. Security researchers Kevin Mitnick and Dan Kaminsky had their servers hacked by a bunch of crackers who wanted to display their prowess. Kaminsky brushed it off as "drama" and said they got nothing of value.
There were also reports that someone was spoofing the Caesar's Palace Wi-Fi address, changing one digit in the hope that some poor soul would log on and open up their laptop to scrutiny.
I didn't use Wi-Fi all week and all radio communication on my machine and phone stayed disabled.
Then, at Defcon, an ATM was found that was harvesting credit card information. It was rather poorly put together, but I wonder whether it was an attempt to steal money or just to get kudos.
9. Federal Aviation Administration hacking
If you're a nervous flier, the Federal Aviation Administration (FAA) hacking talk by Righter Kunkel would have given you nightmares.
The FAA controls all air traffic over the continental US and the consequences could be catastrophic if it was shut down in some way. Large-scale cancellation of flights would be inevitable, and any planes in the air would conceivably be left flying blind.
Kunkel, himself a pilot, found that getting into the system was easy, and required little more than a fake ID. The attacker could register for a flying-fitness medical certificate and use this to get a student pilot's certificate number.
This would allow access to the FAA's flight plan submission system, since a full plan must be given before every flight.
By using denial-of-service methods an attacker could flood the FAA's computers with false flight plans using a simple script and shut down the network.
There's more to it than that, and Kunkel rightly kept those details to himself, but it makes you think.
8. The Feds
Back in the early days of the conferences, the federal criminal authorities would try to infiltrate the events to gain information on attackers and their tactics. They were so persistent that a 'Spot the Fed' competition was set up for attendees.
But everyone's matured since then, and current and ex-members of the law enforcement community are not only welcome but have their own conference sessions in which they discuss frankly the positive side of working within the law and some of the mistakes they have made over the years.
The result is a much more sensible arrangement. Hackers can see that not everyone with a badge is a brainwashed tool of 'The Man' who is looking to crack down on them as part of a fascist campaign, and in return the feds get to see that hackers are intelligent, highly-motivated people who could be of great benefit to their country, rather than dismissing them as nothing more than common criminals and weirdos.
As a result, the government has even started using Black Hat to recruit allies in the fight against organised crime and terrorism. This is a wise move and makes us all safer.
7. SMS hacking
SMS hacking has been around for a while, but researchers Charlie Miller and Collin Mulliner caused a storm by showing how easy it was to hack Apple's iPhone with a simple set of text messages.
By sending the right code to the phone the researchers found they could take complete control of the device, and use it to hijack other devices. The only way to stop it is to shut the phone down completely.
It was a masterful piece of work but raised some very worrying concerns. Since the attacks can be spread to other smartphones, it raises the possibility of a phone worm, which would spread over the network and possibly take down large parts of the phone system. A worrying thought indeed.
More worrying was the ease with which the bug was found. It took them a week to find the flaw, and two and a half weeks to write an exploit. Apple took six weeks to fix it.
6. Software updates
Software updates are a part of life and, by and large, make computing a lot safer. However, that may no longer be the case.
Two Israeli researchers, Itzik Kotler and Tomer Bitton from Radware, found a way to use the software update process to inject malware into a target. They found the flaw in over 100 applications, including Skype.
The attack uses Wi-Fi to detect computers looking for software updates using HTTP, and jumps onto the signal before the application servers issuing the updates can send the code. It then tells the user that there is code ready for upload (even if no updates are needed) and injects malware onto the target computer.
It's an especially scary attack because patch management is vital for secure computing. To have it subverted is going to have people second-guessing their own systems.
5. Cloud computing
Cloud computing is the buzzword of the industry at the moment, but plenty of people are expressing severe doubts about its security.
In some ways, cloud computing is nothing more than an extension of the old client/server model that was the basis of early computing. But the idea today is that companies should outsource certain key functions to third-party providers that would hold the data for you.
Naturally the bean-counters love this, since it allows them to get rid of costly infrastructure and staff. IT staff, however, are more wary. They point out that, in some cases, it could mean that companies lose control of their data and expose themselves to liability. After all, data is key to success these days.
Take Google Apps, for example. All the information on Gmail and Google Apps is stored in the company's servers in the US. Google is a reputable company, but under the American Patriot Act the US government has the legal right to access all and any information on servers in its country. This raised all sorts of red flags for European visitors.
4. AES hacking
The Advanced Encryption Standard (AES) is supposed to be the gold standard of cryptography. A while ago someone produced a theoretical attack, but it was hardly practical. Unfortunately, there's a new attack and it works.
Discovered by Alex Biryukov, Orr Dunkelman, Nathan Keller, Dmitry Khovratovich and Adi Shamir, the new attack is all the more devastating because it works against AES using a 256-bit key length, which is supposed to be the really safe form of encryption. The difficulty in breaking encryption is related to key length and, while most people are happy with AES 128, the more paranoid, or those with really valuable data, use AES 256.
The attack isn't perfect by any means. It can only be used against AES 256, it still takes a huge amount of time and it requires the attacker to have access to some pretty scary information. But AES failing is a major worry nevertheless.
3. ATM hacking
Cash machines are an essential part of life these days. When was the last time you went to a bank and actually cashed a cheque when you could just have used a cash machine?
As such they are a very valuable target for data thieves. In the past the chief method of getting ATM PINs was shoulder surfing, peering over a target to get their number and then stealing the card. More advanced criminals put a card reader over the front of the ATM card slot and a camera in the lid to record keystrokes.
But Italian researchers Andrea Barisani and Daniele Bianco showed that entering a PIN causes fluctuations in a terminal's power supply that could reveal the number via the earth wire. More worryingly, the same hack could be carried out on a standard PS/2 keyboard. Maybe it's time to look at cheques again.
2. Microsoft
In the past, Microsoft has taken to advanced security like a duck to volcanic lava, but the company is making serious efforts to engage the community to solve its security problems.
At the conference this year, Microsoft showed its commitment to working with the hacking and IT community. Microsoft code isn't necessarily less secure than any other company's, but its near-monopoly position makes it the number-one target and, with the global cracking community going after it, stern remedies are needed.
This time Microsoft released a new tool that allows IT administrators to scan the hexadecimal code behind its documents, which would let someone with limited technical skill find out whether malware was embedded in one of its files, a favourite method of attackers.
In addition Microsoft reinforced its Exploitability Index, which allows IT managers to manage risk more effectively and decide what areas need addressing more quickly than others.
1. Secure Socket Layer
Secure Socket Layer (SSL) security is now key to the global economy. As researcher Dan Kaminsky put it, SSL is what persuades millions of internet users to hand over their credit card details and engage in e-commerce. That's why his paper on how to crack it was the best attended talk of the show.
Kaminsky and his partners Len Sassaman and Meredith Patterson showed how SSL could be subverted by a 'man in the middle' attack. Another researcher, Moxie Marlinspike, showed another attack vector on the technology, even more elegant than the first. Not surprisingly, both talks were packed out, so much so that every available inch of floor space was taken and people were crowding round the doorways trying to get a look.
Thankfully, the industry has rallied round to deal with the issue, but it was the highlight (or low-light for the security-paranoid) of the show.
-1.jpg&w=100&c=1&s=0)
.png&w=100&c=1&s=0)
