Computer security is a famously murky world that tends to generate alarmist headlines, like the ones about Apple’s vulnerabilities from last week. Defcon 2009 has just finished, and lived up to this reputation in many surprising ways. We’ve rounded up some of the best, worst, and most interesting bits of news.
Closing Down the FAA
Righter Kunkel, a computer security expert and pilot who spoke at the conference, delivered some very scary news to the FAA and, indeed, to nervous fliers the world over. According to Kunkel, the FAA’s network is extremely vulnerable to a denial of service attack. And, unlike some computer network vulnerabilities, which require devious coding and clever implementations, it seems that gaining access to the FAA’s network is terrifyingly simple.
Assume you’re a hacker with malicious intent. You first have to get a fake ID, and use that to get a flying-fitness medical certificate. With this, you’d obtain a student pilot’s certificate number, and thus gain access to the FAA’s flight plan submission system (a legal requirement for flights within the U.S.). Then, since you’re now a trusted member, you issue such a deluge of fake flight plans that the system is overloaded and stops working.
Kunkel held back some of the details, of course: he has no wish to bring down the system and endanger lives. Instead, he hopes that the exploits he revealed, which could seriously damage flying operations in the country, will get the FAA to perk up its network security.
Hacking the iPhone
The iPhone, as a seriously hot piece of tech magic, basically generates its own PR now…but last week it gathered some bad news. Just like any other smartphone out there, it’s vulnerable to attack, and a malicious hacker could seriously screw with your life using a technique revealed by Charlie Miller and Collin Mulliner. VentureBeat’s Dean Takahashi spoke to Miller at Defcon, and got him to spill the beans on the SMS-based iPhone hack he uncovered.
The interesting things Miller revealed here include the fact that the attack could flood a cellphone network with so many SMS messages that it could affect the phone for an extended period, as the network catches up with the SMS backlog. And there’s the amazing bit of news that it only took a week to expose the vulnerability, and just two and a half weeks to write the exploit. Yet it took six weeks for Apple to respond. That’s good news in the end, because this exploit is nastier than many other smartphone hacks: it gives a hacker root access to the phone, and requires no input from the user to activate.
And let’s not forget Miller’s throwaway line: “Windows is actually really hard to break, and Mac is a lot easier.”
Trusted Security System Gets Itself Hacked
One of the ways Web sites and users protect themselves against hack attacks is by the use of Secure Sockets Layer certificates. It’s SSL that’s in play whenever your browser displays a little padlocked sign when you log in at your bank, for example. It works by exchanging pre-verified data certificates that a company has to buy so that the in-browser security recognizes the site as legitimate.
Three different hackers–Moxie Marlinspike, Dan Kaminsky, and Len Sassaman–revealed serious flaws in the SSL system that would let a hacker eavesdrop on your Web-based dealings with your bank, steal credit card numbers and private data, and even hijack a PC’s auto-update system to automatically install malware.
It’s pretty serious stuff, since SSL is supposed to protect users, not expose them to risk. There’s one mitigating factor: The hacker has to gain access to your network to enable the hack. But, assuming a hacker is determined, it’s apparently not all that sophisticated to turn on the hack (which centers on how browsers interpret null characters in SSL certificates).
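To make the null-character problem concrete, here is an added illustration that is not part of the original article or the researchers' code: certificate names are stored with an explicit length, so software that reads them as C strings stops at the first null byte and can be shown a different name than the one actually in the certificate. The struct, function names and domains below are assumptions invented for this example.

```c
#include <stdio.h>
#include <string.h>

/* A certificate name as a parser hands it over: raw bytes plus an explicit
 * length. Hypothetical type for this example, not a real library's API. */
struct cert_name {
    const char *data;
    size_t len;
};

/* Constructed sample values; both domains are placeholders. */
static const char raw_nul[] = "bank.example\0.other.example";
const struct cert_name sample_nul = { raw_nul, sizeof raw_nul - 1 };
const struct cert_name sample_ok = { "bank.example", sizeof "bank.example" - 1 };

/* Flawed check: treats the name as a C string, so the comparison stops at
 * the first null byte and never sees the rest of the name. */
int match_cstring(const struct cert_name *cn, const char *host)
{
    return strcmp(cn->data, host) == 0;
}

/* Hardened check: refuse any name containing a null byte, then compare
 * over the full declared length. Case folding and wildcards are left out. */
int match_length_aware(const struct cert_name *cn, const char *host)
{
    if (memchr(cn->data, '\0', cn->len) != NULL)
        return 0;
    return cn->len == strlen(host) && memcmp(cn->data, host, cn->len) == 0;
}

int main(void)
{
    const char *host = "bank.example";
    printf("name with embedded null: c-string=%d length-aware=%d\n",
           match_cstring(&sample_nul, host), match_length_aware(&sample_nul, host));
    printf("ordinary name:           c-string=%d length-aware=%d\n",
           match_cstring(&sample_ok, host), match_length_aware(&sample_ok, host));
    return 0;
}
```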
Defcon Attendees Get Hacked
Details on this one are a little fuzzy, but it looks like some people attending Defcon may have ended up the victims of a scam themselves, and it’s an absolute classic: The fake ATM unit. Apparently installed for an unknown interval, the entirely false box was situated in a “security blackspot” in the nearby Riviera Hotel’s casino. It had a PC inside, and presumably was being used to skim people’s cards and PIN numbers. It was an entirely unbranded unit, and that’s what gave it away–an unnamed Defcon attendee noticed its LED was the wrong color, and the plexiglass screen was too dark.
That’s an impressive level of detail to notice, but perhaps not surprising given that attention to detail is the meat and drink of computer hackers. The machine is now in the police’s hands.
North Korea Hacks Defcon?
Perhaps the strangest, or most worrisome, news from the entire conference: Four South Korean journalists were ejected from the proceedings because it seems they weren’t journalists at all. In fact, three of them may even have been on an “intelligence gathering” mission. They were, in effect, spies.
The alarm was raised by several attendee hackers, who noted that the interviews the group conducted involved “inappropriate” questions that were out of keeping with normal journalistic investigation of a story. They attended one day of the Defcon Black Hat hacking conference before being rumbled and then ejected.
Defcon organizers report that this is no surprise. They’ve caught members from Mossad there before. Korea, of course, is of particular interest at the moment thanks to rumors of North Korean hackers’ involvement in recent denial of service and data theft attacks on both South Korean and U.S. government Web sites. Though it’s a leap of faith, it’s not too hard to imagine that the party removed from Defcon was in some way connected with North Korean interests, rather than Southern ones.