When hackers and their foes share the stage

LAS VEGAS - Even the ATMs were suspect at this year's DefCon conference, an annual meeting where hackers play intrusion games at the bleeding edge of computer security.

With some of the world's best digital break-in artists pecking away at their laptops, even sending e-mails or answering cellphones seemed risky at the hackers convention last weekend.

DefCon is a no man's land where customary adversaries - federal agents and digital mavericks - are supposed to share ideas about making the Internet safer. But it is really a showcase for flexing hacker muscle.

At the 13th annual meeting this year, hot topics included a demonstration of how easy it may be to attack supposedly foolproof biometric safeguards, which determine a person's identity by scanning things like thumb prints, irises and voice patterns.

Banks, supermarkets and even some airports have begun to rely on such systems, but one security specialist, who goes by the name Zamboni, challenged hackers to bypass biometrics by attacking their back-end systems networks.

"Attack it like you would Microsoft or Linux," he advised.

Radio frequency identification tags that send wireless signals and that are used to track a growing list of items, including retail merchandise, animals and U.S. military shipments, also came under scrutiny.

A group of participants climbed onto the hotel roof to demonstrate that these tags can be read from a distance of as much as 69 feet, or 21 meters. The tags have been proposed for things like U.S. passports, prompting fears that kidnappers could read the tags from a distance - as the demonstration confirmed - to pick Americans out of a crowd.

Tag manufacturers had maintained that the signals did not reach more than 20 feet, said John Hering, one of the founders of Flexilis, the company that conducted the experiment.

"Our goal is to raise awareness," said Hering, who is 22. "Our hope is to spawn other research so that people will move to secure this technology before it becomes a problem."

Erik Michielsen, an analyst at ABI Research, chuckled at the Flexilis claims.

"These are great questions that need to be raised," he said, but radio frequency identification technology varies with the application and is often encrypted. Encryption technology scrambles data to make it unreadable to everyone except the recipient.

Also at the conference was Robert Morris, former chief scientist for the National Security Agency, who warned of the vulnerabilities of banks' teller machines, which he predicted would become the next "pot of gold" for hackers.

Morris said thieves had been able to seize people's bank cards and find out their passwords by changing the software in old ATMs bought through eBay for as little as $1,000 and placing the machines in public venues.

Another speaker, Phil Zimmermann, a cryptographer, said the Internet had become a "crime-ridden slum." Both hackers and security experts said security would be better if users were less lazy.

To make their point, they pilfered Internet passwords from convention attendees. Those who had gone to the Internet via the hotel's unsecured wireless system could see their names and part of their passwords scrolling across a huge public screen, dubbed the "Wall of Sheep." Among the exposed "sheep" were an engineer from Cisco Systems, several Apple employees and a Harvard professor.

An annual highlight of the conference is the "Meet the Feds" panel, which this year included representatives from the FBI, the National Security Agency and the Treasury and Defense departments.

Panel members said they would love to hire the "best and brightest" hackers but cautioned that the offer would not be extended to criminals. During the session, Jim Christy, an agent in the Defense Department's Cyber Crime Center, asked the audience to stand.

"If you've never broken the law, sit down," he said. Many sat down immediately, but many others appeared to hesitate before everyone eventually took their seats.

"O.K.," Christy joked, "now we can turn off the cameras."

read the rest here:
http://www.iht.com/articles/2005/08/...ess/hacker.php