DefCon Delays Can't Stop the Madness
LAS VEGAS, Aug. 4 -- DefCon, the nation's largest annual hacker conference, is well underway here at the Riveria Hotel and Casino, and as usual there is just far too much to see and do to really take it all in. The conference hit a minor speed bump this morning, after the local fire marshal took her sweet time inspecting the conference setup, pushing back all of the first day's talks by a full two hours. Conspiracy theories abound as to why the con was delayed, but the most oft-uttered explanation is that perhaps the inspector has a general distaste for the type of crowd in attendance here.
There are more plausible explanations: The sheer size of this year's con is enough to make anyone in charge of crowd control blink twice in amazement. This place is completely packed, teeming with at least 6,000 hackers (the conference organizers had 6,000 badges to give out, and they ran out of them shortly after registration began).
I've also heard from several attendees that the hotel's sprinkler system was hacked, as well as the devices that control the elevators. I've not been able to confirm either claim yet, but I'm told that hacking hotel elevators is fairly regular occurence at DefCon and hardly a challenge for this bunch. I rode the elevators early in the day and was perplexed to find the digital floor level indicator displaying the hotel's top floor just after I'd gotten on the lift from the ground floor. Last year, someone hacked into the ATM at the Alexis Park Hotel (the site of the past three DefCons), though I have yet to spot a cash machine anywhere near the main area of the Riviera.
Already, there are dozens of names on the "Wall of Sheep," a running tally of the unsuspecting or foolhardy souls who venture to log in to various unencrypted Web sites over the hotel's wired, wireless or Bluetooth networks. As of 3 p.m. PT Friday I spotted at least five Myspace.com user-account credentials on the wall, as well as user name and password info for someone at networking giant Cisco and another at a Hawaii state government Web site. At the rate the sheep are piling up this year, we are likely to see more than 100 victims listed on the wall.
The conference tracks here have for the most part been fairly solid and largely devoid of half-baked presentations. Defcon speaker Rick Hill -- a security engineer for Reston, Va.-based IT consulting firm Tenacity Solutions Inc. -- showed an innovative method for locating wireless networks using a kit he installed atop a replica of the 1950s research rocket Nike Smoke. In the rocket's nose cone, Hill embedded an Ipaq handheld computer with an attached 802.11b/g wireless card, as well as an onboard computer and a powerful antenna. He tested the rocket in a rural area of Culpeper, Va., shooting the missile up to an altitude of 6,800 feet, with a large parachute allowing the rocket more than six minutes of scanning for wireless networks within a 50-mile radius.
While the entire mission was a success, that particular launch netted only two networks. Hill said the technique showed its promise, but also the method's inherent limitations -- testing such projectiles in densely populated areas would be dangerous (and probably illegal ... Hill had to get clearance from the Federal Aviation Administration, required for any launch higher than 2,000 feet). For anyone interested in additional specifications on this project, I hope to be able to post a copy of his slides here, but for now the file upload tool we're using says it's too large (the PDF is more than 3.4 megabytes).
Collin Mulliner, a member of the Trifinite Group, which researches mobile device security issues, pointed to a number of exploitable flaws he found in wireless handheld Pocket PC phones powered by Windows CE 4.2x that could be used to remotely install software on the phones. You can check out his presentation here.
Jay Beale, a researcher with the security consultancy group Intelgaurdians, gave an entertaining and excellent talk on weaknesses he found while reviewing the firewall that ships with Mac OS X systems. Beale said that while the Mac firewall is not turned on by default, his research showed some pretty big holes in the hacker shield. Beale found that the firewall that comes with Mac OS X Panther does not block simple pings (network probes used to tell whether a host on the network is reachable) or communications sent via the user datagram protocol (UDP).
Unlike the "transmission control protocol" (TCP), which requires a three-way "handshake" between, say, a Web browser and a Web site to ensure that all of the data segments in the request are reliably exchanged, UDP traffic doesn't bother to check whether everything is sent the way it was meant to. While data requests and transfers over UDP do not provide the reliability and ordering guarantees of TCP traffic, such requests are much faster than TCP connections, and such are more ideally suited for data exchanges that demand swiftness, such as streaming media applications and Internet-based telephone conversations, for example.
The firewall that ships with Mac OS X Tiger doesn't block incoming ping or UDP traffic either unless the user clicks on the "advanced" tab of the firewall settings, Beale said. But even users who click on the "block UDP traffic" box in the firewall's advanced settings won't be completely protected, as his research showed that the firewall will still allow UDP traffic as long as it appears to have been generated by either the service that dynamically assigns network addresses to new devices on the network, or comes from a Mac service called Zeroconf (a.k.a "Bonjour"), an OS X feature designed to make it easy for Apple applications and devices like iTunes, wireless cameras and printers to communicate with the system.
The upshot of this weakness, Beale said, is that it is enough for an attacker to mimic the types of network signals sent by devices using these communications channels in order to bypass the OS X firewall and scan a targeted system, whereapon the attacker could learn not only the security update or patch level of the machine, but also the machine's assigned name (which could hold clues as to specific username accounts on the system), as well as which applications are running on the computer.
Beale is perhaps best known as the author of Bastille, a program designed to harden the security of machines running different flavors of the Linux operating system. Beale said that in the next week or so he plans to release a version of Bastille for OS X users. Security Fix will post another entry when Beale finishes work on the tool. More information from his talk is available via these slides that he made available.
Posted by: Anonymous | August 5, 2006 10:43 PM | Report abuse
Posted by: Matt Murphy | August 6, 2006 1:11 AM | Report abuse
Posted by: Adam | August 7, 2006 11:04 AM | Report abuse
Posted by: nous | August 7, 2006 2:13 PM | Report abuse
Posted by: Amazed_at_the_Sheep | August 7, 2006 6:52 PM | Report abuse
Posted by: Adam | August 7, 2006 8:08 PM | Report abuse
Posted by: Mark Odell | August 8, 2006 12:28 PM | Report abuse
The comments to this entry are closed.