How do you dump the firmware from a "secure" voting machine? With a $15 open source hardware board

One of the highlights of this year's Defcon conference in Vegas was the Voting Machine Hacking Village, where security researchers tore apart the "secure" voting machines America trusts its democracy to.

After Defcon, the FBI arrested the UK national who stopped Wannacry

Update: Here is the indictment. Hutchins is accused of making and selling a keylogger called the "Kronos banking trojan."

Marcus Hutchins is the 23 year old security researcher behind the @MalwareTechBlog Twitter account; he's the guy who figured out that the Wannacry worm had an accidental killswitch built in and then triggered it, stopping the ransomware epidemic in its tracks.

Reidentification attack reveals German judge's porn-browsing habits

In their Defcon 25 presentation, "Dark Data", journalist Svea Eckert and data scientist Andreas Dewes described how easy it was to get a massive trove of "anonymized" browsing habits (collected by browser plugins) and then re-identify the people in the data-set, discovering (among other things), the porn-browsing habits of a German judge and the medication regime of a German MP.

Defcon vote-hacking village shows that "secure" voting machines can be broken in minutes

Since the 2000 Bush-Gore election crisis and the hanging-chad controversy, voting machine vendors have been offering touchscreen voting machines as a solution to America's voting woes -- and security researchers have been pointing out that the products on offer were seriously, gravely defective.

See you at Defcon this weekend!

I'm making the final(ish*) stop of my Walkaway tour at Defcon this weekend in Las Vegas, giving a speech on Saturday in Track 2 at 10AM called "$BIGNUM steps forward, $TRUMPNUM steps back: how can we tell if we're winning?", followed by a book-signing at the No Starch Press table in the exhibitors' hall.

Defcon's hotel business-center won't print from links or USBs

Defcon, the hacker and security conference, is coming to Caesar's Palace this weekend (I'm speaking!), and that means that the hotel needs to start thinking hard about the security of its systems, likely to be targeted both in earnest (by people who want to spy on attendees) and in jest (by attendees who want to prank their fellows by announcing that they've compromised everyone's systems).

Security researchers: EFF's got your back at this summer's technical conferences

Are you a security researcher planning to present at Black Hat, Defcon, B-Sides or any of this summer's security events? Are you worried a big corporation or the government might attack you for revealing true facts about the defects in the security systems we entrust with our safety, privacy and health?

Proof-of-concept ransomware for smart thermostats demoed at Defcon

Last week, Andrew Tierney and Ken Munro from Pen Test Partners demoed their proof-of-concept ransomware for smart thermostats, which relies on users being tricked into downloading malware that then roots the device and locks the user out while displaying a demand for one bitcoin.

1 billion computer monitors vulnerable to undetectable firmware attacks

A team led by Ang Cui -- the guy who showed how he could take over your LAN by sending a print-job to your printer -- has presented research at Defcon, showing that malware on your computer can poison your monitor's firmware, creating nearly undetectable malware implants that can trick users by displaying fake information, and spy on the information being sent to the screen.

Airport lounges will let anyone in, provided you can fake a QR code

When computer security expert and hardcore traveller Przemek Jaroszewski found that he couldn't enter an airline lounge in Warsaw because the automated reader mistakenly rejected his boarding card, he wrote a 600-line Javascript program that generated a QR code for "Batholemew Simpson," a business-class traveller on a flight departing that day.

Researchers find over 100 spying Tor nodes that attempt to compromise darknet sites

When it comes to accessing public websites, Tor has an intrinsic security problem: though the nodes between your computer and the public internet are unable to see where the traffic is coming from or going to, the final hop in the network (known as an exit node) gets to know what webserver you are connecting to.

Come see me at Defcon!

I'm speaking at Defcon this weekend in Las Vegas: my talk, "Fighting Back in the War on General Purpose Computers," is tomorrow (Friday) at 11AM in track 3, followed immediately by a signing at the No Starch Press table in the Champagne Ballroom at the Paris hotel.

Decrypting EFF's DEFCON crypto-challenge tee

For this year's DEFCON conference, the Electronic Frontier Foundation released an encryption-puzzle t-shirt (with glow-in-the-dark clues!) designed by EFF Senior Designer Hugh D'Andrade and Staff Technologist Micah Lee. The puzzle was fiendishly clever and made for a beautiful tee, and now it has been cracked by some of DEFCON's intrepid attendees, the first ten of whom stand to win a beautiful, limited edition, signed print.

Ethical questions for security experts

Alex Stamos's Defcon 21 presentation "The White Hat’s Dilemma" is a compelling and fascinating look at the ethical issues associated with information security work in the era of mass surveillance, cyberwar, and high-tech extortion and crime.

Attacking the popular Kwikset lock: open in 15 seconds with a screwdriver and a paper clip

Kwikset makes an incredibly popular line of reprogrammable locks that can be easily re-keyed, meaning that landlords don't have to physically change the locks when their tenants move out. Kwikset boasts that their locks are extremely secure, but Marc Weber Tobias and Toby Bluzmanis will present six Kwikset vulnerabilities at DEFCON; their demo includes an attack that opens the lock "in 15 seconds with a screwdriver and a paper clip." Tobias and Bluzmanis have spoken to Kwikset technicians about this, and in recorded conversations, the Kwikset employees insisted that the product was secure, something that can't be taken seriously if you've seen Bluzmanis and Tobias work on them.

PIN-punching $200 robot can brute force every Android numeric screen-password in 19 hours

Justin Engler and Paul Vines will demo a robot called the Robotic Reconfigurable Button Basher (R2B2) at Defcon; it can work its way through every numeric screen-lock Android password in 19 hours. They built it for less than $200, including the 3D printed parts. It doesn't work on screen-patterns (they're working on that) nor on iOS devices (which exponentially increase the lockout times between unsuccessful password attempts). They're also whomping up new versions that can simulate screen-taps with electrodes, which will run much faster. They're also working on versions that can work against hotel-room safes, ATMs, and other PIN-pad devices. It's a good argument for a longer PIN (six-digit PINs take 80 days to crack), and for using robust and random PINs (26% of users use one of 20 PINs).

Defcon de-invites the spooks

Defcon is an astounding hacker convention held annually in Las Vegas, and is known as an extraordinary environment in which spooks and hackers mix freely -- last year, the head of the NSA gave a keynote in which he called for cooperation between security professionals and America's spies. That cooperation is being paused, and may be coming to an end. In "Feds, we need some time apart," a posting on the Defcon site, The Dark Tangent (AKA Jeff Moss -- Defcon's owner and hacker-in-chief) says:

For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.

When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a "time-out" and not attend DEF CON this year.

This will give everybody time to think about how we got here, and what comes next.
