2 yrs, $100m buy winning cyber army
Hacker makes mobile snooping affordable

LAS VEGAS, Nevada, Aug 1, (AFP): A computer espionage specialist has laid out blueprints for building a cyber army capable of crashing through US defenses.
Readying an unstoppable Internet invasion would take two years and a total of 100 million dollars, according to Charlie Miller, who spent five years with the US National Security Agency under then-director Michael Hayden.
Now a researcher with Baltimore-based Independent Security Evaluators, Miller on Saturday shared his battle plan with hackers at a DefCon gathering in Las Vegas.
“I pretended North Korea asked me to scope out the job of orchestrating a cyber attack on the United States,” Miller told AFP. “I lay it out as I would do it realistically.”
Miller explained that he had actually been asked by the Cooperative Cyber Defence Centre of Excellence in Estonia to play general in the theoretical attack scenario.
He shared his results at a NATO briefing in that country in June.
“I already knew it was easy, but now I know in detail how easy it would be,” he said. “We are certainly very vulnerable.”
Miller described the 100-million-dollar price tag as a bargain compared to how much money is spent on cyber defense.
He crafted a broad strategy to target smart grids, banks, communications and all other aspects of a nation’s technology infrastructure.
The cyber army would number about a thousand soldiers, ranging from elite computer commandos to basic college-trained geeks, according to the plan.
A key to success was stealthily breaching networks and establishing beachheads in computer systems during the two years before the main cyber invasion.
“Once you give me two years to get set up you are basically screwed,” Miller said. “But, during the two years you have the opportunity to see what is going on and stop it before it gets going.”
Miller determined that single targets, such as stock market or military networks, could be attacked much more economically.
North Korea was used in the war scenario on the premise that it has a tactical advantage in being so behind the technology times that crashing the entire global internet would leave it unscathed.
North Korea was also seen as unconstrained by alliances or friendships with other countries with more to lose in an Internet Armageddon.
“It could be anyone attacking anyone, but North Korea has an advantage,” he said of his winning cyber battle plan.
“Some countries could already be in position. We can choose to limit our dependency on the Internet, which isn’t realistic, or do our best to detect it and use politics to prevent it.”
Miller took solace in the belief that some of the top computer experts needed to execute his plan would likely refuse to cooperate out of patriotism, morality, or plain fear.
“They might be scared you are going to kill them,” Miller said. “It’s a realistic thing to think about.”
National Security Corporation president Mark Harding recalled graduating from officers school in the Navy having completed a thesis on how unprepared the country’s military is for cyber war.
“There are people I know who have indicated they can take the entire Internet down and they can,” Harding said.
“But, they don’t because they believe in doing no damage and not taking anything that isn’t theirs. It’s when you lack a skill set of morality and discipline when you end up on the dark side.”
High-tech locks
A hacker on Saturday brought mobile phone snooping to the modestly financed, showing how to build a call-catching system for about $1,500.
Chris Paget demonstrated his creation for more than a thousand people crammed into a grand room at a DefCon gathering of hackers in Las Vegas, warning them to turn off their phones if they wanted to be spared.
“I can intercept cell phone calls with 1,500 dollars worth of radio gear and a laptop,” Paget said after the talk.
“Your handset thinks I’m your cell phone tower and I get to control your calls. These attacks used to cost millions of dollars, now you can do it for a lot less.”
The gear included an antenna and radio equipment and broadcast a GSM signal that imitated a legitimate telecom service tower, prompting handsets to automatically connect.
A hacker could then pretend to be the telecom service provider, forwarding calls to intended recipients and listening in.
“I can target specific people if I want to spy and I can command only certain types of phones to connect,” Paget said. “An attacker could easily take advantage of this.”
Mobile phone snoops with this gear could snag credit card or account information from calls made to shops or banks. Companies could be staked out in the hope insiders would reveal valuable information during calls.
His creation worked only on mobile phones using the GSM network and not more secure 3G, third generation, networks.
“GSM is broken,” Paget said. “It is up to telecom providers when to shift from GSM to 3G networks. GSM is widely deployed with millions of handsets in use.”
However, someone using a noise generator and a power amplifier could easily jam a 3G network and prompt handsets to resort to GSM systems commonly used as backup systems, according to Paget.
He gestured to a noise generator he bought online for $450 and a power amplifier purchased on the Internet for $400.
“I’m not turning this thing on,” Paget said. “It would knock out pretty much every cell phone there is for most of Las Vegas.”
The system only grabs outgoing calls since it has fooled handsets.
Since the phones have disconnected from real telecom service providers, they are considered gone from the networks and incoming calls are routed directly to voice mail boxes.
There is a way for hackers to use credentials from duped handsets to impersonate the phones to carriers, according to Paget.
His talk was almost scuttled by the US Federal Communications Commission, which reached out to him with concerns about the danger it might pose or statutes it might violate.
“There was so much shenanigans involved making sure I could get on stage,” Paget said after the DefCon briefing. “The good news is that it is all over and I haven’t been arrested.”
Security maverick Marc Tobias showed hackers on Saturday how simple it is to defeat some of the world’s top high-tech locks.
“These locks might be winning awards but they are forgetting the basics,” Tobias said while giving AFP a first-hand look at how to crack several models. “They might be clever, but they aren’t secure.”
A Biolock model 333 designed to scan fingerprints and unlock for chosen people was opened by simply pushing a paper clip into a key slot.
An Amsec ES1014 digital safe was breached by sliding a flat metal file folder hanger through a crack at the edge of the door and pressing an interior button allowing the access code to be reset.
Tobias grew passionate when it came to an award-winning electromagnetic lock made in China for Finland-based iLoq.
The innovative iLoq used the action of a key being pushed into the lock to generate power for electronics that then checked data in a chip on the key to determine whether the user is cleared for access.
Tobias and lock-cracking colleague Tobias Bluzmanis pointed out that the iLoq design counted on a small hook being tripped to reset the devices as a key was removed.
In what they referred to as a viable inside attack possible on locks geared for office settings, someone could borrow a key and shave a tiny bit of metal from the tip and it would no longer catch the iLoq reset hook.
A pocket-sized tool available in US stores for about $60 could be used to grind down the hook in seconds, the men demonstrated.
With either method, the result would be that once a valid key is used to open the iLoq it will yield to any key or even a screw driver stuck in the slot because it remains stuck in the unlocked position.
An audit trail left by a compromised iLoq would stop at the person whose key legitimately opened the lock.
“It is really clever, but it is also very defective,” said Tobias, a longtime advocate for tougher standards in the lock industry.
“Electromechanical locks are more secure if done right. The question is whether the technology is implemented properly.”
The security.org crew opened a Kwikset programmable “smartkey” lock with a key blank, a screw driver and a vice grip tool.
Tobias and his team consistently show up at the annual DefCon gathering in Las Vegas to pop locks with wires, magnets, air, shock, screw drivers and other improvised tools.
Their presentation this year was met with hoots and applause.
Lock-picking holds a natural appeal to hackers, who thrive on bending hardware or software to their wills.
ATM jackpots
Computer security researcher Barnaby Jack jokes that he has resorted to hiding cash under his bed since figuring out how to crack automated teller machines remotely using the Internet.
The New Zealand native on Saturday demonstrated his “ATM jackpotting” discovery for an overflow crowd of hackers during a presentation at the infamous DefCon gathering in Las Vegas.
“You don’t have to go to the ATM at all,” Jack told AFP after briefing fellow software savants. “You can do it from the comfort of your own bedroom.”
Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other “stand-alone” venues in the United States but said the flaw likely exists in machines at banks.
Banks use “remote management” software to monitor and control their ATMs, and Jack used a weakness in that kind of code to take control of machines by way of the Internet.
He found a way to bypass having to submit passwords and serial numbers to access ATMs remotely. Once in the machines, he could command them to spit out cash or transfer funds.
He could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.
“When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position,” Jack said.
“This is the first time anyone has taken the approach of trying to attack the underlying software. It is time to find software defenses rather than hardware defenses.”
Jack did his research on ATMs he bought on the Internet. He also found master keys for stand-alone machines available for purchase online, meaning hackers could walk up and tinker with ATM software, he added.
“We shouldn’t dwell on the walk-up attack, because no physical access is required,” Jack said. “They have a flaw that lets me bypass all authentication on the device on the Internet, and I am the ATM at that stage.”
He didn’t reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.
“I might get my butt in hot water if I released the code,” said the IOActive software security researcher who did the ATM hack “as a hobby.”
“I was careful not to release the keys to the kingdom.”
Jack said he doesn’t know if criminals have exploited the software flaw “in the wild” but that it is tough to be certain.
“It is not an easy attack to replicate but I am not naive enough to think I am the only one who can do it,” Jack said, admitting he has grown wary of ATMs. “I just keep my cash under the bed now, mate.”
Facebook
Hackers are weighing in on the Facebook privacy controversy with creations that help people strengthen privacy or empty profile pages at the world’s leading social networking service.
American Civil Liberties Union (ACLU) technology fellow Chris Conley showed off an arsenal of such applications at the infamous DefCon gathering, which kicked off Friday in Las Vegas.
“They are needed because people don’t have control of their privacy and don’t really understand,” Conley said after the presentation.
“They give people options.”
A program written by Conley displays pictures, posts, or other profile data being accessed by applications at Facebook accounts. People can then see what personal information programs are gleaning from their pages.
News stories about privacy control issues at Facebook may slip people’s minds by the time they sit down at their computers, but Conley’s application grabs their attention with a winning subject — themselves.
“People love to hear about themselves, that is the thing that Facebook is great at,” said Ceren Ercen, who worked briefly for the California company and wore a T-shirt bearing the words “Disgruntled Facebook ex-employee.”
“People don’t have the attention spans to carry over concerns they have to actual Facebook usage.”
Ercen added that during her brief stint at Facebook she had “serious problems” regarding the privacy of users and that she wasn’t alone.
Applications shared by Conley included a software tool that helps people change Facebook privacy settings using simple color coding to demystify the process.
Other programs let people pack up Facebook profile data in order to take it elsewhere or stop the social-networking service getting automated feedback about where members go elsewhere on the Internet.
“The long-term goal is they should become obsolete because Facebook has addressed this in some way,” Conley said. “We would like Facebook to be doing this.”
Conley’s application, available online at dotrights.org, has been used by 150,000 people.
“I think people don’t see the real potential damage of their information going out the door,” a DefCon veteran who asked not to be named said after attending Conley’s presentation.
Facebook this week launched a Web page devoted to staying safe on the Internet.
The “Safety Page” highlights news and initiatives focused on ways people can keep data secure at the social-networking community.
The new page augments a virtual Safety Center that Facebook introduced in April and was based on a “security page” that boasted more than 2.2 million “fans.”
The number of people using Facebook recently topped the 500 million mark, meaning one in every 14 people on the planet has now signed up to the social network.
The launch of the Safety Page came in the wake of demands by the ACLU and other privacy activists and governments that Facebook give users more control over the use of their personal data.
A coalition of privacy groups, in an open letter to Facebook co-founder and chief executive Mark Zuckerberg last month, welcomed the social network’s recent overhaul of its privacy controls but said additional steps were needed.
