Tuesday, July 22, 2008
Hacking with no technology - Last HOPE to become Next HOPE
The typical image of a hacker is a kid hunched over his keyboard in the wee hours of the night staring at commands on his computer screen that unlock the secrets of the national government.
But, according to someone who knows better, the woman sitting next to you in the airport or Starbucks fiddling with her digital camera while you work on your company's confidential sales data could be just as dangerous.
Security researcher Johnny Long speaks at Last HOPE.
(Credit: Elinor Mills)
One of the more fascinating talks at the Last HOPE hacker conference this weekend was by Johnny Long, a security researcher who hacks, writes books on hacking, and founded Hackers for Charity, which helps children and others in underdeveloped countries.
On Sunday evening, he told about an epiphany he had when he and a friend were thwarted in their attempts to get into a highly secured building. Long was ready to give up. But his friend had another plan. He got a coat hanger and a rag and proceeded to break the window in the door. He then reached in with the straightened coat hanger, pushed the rag against the door's touch bar, and the door opened.
"What he had done was defeat this multimillion-dollar security system with trash," Long said. "The touch bar doesn't know the difference between a wet wash cloth and a hand."
The message? "There's a lot of room for...solving problems in simple ways," he said.
Some of those simple ways to get access to supposedly secured systems, such as buildings or computer networks, without using technology include: shoulder surfing, which is viewing exposed information on computer screens; dumpster diving; and if you can't get in the front door, trying the smoker entrance where you'll be less likely to be interrogated.
Long showed photos of laptop screens he had managed to photograph in airports and other public places where executives and military officials were casually but unwittingly revealing confidential and sensitive information to anyone within a few feet. Based on his ample photographic evidence, it's clear that nobody tries to hide which buttons they push on keypad-secured doors, even at the airport's TSA room.
You have to wonder, if Long could snoop so easily, what someone who is actually targeting a specific source could get at.
He showed photos of ATMs, grocery store check-outs and other public kiosks displaying error messages or sitting in some other state that suggested they could be easily compromised.
Long also talked about how easy it is to "sniff" a hotel's billing and room entertainment network over the cable system and view other people's room charges and activities, such as porn surfing, logging into banking accounts, and e-mail communications.
Then there are what he called the "Jedi wave" and "fed blend" techniques of getting past security guards and mingling with federal officials by wearing a fake badge and just acting like you belong.
Blending in is the key to getting access, he said. Wearing a uniform will get you in anywhere, and telephone repair, FedEx delivery, and other uniforms are readily available on eBay and other sites.
Last HOPE to become Next HOPE
In case you were worried, HOPE is not dead.
(Credit: Last HOPE)
Just as hackers experiment with technology, push boundaries, and subvert the concepts of what it means to be safe and secure, the organizers of the HOPE (Hackers on Planet Earth) conference have had some fun of their own.
Despite calling the event this weekend "Last HOPE," it won't be the final one; just the most recent one, organizer Emmanuel Goldstein told attendees at the closing ceremonies Sunday night.
There will be another one in two years. It will be called "Next HOPE," he said.
That was good news for the approximately 3,000 attendees of this year's confab, which was the seventh since 1994.
Word of plans to tear down the 90-year-old venue, Hotel Pennsylvania, together with Goldstein's choice of name for this year's conference and its funereal theme, had many in the community wondering if this was the event's swan song.
Goldstein has a predilection for wordplay--previous names were Beyond HOPE, H2K in 2000, and H2K2 in 2002.