navSEO

Erin Conroy

Last Updated: Nov 11, 2010

Barnaby Jack gives a demonstration on how automated teller machines can be hacked or “jackpotted”.

Ravindranath K / The National

ABU DHABI // With a one-fits-all master key he bought online for a few dollars, Barnaby Jack unlocked the panel of an ATM, plugged in a USB stick and uploaded his own firmware.

The screen displayed four lucky 7s and the word “jackpot”, then spat out the cash.

The “walk-up”, as he called it, was done onstage at the annual hackers conference, Black Hat, being held this year in Abu Dhabi.

Mr Jack, the director of security research for IOActive, was one of the code-savvy technicians exposing vulnerabilities in everything from mobile phones to software for sewer system infrastructure.

Not only was he able to pull cash from an ATM on the spot in less than a minute, Mr Jack was also able to control a similar machine remotely and extract details from its settings.

He could read the banknote count, for example, and the address of specific ATMs that would be printed on receipts, so that someone could be standing at the ATM location at the moment he told it to dispense money.

He could even command its camera to shut off or change the image. “Elvis could be robbing the ATM for all they know,” he said.

Of course, he uses the software he developed only to identify gaps in security and help ATM manufacturers to develop countermeasures.

The two companies he works with have already implemented changes, although there are still a few hundred thousand machines in retail stores with remote access enabled by default. Store owners either did not know how to disable the function or did not bother to, he said.

While bank ATMs were more sophisticated, he said, they were still hackable.

“For years, nobody had really looked at ATM software security, so when I first did this it was a bit of a wake-up call to these guys,” said Mr Jack, who is from New Zealand but lives in San Francisco. “Now they’ve taken a proactive stance.”

Another presenter at the conference showed how a mobile phone running Google’s Android operating system could be fully accessed through applications downloaded from malware-laden websites.

Once the software gains the privilege to download applications on a device remotely, it is able to gain further permission for scrolling through contacts and messages, said Nils, who works for MWR InfoSecurity and goes only by his first name. It can even enable the microphone to record a conversation while the phone is in someone’s pocket.

Although Google fixed the problem in its newest releases, the HTC Legend phone is still susceptible.

“Maybe this demonstration will force them to make the change,” said Nils, who is from Germany. He said he had gone by his first name since he began hacking at the age of 14 to avoid being contacted by “shady people” who were interested in his capabilities.

Jonathan Pollet, the founder of Red Tiger Security, does consulting on Scada systems – vast power grids for industries or infrastructure such as electricity, oil and gas pipelines, and wastewater management systems. He said security maintenance for such systems was often done only once or twice a year, leaving ample opportunity for attacks.

There have been cases of groups stealing control of systems for ransom, or disgruntled employees releasing valves that spilled raw sewage into public spaces.

“You’ll often have either people with inside knowledge, or outside groups looking to make money, who can easily take advantage of the lack of security framework,” he said, adding that Scada firewalls lagged behind other information technology by about five years.

The conference at the Emirates Palace hotel ends today, giving Mr Jack ample time for a fresh challenge in the realm of ATM hacking.

“I haven’t figured out the gold ATM at Emirates Palace yet, but I’m going to see what I can do,” he said.

econroy@thenational.ae

Back to the top

SEO Abu Dhabi, mobile phone, Mr Jack, security

THE PRESENTATIONS at Black Hat might make headlines, but what is important is what the show tells us about the overall state of the IT security industry.

In the years I’ve been covering the show, it has evolved from a motley crew of phreaks, hackers, crackers and security wonks to something that feels more and more like other IT security industry conferences. Black Hat means business now, and the smart IT companies are moving in.

Purists will tell you that Black Hat went to the dogs in 2005, when founder Jeff Moss, known as The Dark Tangent, sold the show to CMP Media. While it’s true that the briefings have suffered, in some ways it’s a sign that the hacking industry is getting old.

I nearly choked on my lunch at the Wednesday press conference when renowned hacker Dan Kaminsky turned up in a suit for possibly the second most historic press conference of his life.

I’m ashamed to say I gave him a little ribbing about it, as did others, but in fact it’s a very positive sign. And he wasnt alone. Moxie Marlinspike was wearing a collar, and a lot of otherwise non-conformists were looking surprisingly dapper.

I was told afterwards that the venture capitalists behind Kaminsky’s new company Recursion Ventures had taken him shopping and enrolled him in a gym. I’m not sure how true that is, but he’s looking good and achieving some great things. DNSSec is something to be very proud of.

“You need the research and the breaking, but it can’t stop there,” said Kaminsky. “You have to work on a fix, get it out there, and then occasionally put on a suit.”

The hacking industry is growing up. The early pioneers are now working out which side they want to go on, and all the gradations in between.

It used to be the dream of every script kiddie that they’d discover a great hack and then be hired by the National Security Agency or a security firm, and spend the rest of their life hacking around in the company of glamorous nymphomaniac spies.

Shows like Chuck perpetuate the myth, but instead the hacking community has got smart.

Just as criminals have realised that malware is much more useful for profit rather than bragging rights, the hacker industry is coming to the conclusion that there’s a better life to be had at solving problems than being sarky.

But this is a two-way street. Companies that used to hoard information like politicians go after directorships are now talking to each other, and shared information offers the best shot at providing long-term security. As many have acknowledged, the criminal hackers have been winning the security wars.

Cisco’s chief security officer John Stewart summed it up perfectly. “We all get together and there aren’t many venues in which we get to do this,” he said,

“On the first-principles effort, we’re largely very interested in the same thing: keeping what we use on a day-to-day basis safe enough for us to use. Research is turning into a profit model.”

For a conference that used to play ‘Spot the Fed’, the idea that a Department of Homeland Security director – even if it was a very poor keynote speech – and an ex-head of the NSA would be giving presentations is a sign of real change.

Now the US Department of Defense is actively recruiting at the show, and all the major security firms are keeping an eye out for hot new talent as well.

Black Hat has lost its hacker edge in the process, though. The critics are right; it’s a corporate affair now. But this is no bad thing. That corporates and government are willing to talk to the experts, rather than engaging in mindless enforcement, can be seen as progress.

This was also the biggest show in Black Hat history. The lunch area hosts over 5,000 people and a second room had to be opened up. That’s a lot of very dedicated people, albeit with plenty of hangers on. However, the overspill of enthusiasts doesn’t stop there.

The Bsides conference, running concurrently with Black Hat, is seen by some as a sideshow, but in fact it’s more a collection of the companies that weren’t big enough to make it onto the main stage. Big doesn’t necessarily mean smart, and the Bsides show looks very interesting.

But Defcon has picked up Black Hat’s mantle. Moss made a very smart move in not selling this conference along with Black Hat and, if companies and enthusiasts want to see what’s really cutting edge, they should head over to that show.

SEO Black Hat, IT security, security, security industry

Black Hat’s Live Video Stream Hacked

Michael Coates, a web security expert at Mozilla, discovered he could access the live stream of the conference, which Black Hat was charging $395, free. Coates notified the third-party company providing the video stream and it was fixed within hours. Coates notes the irony and uses it as teaching point: even the most security aware organizations will still have faults, and enterprises much vet third-party providers.

Spoofing Cell Phone Base Stations

Do employees in your enterprise use cell phones to discuss sensitive matters? Worrying about hackers intercepting your cell phone calls may seem pass, but a demonstration at Defcon by Chris Paget may make you think otherwise: Paget has devised a fake cell phone tower that can intercept even encrypted outgoing calls.

Google Fraught with Malware Risks

At Black Hat, security vendor Barracuda Networks released its Mid-Year Security Report showing that Google links to twice as much malware as Bing, Yahoo! and Twitter combined.

SEO Black Hat, cell phone, DefCon, security