Department of Defense tries to court hackers

Las Vegas, Nevada (CNN) -- Dear hackers: The U.S. government wants you.

Or, at the very least, the Department of Defense's research wing wants to pay you to help it block cyber threats, a project manager at the Defense Advanced Research Projects Agency said Thursday.

Former hacker Peiter Zatko announced the start of a fund-the-hackers program, called Cyber Fast Track, in a keynote talk at the Black Hat conference, which is aimed at hackers and computer security experts. The program began officially late Wednesday, he said.

Experts say the government has done a lousy job in the past of getting money to security researchers quickly enough for them to actually help mitigate cyber threats. Or the feds have avoided dealing with hackers entirely.

"One of the ways I see fixing it is bridging the gap between the government and the hacker community," said Zatko, who goes by the handle "Mudge."

By "hacker," he doesn't mean criminal. He's referring to people who try to break computer systems with the goal of making them more secure. These people are sometimes referred to in the security industry as "white hats," as opposed to nefarious "black hats."

"We have all sorts of other criminals, be it in politics or finance, and those elements may be bigger than the criminal element in the hacker community," he said.

Other wings of the government appear to be courting the hacker community as well. The Federal Bureau of Investigation and the Internal Revenue Service both have booths set up on the expo floor here at Caesars Palace. Federal agents are so commonplace at this hacker conference -- and at another, called DEF CON, which happens later this week -- that some of the hackers have held a "Spot the Fed" contest, with T-shirts as prizes.

Law enforcement and hackers don't always play well in these arenas. Speakers at past Black Hat and DEF CON conferences have been threatened with injunctions aimed at stopping them from explaining how to hack into certain systems.

The hackers say they're making public such exploits for the public's own good. If they can find the bugs, then bad guys who want to steal information and make money could, too.

In an interview after his talk, Zatko declined to say how much money DARPA will put into the new program, or how big the individual grants will be.

The goal is to fund independent security researchers, who currently do much of their work on nights and weekends without pay, in hopes that they will help make the Internet safer.

One of those hacker-researchers is Dino Dai Zovi, who says his girlfriend gets annoyed that he spends almost all of his free time on his computer.

"Look at the bags under my eyes -- I never stop working," he said.

Dai Zovi said the DARPA program will help hackers actually get paid for their work.

The stakes for the new program are also high.

Zatko, the hacker-turned-DARPA official, said the number of malware attacks continues to increase even as government agencies spend more money to stop them.

In 2000, he said, there were about 1,400 "incidents of malicious cyber activity." Nine years later, that number had jumped to more than 71,000.

Current computer systems are needlessly complicated, he said, which leaves them more open to malicious hacking. He suggested that researchers work, for example, to simplify Microsoft Word with its list of 3,000 fonts and many potential exploits.

Zatko, whose notable life as a hacker has been the inspiration for fictional characters, said he's trying to change how the government works from the inside.

"I hope the old Mudge of 1999 is looking at the current Mudge of 2011 and saying, 'Yeah, you're wearing a pocket square and you don't have long hair,'" he said, "'but, yeah, you're still remaining true to the cause.'"

'Shady RAT' hacking claims overblown, say security firms

Computerworld - Two security companies are questioning claims that a cyber espionage campaign uncovered by a rival firm was sophisticated or even extraordinary.

On Tuesday, antivirus vendor McAfee described a five-year hacker operation that infiltrated more than 70 U.S. and foreign government agencies, defense contractors and international organizations to plant malware that in some cases hid on networks for years.

In its report, McAfee said it was "surprised by the enormous diversity of the victim organizations" and "taken aback by the audacity of the perpetrators."

News stories about the report seized on the word "unprecedented" in the McAfee report to characterize the scale of the intrusions.

"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth," said McAfee, referring to the now-nearly-constant attacks on Western companies and organizations by campaigns like Shady RAT.

Moscow-based Kaspersky Lab on Thursday begged to differ, saying that McAfee has simply not provided enough information to justify the claims being bandied about.

"The report contains nothing on what particular data has been stolen or how many computers in each organization were hit by the attacks," said Alex Gostev, Kaspersky's chief security expert, in an emailed statement. "Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyber attack in history is premature."

Although McAfee's report on what it dubbed "Operation Shady RAT" was filled with details -- it noted how long the malware had remained hidden on each of the 72 victims, and provided a timeline on the various compromises -- it did not, in fact, explicitly claim that data had been stolen.

Other security researchers have chimed in as well to rebut claims that the Shady RAT attacks were sophisticated or even out of the ordinary.

"Is the attack described in Operation Shady RAT a truly advanced persistent threat?" asked Symantec researcher Hon Lau in a Thursday blog post. "I would contend that it isn't."

Advanced persistent threat, or APT, is the term that's been widely used to describe targeted attacks against specific companies or organizations that try to burrow into a computer network and pillage information.

The word "advanced" is a misnomer, said Lau in a write-up of Symantec's own analysis of Shady RAT, which filled in many of the details omitted by McAfee, including the type of malware involved, the techniques hackers used to plant their attack code on PCs and the exploits they used.

Lau popped the "advanced" balloon by citing the sloppiness of the attackers, who left their own command-and-control (C&C) servers open to probing, and for their use of "relatively non-sophisticated malware and techniques."

DIY Spy Drone Sniffs Wi-Fi, Intercepts Phone Calls

LAS VEGAS — What do you do when the target you’re spying on slips behind his home-security gates and beyond your reach?

Launch your personal, specially equipped WASP drone — short for Wireless Aerial Surveillance Platform — to fly overhead and sniff his Wi-Fi network, intercept his cellphone calls, or launch denial-of-service attacks with jamming signals.

These are just a few of the uses of the unmanned aerial vehicle that security researchers Mike Tassey and Richard Perkins demonstrated at the Black Hat security conference here Wednesday.

At a cost of about $6,000, the two converted a surplus FMQ-117B U.S. Army target drone into their personal remote-controlled spy plane, complete with Wi-Fi and hacking tools, such as an IMSI catcher and antenna to spoof a GSM cell tower and intercept calls. It also had a network-sniffing tool and a dictionary of 340 million words for brute-forcing network passwords.

The GSM hack was inspired by a talk given at last year’s DefCon hacker conference by Chris Paget, who showed how to create a cellphone base station that tricks nearby handsets into routing their outbound calls through it instead of through commercial cell towers.

That routing allows someone to intercept even encrypted calls in the clear. The device tricks phones into disabling encryption, and records call details and content before they’re routed to their intended receiver through voice-over-internet protocol or redirected to anywhere else the hacker wants to send them.

The drone takes that concept and gives it flight. The plane weighs 14 pounds and is 6 feet long. Per FAA regulations, it can legally fly only under 400 feet and within line of sight. But the height is sufficient to quiet any noise the drone might produce, which the researchers said is minimal, and still allow the plane to circle overhead unobtrusively.

It can be programmed with GPS coordinates and Google maps to fly a predetermined course, but requires remote control help to take off and land.

The two security researchers created the spy plane as a proof of concept to show what criminals, terrorists and others might also soon be using for their nefarious activities.

Tassey, a security consultant to Wall Street and the U.S. intelligence community, told the conference crowd that if the two of them could think up and build a personal spy drone, others were likely already thinking about it, too.

The spy drones have multiple uses, both good and bad. Hackers could use them to fly above corporations to steal intellectual property and other data from a network, as well as launch denial-of-service or man-in-the-middle attacks. They could also transmit a cellphone jamming signal to frustrate an enemy’s communications.

“It’s hard to keep something that’s flying from getting over your facility,” Tassey said.

A drone could also be used to single out a target, using the target’s cellphone to identify him in a crowd, and then follow his movements. And it would be handy for drug smuggling, or for terrorists to trigger a dirty bomb.

But the drones don’t just have malicious uses. The researchers point out that they would be great for providing emergency cellular access to regions hit by a disaster.

The drones could also be outfitted with infrared cameras and shape-recognition technology to run search-and-rescue missions for lost hikers. The military could use them for electronic countermeasures to jam enemy signals or as communication relays flown over remote areas to allow soldiers on two sides of a mountain, for example, to communicate.

“You don’t need a PhD from MIT to do this,” Perkins said.

Honda recalls 2.5m cars over auto bearing bust-up

Honda has been forced to recall several of the models in its range, including the 2005-2010 Accord, across the US, China and elsewhere after issues with the automatic transmission that could see the engine cut out unexpectedly. Although Honda says neither injuries nor deaths have been caused by the issue, it will nonetheless be forced to bring 2.49m vehicles in and reprogram the transmission control module so as to be more gentle with the gears.

The issue, Honda says, can occur when drivers quickly shift between reverse, neutral and drive, something that could take place if the car is stuck in grass or mud as the owner attempts to rock themselves out. That frequent changing can damage the automatic transmission secondary shaft bearing, prompting difficulties engaging park or, potentially more dangerous, leaving the engine prone to stalling.

Approximately 1.5m of the affected cars are in the US, while 760,515 are in China. In the US, certain 2005-2010 4-cylinder Accord, 2007-2010 CR-V and 2005-2008 Element vehicles will be brought back in; select Odyssey and Spirior models are also at risk. Owners can check their car’s status against the recall.

Your face -- and the Web -- can tell everything about you

By Bob Sullivan

Imagine being able to sit down in a bar, snap a few photos of people and quickly learn who they are, who their friends are, where they live, what kind of music they like ... even predict their Social Security number.

Now, imagine you could visit one of those anonymous online dating sites and quickly identify nearly every person there, just from their photos, despite efforts to keep their online romance search a secret.

Such technology is so creepy that it was developed, and withheld, by Google — the one initiative that Google deemed too dangerous to release to the world, according to former CEO Eric Schmidt.

Too late, says Carnegie Mellon University researcher Alessandro Acquisti.

"That genie is already out of the bottle," he said Thursday, shortly before a presentation at the annual Las Vegas Black Hat hackers' convention that's sure to trouble online daters, bar hoppers and anyone who ever walks down the street.

Using off-the-shelf facial recognition software and simple Internet data mining techniques, Acquisti says he's proven that most people can now be identified simply through a photograph of their face — and anyone can do the sleuthing. In other words, our faces have become our identities, and there is little hope of remaining anonymous in a world where billions of photographs are taken and posted online every month.

"If we were able to do it, anyone is able to do it," Acquisti said. “The goal here is not to generate fear, but we are very close to a point where the convergence of technologies will make it possible for online and offline data to blend seamlessly ... and for strangers on the street to predict certain information about you from your picture."

With some 2.5 billion photos per month posted to Facebook, odds are very good that you can be recognized, he said.

"For most of us, there is already a photo of us online. It is close to impossible to take this data back," he said.

Using the unnerving term "augmented reality," Acquisti conjures up disturbing scenarios that involve law enforcement officials, marketers and other strangers constantly marrying offline and online data. Observers could overlay detailed information like political affiliation on pictures of crowds at protests, for example, creating a scary new form of crowd control, he suggested. Meanwhile, facial images could succeed in creating a national ID where enhancements to driver’s licenses have repeatedly failed, said Acquisti in his report, titled “Privacy in the Age of Augmented Reality.”

“Notwithstanding Americans' resistance to a Real ID infrastructure, as consumers of social networks we have consented to a de facto Real ID that markets and information technology, rather than government and regulation, have created,” it said.
