Black Hat: Lots of hacks and a patriotic plea

Posted by: admin. Posted on: Aug 6, 2011

Research reveals vulnerability to a key router protocol, as well as threats to critical infrastructure

Celebrating its 15th anniversary, Black Hat this year went beyond technical hacking and entered the realm of politics and patriotism with its choice of keynote speaker Cofer Black, former counterterrorism chief at the CIA, who called on attendees to consider joining government anti-cyberterrorism programs.

 


“My world of terrorism has gone,” says Black, now retired after 28 years in the CIA. “Now it’s your turn.”

Stuxnet has forever changed the face of terrorism and the consequences of cyberattacks, Black says. The sophisticated worm, which took over control mechanisms for centrifuges in Iran’s nuclear refinery and wore them out, had the impact of a physical assault.

“Stuxnet is the Rubicon of our future,” he says. “What had been college pranks cubed and squared has now changed into physical destruction of a national resource. This is huge.”

Black says budding cyber-counterterrorists must be ready to contribute but also ready to encounter decision-makers who are unprepared to accept that cyberattacks are the coming wave.

He says that leading up to 9/11, his CIA group knew a large-scale attack was coming, but not exactly when or where. The group had trouble convincing the Bush administration of its urgency, he says, until the World Trade Center fell. “Men’s minds have difficulty accepting things with which they have no previous experience,” he says.

Black Hat offered a glimpse of the potential power of facial recognition combined with social network data mining to reveal personal information about individuals based solely on a photo of them. The technique calls for linking faces of random individuals to images in databases that contain other information about them and using that information to project Social Security numbers, says Alessandro Acquisti, a professor at Carnegie Mellon University, who presented the research.

He admits the method is far from foolproof but says the individual pieces of technology are developing rapidly and could be ready for use in the real world in the foreseeable future. He is working on projections of how long it will take for the technologies involved to develop to the point of being reliable.

The point, Acquisti says, is to show that a framework of digital surveillance that can go from a person’s image to personal data exists today and will only get better as technologies improve, making privacy more scarce and making surveillance readily available to the masses. “This, I believe and fear, is the future we are walking into,” he says.

Another frightening presentation showed how simple it is to hack devices connected to phone networks, with the most dangerous implication being potential attacks against the control systems in utility networks, power grids and industrial manufacturing plants.

Don Bailey, a consultant with iSec Partners, demonstrated compromising a car alarm via vulnerabilities in phone networks, but made the point that the technique works equally well against Supervisory Control and Data Acquisition (SCADA) systems used in critical infrastructure.
