Monday, August 18, 2008

Sorry Charlie...The Cat's Outta the Bag

Last week, in a post entitled "Sorry Charlie...You've Been Hacked", I talked about the two MIT engineering students who were hit with a restraining order preventing them from delivering their talk on the vulnerabilities they found in Boston's subway fare card system.

The Massachusetts Bay Transit Authority took legal action just before the students were going to discuss generating fare cards, reverse-engineering magnetic stripes, and hacking the RFID technology in the cards.

Ironically, the very same presentation, including the sordid details of their hack, ended up leaking (in a prime example of how things sometimes don't work out the way you envision them) through the very same public court filings the MBTA submitted in an effort to keep it sequestered. Here are the presentation slides.

Now, I'm no techie/tekkie? (see, I don't even know how to spell it), but I know a little bit about magnetic stripes and RFID, and I found the presentation to be most interesting, so take a look if you wish. I don't know how long the slides will be up there.

In a related matter, now that Defcon 16 has come and gone, I thought I'd share this story from DarkReading.com talking a little bit about the event:


All it takes is one look at the Defcon 16 hackable attendee badge to understand the difference between the world’s largest hacker convention and other security conferences.

The hard plastic badge includes its own microprocessor, SD card slot, USB ports, and an LED that can remotely turn off a TV. Defcon attendees could use their badge to hack other people's badges or just wear it as bling. It's such a hot item that on the first day of the Las Vegas show, the conference session rooms nearly emptied when it was announced that the badges had finally arrived at the registration desk after a shipment delay that morning.

While Defcon and its sister conference Black Hat USA share some of the same organizers, themes, and research hacks, Defcon's emphasis on hands-on hacking and its hardcore hacker culture set it apart. Defcon 16 featured multiple hacking contests, including one run by seasoned hackers who set traps and challenges for the masses trying to infiltrate a server, phone phreaking, and a $5,000 prize for being the last person left awake (and aware) after sitting through 30 hours of vendor pitches.


Interestingly, one of the more compelling research presentations never saw the light of day at Defcon: The MIT Charlie Card, Massachusetts Bay Transit Authority WarCarting Presentation (see picture on right for what it takes to "warcart").


And for hackers or penetration testers who were feeling a little stagnated in their work, or who are operating on more of a shoestring budget these days, researchers from Errata Security shared some tricks of the trade they have come up with for doing more (hacking) with less. (See 'Bringing Sexy Back' to Hacking.)

Errata’s Robert Graham and David Maynor outfitted an Apple iPhone with WiFi-sniffing tools that they FedEx to their clients’ sites to conduct remote WiFi security audits. They may even up the ante by adding fuzzing and the Metasploit hacking tool to the iPhone as well for more advanced remote penetration tests.

A former Federal Trade Commission (FTC) official gave Defcon attendees tips for what to do (and not to do) after suffering a security breach, as well as how to make nice with law enforcement, which can smooth the way for that day when you have to go public about a breach your organization has suffered. (See What to Do After a Breach.)

Kelly Jackson Higgins, Senior Editor, Dark Reading
