Friday, 22 August 2008

Be Afraid! Be very Afraid!

Posted by: Ian Angell

Be afraid! Be very afraid! Paranoia. That’s what I learned at this year’s back-to-back Black Hat and DefCon conferences in Las Vegas – among the computer world’s premier security events. In the former, hackers line up to tell Chief Security Officers of the latest vulnerabilities in their companies’ computer systems. In the latter, the hackers tell each other of the latest ‘cool’ flaws.

And those vulnerabilities range from the sublime to the ridiculous. Over coffee, a pasty-faced youth in dreadlocks enthused over his discovery that by passing certain sequences of electronic signals into the XXXX chip, he could bypass the security and learn all its secrets. A more soberly dressed pair of presenters told of how a certain banking system contained a very embarrassing flaw. Pay a negative sum of money into another’s bank account, and that amount flows back into yours!

At Black Hat we were invited to access the Internet via a free but hostile wireless network that was ‘aggressively monitored.’ If they managed to hack into your system then you were shamed with your name placed on the ‘Wall of Sheep.’ It was a long list. A coward, I used a wired network, but as it turned out that too got hacked!

The talks listed vulnerabilities in system after system, many I had never heard of. But not hearing of them was no comfort – they were all deeply embedded, fundamental parts of the computer systems I use every day, or in the banking system that holds my hard-earned money, or in prescription drug dispensing systems, or in heart pacemakers, or in Radio Frequency Identification (RFID) cards and similar chips. Think of the recent problems with Oyster cards. And it’s not just malicious attacks on such systems – the intrinsic and ever-increasing complexity means that cack-handed attempts at correcting the faults can be just as devastating. It’s not just TfL who has problems. As I am writing, the Massachusetts Bay Transit Authority is seeking a restraining order to gag three students from MIT talking at DefCon.

Everyone is in denial. I was being told that every system is compromised, from top to bottom - from the most sophisticated software layer to the lowest level of electronic activity. It seems that only the threat of legitimate violence by the state against troublemakers was keeping the show on the road. Attending the ‘Meet the Feds’ panel was a must, but I failed to get in.

Crowds of Hell’s Angels, goths, tattooed mohawks in tartan, multiple body-piercings, adolescent geeks and pony-tailed denim-clad pensioners had already crammed the room. Exasperated fire marshals ushered the excess audience away into other more esoteric presentations, normally the reserve of smug in-crowds. No matter, the chief Fed thoughtfully wore a big sheriff’s star on his chest, and was happy to talk later with all who approached him … although his miserable message was of a tidal wave of security threats.

Be afraid! Be very afraid! I’m seriously considering abandoning the Internet, and taking up knitting.
