TJX Hacker Gives Keynote At 'Offensive' Security Conference

An anonymous reader writes "Two hundred hackers from around the world gathered at a Miami Beach hotel Thursday and Friday for the Infiltrate Security conference, which focuses on systems hacking from the 'offensive' perspective (with slides). In a keynote address, Stephen Watt, who served two years in prison for writing the software used by his friend Alberto Gonzalez to steal millions of credit card numbers from TJX, Hannaford and other retailers, acknowledges he was a 'black hat' but denies that he was directly involved in TJX or any other specific job. Watt says his TCP sniffer logged critical data from a specified range of ports, which was then encrypted and uploaded to a remote server. Brad 'RenderMan' Haines gave a presentation on vulnerabilities of the Air Traffic Control system, including the FAA's 'NextGen' system which apparently carries forward the same weakness of unencrypted, unauthenticated location data passed between airplanes and control towers. Regarding the recent potential exploits publicized by Spanish researcher Hugo Teso, Haines says he pointed out similar to the FAA and its Canadian counterpart a year ago, but received only perfunctory response."

Looked interesting

[MrDoh!]

At that price to go though, yowza. Then again, one of the nicer hotels in Miami, next year if it could be at the doubletree next to the airport, I might be able to afford it.

Offense Hacking?

[TaoPhoenix]

How a group like this doesn't get pulled under by Security Theater is beyond me.

Re: Offense Hacking?

No need they are just monitored by way of FISA

Re:Offense Hacking?

[timholman]

How a group like this doesn't get pulled under by Security Theater is beyond me.

On the contrary, you let groups like this meet and hold their convention. And then you identify, photograph, and monitor every attendee. What better way to get the bad guys to voluntarily reveal themselves?

Governments have been doing this for a long, long time. Read about some of the things that the FBI did under J. Edgar Hoover; it will enlighten you.

Re:Offense Hacking?

[Architect_sasyr]

I'm always surprised about little things - unencrypted communications is actually kind of an obvious thing to do as far as I am concerned. I mean, screw trying to get a mars rover to reconnect because the clock died and the time is out of sync so the SSL is borked. I'd love to hear from someone who built the communications protocols up, to see if they were just lazy, uneducated, or thinking like the above.

Re:Offense Hacking?

Governments have been doing this for a long, long time. Read about some of the things that the FBI did under J. Edgar Hoover; it will enlighten you.

You don't need to go that far back. Look at what then did in response to the Occupy movement.

Re:Offense Hacking?

Because their people attend these conferences too. Governments pay huge amounts of money for exploits. Right behind them are the developer's who's code is being exploited.
Security Theater not only wants these groups to exist, they need them.

Sorry.

Not a hacker. Just a computer savvy criminal.

Much like the rest of the conference are security workers, not hackers. Regardless of what hat colour any of them claim.

Re:Sorry.

[lazy+genes]

The penalty should be the removal of a couple fingers.

Re:Sorry.

Hacking isn't 'breaking' into systems although 'breaking' into systems isn't necessarily trivial or mean your not a hacker either. I work with hackers and for hackers every day. Most of which have broken laws purely out of the ridiculousness of the criminal code. Just visiting a web site and 'exceeding' the terms of use makes one a criminal in the eyes of law enforcement. This despite the impossibility of anyone being able to figure out or follow TOS's given the severe number of different sites one is likely to access given any short period of time 'on the Internet'. It's likely your violating TOS you don't even know exist because of code being downloaded from third party servers (think advertising).

Re:Sorry.

And at the self-rationalization Olympics the scores are...

1.1...

0.3...

and the French judge gives a to score of 1.5, just because it's not Lance Armstrong on Oprah making excuses. (Lord, that was was even worse.)

Come on, if you're going to be that lame, at least staple a chicken to your groin or do *something* so we can actually laugh.

Re:Sorry.

Yes, that's the point. Being a hacker, doing the hacking, is completely orthogonal to breaking computer security (usually takes just a bit of cunning) and/or trying to strengthen it (a rather conservative, un-creative endeavour).

Thus: Anything computer security related, any side of the fence, any claimed hat colour, is not automatically "hacking", and thus does not a "hacker" make. Regardless of what these types themselves, the media, or even the law says. They are wrong.

Yes, I do know full well it's just a few soft voices up against a positive barrage of media, activist propaganda, an entire computer security industrial complex, even lawmakers. That matters not.

We need the term hacking to celebrate technological creativity, and cannot afford to waste it on these nitwits.

Re: Sorry.

It depends, some of these guys play on both sides of the game at the same time.

Some of them do have very good intentions. Half of the time they bring up the issue with those involved first. Unfortunately Its like exposing the black market of goods. To do so you have to think, act, and become the bad guy before you can expose it for what it really is, which is a big problem.

Exposing security issues takes a lot of courage because you don't know what kind of damage it can bring. Whether its personal or reputation, to even threats. Zimmerman created PGP and he was basically slapped around by the government.

  Usually its a last resort if no one is listening.

Today the problem is that a lot of people are doing this for the publicity almost as though they are more concerned with fortune and fame and story time, than of securing anything. Understandable considering a great deal of companies spend more on their fancy business cards and chairs than they do on real security.

But what do I know,
When I post things...........and

After all I am a
Vafrous vadelect, vexatiously veiled, veraciously viator valuing vaniloquence, visibly vitative

Vis-Ã-vis
virucide

Via Vic 20

Re:Sorry.

This reminds me of the NFL, where assistant coaches typically spend their entire career on one side of the ball, i.e. offense or defense. Naively you might think, gee, if you need to properly understand what the guys on the other side are up to, shouldn't you be equally adept at coaching both? It's not like the coach needs physical skills, beyond the ordinary demonstration of moves that any healthy former player would have.

Re:Sorry.

We need the term hacking to celebrate technological creativity

It doesn't, it hasn't in a long time, and when it did it was only among a very small, tightly focused group. Maybe try coming up with a term that isn't also used to mean "chopping up" or "breaking apart violently" or "smashing through". The word has destructive connotations, and despite several decades of complaining by industry insiders, nothing is changing.
So suck it up, Princess, and get on with your life.

Aviation Electronics

[ArchieBunker]

The aviation industry is slow to make changes to anything. Their radios still use amplitude modulation and people expect them all of a sudden to switch to encrypted digital protocols?

Re:Aviation Electronics

[MrDoh!]

Not to mention the weather info is sent around the world using Baudot code. 5 bit ticker tape. Awesome.

Re:Aviation Electronics

[stox]

There is a very good reason for using Amplitude Modulation. Frequency Modulation suffers from the capture effect, where a stronger signal in an adjacent frequency will be received instead of the desired signal. AM does not suffer from this. You can also make out an AM transmission underneath a stonger transmission on the same frequency. Digital transmissions are competely unreliable in very low signal to noise situations. Digital works, or it doesn't. At least with AM, you will get fragments of the transmission.

Re:Aviation Electronics

[tlhIngan]

The aviation industry is slow to make changes to anything. Their radios still use amplitude modulation and people expect them all of a sudden to switch to encrypted digital protocols?

AM isn't outdated. It's the perfect modulation for aviation. It's got great behavior when two transmitters use the same frequency - namely, any receivers in the vicinity squeal. Second, more powerful transmitter can transmit "on top" of the squeal and still carry useful information.

The first point is important as most aviation communication frequencies are simplex - it's VERY easy to accidentally transmit over someone else. By squealing, the receiver is told that the transmission is being interfered with. With other modulations, it's not often obvious this happened - with FM, the strongest signal wins and is demodulated (weaker ones simply disappear). Digital modes depend on how they're modulated - but it can easily end up as a string of pure bit errors (remember, the receiver sees both signals simultaneously) with no indications as to the cause.

The second point is important because an aircraft radio is around 20-25W, while ATC can easily be 200+W. This is important as ATC may be giving one plane instructions while someone else is trying to contact ATC and they step on each other. The plane receiving instructions from ATC gets a squeal, but because of the difference in transmit power, it's possible for the pilot to actually hear ATC on top of the squeal. If the pilot couldn't make out the instructions, the squeal alerts them that it's because of interference. Had it been FM, a plane could've stepped over and sheer coincidence would mean it forms a plausible, but incorrect, instruction.

Finally, you have to remember that any technology you implement has to scale from airliners to little general aviation planes - the latter often owned by people who don't have a lot of extra money. Canada recently got into a bit of trouble because they mandated 406MHz ELTs as mandatory equipment. Average cost with installation is a little north of $5K for a basic model, $7K+ if you want a fancier one like one with built-in GPS (versus one that relies on aircraft GPS).

It may surprise you, but most pilots aren't super-rich - they're typically middle class people where flying is a hobby. And unless you're a decades-long career pilot, pay is horrendous (easily just $16K annually if you're just starting out to $32K as captain in a small regional airline). Heck, if you fly, you'll hear some *terrible* radios.

So AM works just fine - probably still one of the best modulations around for the purpose, and given its operating conditions, has the best side effects at handling multiple transmissions, all at the cost of audio fidelity. But given that communications are generally well structured, it's possible to comprehend even the worst transmission.

For general aviation, the biggest thing about ADS-B is that it most likely won't be a panel mounted instrument, but using one of the cheapest pieces of equipment ever - an iPad. There are now a few ADS-B receivers that interface to WiFi or Bluetooth that communicate with apps running on iPad and smartphones that serve as data inputs, and others that include an air data and attitude measuring system to give you unofficial instrumentation as well.

Re:Aviation Electronics

[n6mod]

Thank you. Ham here, and the obvious benefits of AM for mission critical communication are lost on a lot of people because "it's old, so it must suck."

Now... There's a point about the FAA being slow to change... the number of 3CX800's the FAA buys is embarrassing, but it keeps them in production for the rest of us. :)

Re:Aviation Electronics

There's a good reason they're still using AM: What happens when two stations broadcast at the same time? What would FM do?

Figure out graceful degradation for authenticated digital modes and you'll have them interested for sure. They have lots of spectrum and channels yet are always clamouring for more.

That's not the only problem, though. There's also that the whole world, effectively every single aeroplane and ground station, will have to upgrade.

And, of course, in their safety first against accident culture they value systems that work, and so design for that, not so much against adversarial attack. A bit like how the fire department would like you to do things the police department tells you not to, and vice versa.

Still and all, their systems are often better designed than the equivalent you'd get from, say, a car manufacturer, at least for the technology of the time. Of course, not least because of the cost, they stick with that technology for a long, long time.

All this makes designing better systems quite the challenge. Are you up to it?

Re:Aviation Electronics

[darkHanzz]

The point about FM is clear. Digital modulation, however, can easily beat AM modulation, if properly designed. GPS satelittes all transmit on the same frequency, it's the digital (de)modulation that makes it possible to receive *all* of them.

Re:Aviation Electronics

[n6mod]

With a substantial engineering effort, it might be possible to present all decoded signals in a useful way. I shudder to imagine the UI/UX discussions around that. Do you play back everything you decoded simultaneously? Or do you play them back in sequence? What do you do if the last 'double' is still being played back when another transmission comes in?

Sorry, but I'll put my faith in aviators ability to communicate, and the great mixer in the sky that AM gives you.

Re:Aviation Electronics

[Shoten]

The aviation industry is slow to make changes to anything. Their radios still use amplitude modulation and people expect them all of a sudden to switch to encrypted digital protocols?

This is only half of the problem, and not the bigger half. The problem is that systems like ACARS and ADS have availability as their highest priority. If you build something akin to the OSI model that instead focuses on discrete components rather than functions, you end up with a stack that is taller when you add encryption on top of it; that extra layer on the top is one more thing that can fail, and which frequently does fail. Yes, authentication (much more important than encryption...an attacker spoofing the location of a plane is more dangerous than an attacker learning where the plane is) is important, but the risk of losing availability is serious. If there were encryption or authentication in place and a plane were misconfigured, it would become invisible both to the ground tower and to other planes...obviously, this is a HUGE problem. So it's not exactly fair to look upon this as the authorities simply being asleep at the wheel...there's actually been thought put into this, and to date the tradeoff hasn't been there. This attack requires either an SDR (which didn't exist a decade ago and is still somewhat exotic) or dedicated avionics equipment (not man portable). Back when these systems were developed, the attack wasn't even possible, much less feasible, and they did succeed in reducing the number of mid-air near misses with these protocols and their concurrent systems.

And I'm with you...it's amazing to me how people think that the industry can change things rapidly. It takes *forever* to test new systems to assure that they will be as reliable as needed...and they never pass the first test. But the reasons why they have things like AM-based radio communications isn't slowness to respond, it's reliability. They've been rapid to adopt new things in the name of safety, such as the ability to detect microbursts (which caused some crashes and a lot of close calls, once upon a time). As soon as the meteorological world learned what kind of event was causing these issues, it only took a few years for deployment of a way to detect and respond to them.

Assholes

[bill_mcgonigle]

I got my cards revoked on both incidents. No direct losses, but cost me about 5 hrs each time re-configuring various bill pays and such, and these were just months apart.

Multiply that against the affected cardholder base and these people are just parasites on society. Sure, it's 2013 and VISA's authentication sucks, but it takes two to tango.

Offensive conferences

[UberDude]

PyCon really started a trend!

Re:Offensive conferences

There was a talk scheduled about dongles but the speaker pulled out at the last second. Er, the talk was cancelled....

Next time someone tells me they can hack me, I'll

send them the same one word response: "Perfunctory."

my opinion

gatherings of computer criminals should be banned,

Re:my opinion

"Freedom of Assembly" ring any bells you fucking troglodyte?

Based on the Aaron Swartz definition of "Computer Crime" anyone what uses an alias on Google Plus/Gmail or Facebook is a computer criminal.

http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
http://www.sans.org/reading_room/whitepapers/legal/federal-computer-crime-laws_1446

Re: my opinion

[Misterfixit]

I disagree. Aside from freedom of assembly, another comment was about collecting intelligence on attendees. I was at the conference and wore my NSA badge all the time along with the rather amateurish "attendee" badge. Several guys looked and said "Dude! Awesome hack! I want one too!" Sure thing "dude" just come to work for us in S-Group at the Friendship Annex. It was interesting and I got the cd with the Dongle power points on it - author might be a good hire if he/she can pass the poly exam. Not to worry, they don't ask about fucking chickens anymore.

Trust is an illusion

[WaffleMonster]

Virtually all of air/sea transportation use non-integrity protected signals and carriers with near zero resistance to intentional jamming. Access to GPS can be trivially denied. GPS position can be spoofed even if using encrypted channels without having access to encrpytion keys.

Personally I prefer in the clear better than alternative where every airport and every plane in the world has to establish some form of trust relationship. There are too many people and interests involved to where it is not reasonable to believe keys won't leak out or in some other way be compromised.

It is better to design systems working in the clear with associated scope limitations and healthy doeses of paranoia than to have instances of engineers saying or thinking "well this is secure" .. as long as its only used to improve safety margins, refine fixes based on flight plan/radar and any disagreement is flaged this might stand a chance of being a reasonable decision in light of practical limitations on trust.

Re:Trust is an illusion

Can u imagine that spooks have some kewl tech to fuck with aircraft ...
I'm sure that couldn't b...
Could it, sen wellstone ?
What say u, JFK Jr ?
How 'bout it, Mr Reuther ?
Just koo koo kwazy talk...