Slashdot Mirror


TJX Hacker Gives Keynote At 'Offensive' Security Conference

An anonymous reader writes "Two hundred hackers from around the world gathered at a Miami Beach hotel Thursday and Friday for the Infiltrate Security conference, which focuses on systems hacking from the 'offensive' perspective (with slides). In a keynote address, Stephen Watt, who served two years in prison for writing the software used by his friend Alberto Gonzalez to steal millions of credit card numbers from TJX, Hannaford and other retailers, acknowledges he was a 'black hat' but denies that he was directly involved in TJX or any other specific job. Watt says his TCP sniffer logged critical data from a specified range of ports, which was then encrypted and uploaded to a remote server. Brad 'RenderMan' Haines gave a presentation on vulnerabilities of the Air Traffic Control system, including the FAA's 'NextGen' system which apparently carries forward the same weakness of unencrypted, unauthenticated location data passed between airplanes and control towers. Regarding the recent potential exploits publicized by Spanish researcher Hugo Teso, Haines says he pointed out similar issues to the FAA and its Canadian counterpart a year ago, but received only a perfunctory response."

14 of 35 comments

  1. Offense Hacking? by TaoPhoenix · · Score: 2

    How a group like this doesn't get pulled under by Security Theater is beyond me.

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
    1. Re:Offense Hacking? by timholman · · Score: 4, Interesting

      How a group like this doesn't get pulled under by Security Theater is beyond me.

      On the contrary, you let groups like this meet and hold their convention. And then you identify, photograph, and monitor every attendee. What better way to get the bad guys to voluntarily reveal themselves?

      Governments have been doing this for a long, long time. Read about some of the things that the FBI did under J. Edgar Hoover; it will enlighten you.

    2. Re:Offense Hacking? by Architect_sasyr · · Score: 1

      I'm always surprised about little things - unencrypted communications is actually kind of an obvious thing to do as far as I am concerned. I mean, screw trying to get a mars rover to reconnect because the clock died and the time is out of sync so the SSL is borked. I'd love to hear from someone who built the communications protocols up, to see if they were just lazy, uneducated, or thinking like the above.

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
  2. Sorry. by Anonymous Coward · · Score: 1

    Not a hacker. Just a computer savvy criminal.

    Much like the rest of the conference are security workers, not hackers. Regardless of what hat colour any of them claim.

  3. Aviation Electronics by ArchieBunker · · Score: 3, Insightful

    The aviation industry is slow to make changes to anything. Their radios still use amplitude modulation and people expect them all of a sudden to switch to encrypted digital protocols?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Aviation Electronics by MrDoh! · · Score: 3, Informative

      Not to mention the weather info is sent around the world using Baudot code. 5 bit ticker tape. Awesome.

      --
      Waiting for an amusing sig.
    2. Re:Aviation Electronics by stox · · Score: 2

      There is a very good reason for using Amplitude Modulation. Frequency Modulation suffers from the capture effect, where a stronger signal in an adjacent frequency will be received instead of the desired signal. AM does not suffer from this. You can also make out an AM transmission underneath a stronger transmission on the same frequency. Digital transmissions are completely unreliable in very low signal to noise situations. Digital works, or it doesn't. At least with AM, you will get fragments of the transmission.

      --
      "To those who are overly cautious, everything is impossible. "
    3. Re:Aviation Electronics by tlhIngan · · Score: 5, Informative

      The aviation industry is slow to make changes to anything. Their radios still use amplitude modulation and people expect them all of a sudden to switch to encrypted digital protocols?

      AM isn't outdated. It's the perfect modulation for aviation. It's got great behavior when two transmitters use the same frequency - namely, any receivers in the vicinity squeal. Second, a more powerful transmitter can transmit "on top" of the squeal and still carry useful information.

      The first point is important as most aviation communication frequencies are simplex - it's VERY easy to accidentally transmit over someone else. By squealing, the receiver is told that the transmission is being interfered with. With other modulations, it's not often obvious this happened - with FM, the strongest signal wins and is demodulated (weaker ones simply disappear). Digital modes depend on how they're modulated - but it can easily end up as a string of pure bit errors (remember, the receiver sees both signals simultaneously) with no indications as to the cause.

      The second point is important because an aircraft radio is around 20-25W, while ATC can easily be 200+W. This is important as ATC may be giving one plane instructions while someone else is trying to contact ATC and they step on each other. The plane receiving instructions from ATC gets a squeal, but because of the difference in transmit power, it's possible for the pilot to actually hear ATC on top of the squeal. If the pilot couldn't make out the instructions, the squeal alerts them that it's because of interference. Had it been FM, a plane could've stepped over and sheer coincidence would mean it forms a plausible, but incorrect, instruction.

      Finally, you have to remember that any technology you implement has to scale from airliners to little general aviation planes - the latter often owned by people who don't have a lot of extra money. Canada recently got into a bit of trouble because they mandated 406MHz ELTs as mandatory equipment. Average cost with installation is a little north of $5K for a basic model, $7K+ if you want a fancier one like one with built-in GPS (versus one that relies on aircraft GPS).

      It may surprise you, but most pilots aren't super-rich - they're typically middle class people where flying is a hobby. And unless you're a decades-long career pilot, pay is horrendous (easily just $16K annually if you're just starting out to $32K as captain in a small regional airline). Heck, if you fly, you'll hear some *terrible* radios.

      So AM works just fine - probably still one of the best modulations around for the purpose, and given its operating conditions, has the best side effects at handling multiple transmissions, all at the cost of audio fidelity. But given that communications are generally well structured, it's possible to comprehend even the worst transmission.

      For general aviation, the biggest thing about ADS-B is that it most likely won't be a panel mounted instrument, but using one of the cheapest pieces of equipment ever - an iPad. There are now a few ADS-B receivers that interface to WiFi or Bluetooth that communicate with apps running on iPad and smartphones that serve as data inputs, and others that include an air data and attitude measuring system to give you unofficial instrumentation as well.
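The behaviour stox and tlhIngan describe above (FM's capture effect versus the AM heterodyne "squeal") can be checked numerically. The simulation below is an added example, not code from either commenter or from the article: it models two co-channel transmitters in a receiver's complex baseband, runs an ideal AM envelope detector and an ideal FM discriminator over their sum, and uses a Goertzel filter to measure how much of the stronger station's audio, the weaker station's audio and the beat tone at the carrier offset ends up in each detector's output. The amplitudes (1.0 versus 0.4), the 300 Hz carrier offset, the 700 Hz and 1100 Hz audio tones and the 2.5 kHz FM deviation are constructed parameters, chosen only so that every tone is an exact number of cycles in the analysis window.

```python
import cmath
import math

# Simulated receiver: complex baseband centred on the channel (constructed parameters).
FS = 48_000          # sample rate, Hz
N = 12_000           # 0.25 s; every tone below is an exact number of cycles in N samples

# (amplitude, carrier offset from channel centre in Hz, audio tone in Hz)
STRONG = (1.0, 0.0, 700.0)     # the louder station, e.g. ATC, dead on frequency
WEAK = (0.4, 300.0, 1100.0)    # a weaker radio 300 Hz off frequency, keying at the same time


def tone_amplitude(samples, freq_hz):
    """Goertzel filter: amplitude of the sinusoid at freq_hz in a real sequence of N samples."""
    k = round(freq_hz * N / FS)
    w = 2.0 * math.pi * k / N
    coeff = 2.0 * math.cos(w)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    real = s1 - s2 * math.cos(w)
    imag = s2 * math.sin(w)
    return 2.0 * math.hypot(real, imag) / N


def am_envelope(transmitters, m=0.5):
    """What an AM envelope detector hears when all transmitters are on the channel at once."""
    out = []
    for n in range(N):
        t = n / FS
        z = 0j
        for amp, offset, audio in transmitters:
            modulated = amp * (1.0 + m * math.cos(2.0 * math.pi * audio * t))
            z += modulated * cmath.exp(2j * math.pi * offset * t)
        out.append(abs(z))
    return out


def fm_discriminator(transmitters, deviation_hz=2500.0):
    """What an FM discriminator (instantaneous frequency, Hz) hears in the same situation."""
    phases = [0.0] * len(transmitters)
    out, prev = [], None
    for n in range(N + 1):
        t = n / FS
        z = 0j
        for i, (amp, offset, audio) in enumerate(transmitters):
            f_inst = offset + deviation_hz * math.cos(2.0 * math.pi * audio * t)
            phases[i] += 2.0 * math.pi * f_inst / FS
            z += amp * cmath.exp(1j * phases[i])
        if prev is not None:
            # phase advance between consecutive samples, scaled to Hz
            out.append(cmath.phase(z * prev.conjugate()) * FS / (2.0 * math.pi))
        prev = z
    return out


def measure(samples):
    """Strong station's audio, weak station's audio, and the beat ("squeal") at their offset."""
    return {
        "strong_audio": tone_amplitude(samples, STRONG[2]),
        "weak_audio": tone_amplitude(samples, WEAK[2]),
        "squeal": tone_amplitude(samples, WEAK[1] - STRONG[1]),
    }


def compare_am():
    return {"alone": measure(am_envelope([STRONG])),
            "both": measure(am_envelope([STRONG, WEAK]))}


def compare_fm():
    return {"alone": measure(fm_discriminator([STRONG])),
            "both": measure(fm_discriminator([STRONG, WEAK]))}


if __name__ == "__main__":
    for name, result in (("AM", compare_am()), ("FM", compare_fm())):
        for case, m in result.items():
            print(f"{name} {case:5s} strong={m['strong_audio']:.3f} "
                  f"weak={m['weak_audio']:.3f} squeal={m['squeal']:.3f}")
```

With both transmitters keyed, the AM envelope carries a 300 Hz beat comparable in level to the ATC audio while that audio remains readable on top of it, which is the "squeal plus stronger station" tlhIngan describes. The FM discriminator output for the same input has the beat and the weaker station's audio both pushed well below a tenth of the stronger audio: the interference is nearly silent, so nothing tells the listener that a second transmission was stepped on.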

    4. Re:Aviation Electronics by n6mod · · Score: 2

      Thank you. Ham here, and the obvious benefits of AM for mission critical communication are lost on a lot of people because "it's old, so it must suck."

      Now... There's a point about the FAA being slow to change... the number of 3CX800's the FAA buys is embarrassing, but it keeps them in production for the rest of us. :)

      --
      You have violated Robot's Rules of Order and will be asked to leave the future immediately.
    5. Re:Aviation Electronics by darkHanzz · · Score: 1

      The point about FM is clear. Digital modulation, however, can easily beat AM modulation, if properly designed. GPS satellites all transmit on the same frequency, it's the digital (de)modulation that makes it possible to receive *all* of them.

    6. Re:Aviation Electronics by n6mod · · Score: 1

      With a substantial engineering effort, it might be possible to present all decoded signals in a useful way. I shudder to imagine the UI/UX discussions around that. Do you play back everything you decoded simultaneously? Or do you play them back in sequence? What do you do if the last 'double' is still being played back when another transmission comes in?

      Sorry, but I'll put my faith in aviators' ability to communicate, and the great mixer in the sky that AM gives you.

      --
      You have violated Robot's Rules of Order and will be asked to leave the future immediately.
    7. Re:Aviation Electronics by Shoten · · Score: 1

      The aviation industry is slow to make changes to anything. Their radios still use amplitude modulation and people expect them all of a sudden to switch to encrypted digital protocols?

      This is only half of the problem, and not the bigger half. The problem is that systems like ACARS and ADS have availability as their highest priority. If you build something akin to the OSI model that instead focuses on discrete components rather than functions, you end up with a stack that is taller when you add encryption on top of it; that extra layer on the top is one more thing that can fail, and which frequently does fail. Yes, authentication (much more important than encryption...an attacker spoofing the location of a plane is more dangerous than an attacker learning where the plane is) is important, but the risk of losing availability is serious. If there were encryption or authentication in place and a plane were misconfigured, it would become invisible both to the ground tower and to other planes...obviously, this is a HUGE problem. So it's not exactly fair to look upon this as the authorities simply being asleep at the wheel...there's actually been thought put into this, and to date the tradeoff hasn't been there. This attack requires either an SDR (which didn't exist a decade ago and is still somewhat exotic) or dedicated avionics equipment (not man portable). Back when these systems were developed, the attack wasn't even possible, much less feasible, and they did succeed in reducing the number of mid-air near misses with these protocols and their concurrent systems.

      And I'm with you...it's amazing to me how people think that the industry can change things rapidly. It takes *forever* to test new systems to assure that they will be as reliable as needed...and they never pass the first test. But the reasons why they have things like AM-based radio communications isn't slowness to respond, it's reliability. They've been rapid to adopt new things in the name of safety, such as the ability to detect microbursts (which caused some crashes and a lot of close calls, once upon a time). As soon as the meteorological world learned what kind of event was causing these issues, it only took a few years for deployment of a way to detect and respond to them.

      --
      For your security, this post has been encrypted with ROT-13, twice.
  4. Offensive conferences by UberDude · · Score: 2

    PyCon really started a trend!

  5. Trust is an illusion by WaffleMonster · · Score: 2

    Virtually all of air/sea transportation uses non-integrity protected signals and carriers with near zero resistance to intentional jamming. Access to GPS can be trivially denied. GPS position can be spoofed even if using encrypted channels without having access to encryption keys.

    Personally I prefer in the clear better than alternative where every airport and every plane in the world has to establish some form of trust relationship. There are too many people and interests involved to where it is not reasonable to believe keys won't leak out or in some other way be compromised.

    It is better to design systems working in the clear with associated scope limitations and healthy doses of paranoia than to have instances of engineers saying or thinking "well this is secure". As long as it's only used to improve safety margins, refine fixes based on flight plan/radar, and any disagreement is flagged, this might stand a chance of being a reasonable decision in light of practical limitations on trust.
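Shoten's comment above and WaffleMonster's converge on one design: keep the link in the clear and available, and let the cross-check against independent sources (radar, flight plan) act as the integrity mechanism, flagging disagreement rather than rejecting reports. The code below is an added example of such a check, not code from either commenter or from any real ATC system: it annotates a constructed ADS-B track with advisory flags when a report disagrees with the nearest radar return in time or implies an impossible ground speed since the last uncontested fix, and it never drops a report, so a misconfigured or spoofed transponder degrades to "uncorroborated" rather than "invisible". The thresholds, coordinates and timings are made up for the demonstration.

```python
import math
from dataclasses import dataclass

# Thresholds are assumptions chosen for the demonstration, not published ATC criteria.
RADAR_MATCH_WINDOW_S = 6.0        # a radar return must be this close in time to be compared
MAX_RADAR_DISAGREE_NM = 2.0       # larger ADS-B vs radar separation gets flagged
MAX_GROUND_SPEED_KT = 700.0       # implied speed above this is not a civil aircraft
NM_PER_DEG_LAT = 60.0


@dataclass(frozen=True)
class Fix:
    source: str   # "adsb" or "radar"
    t: float      # seconds since the start of the sample
    lat: float
    lon: float


def distance_nm(a, b):
    """Equirectangular distance; adequate for cross-checking fixes a few hundred NM apart."""
    mean_lat = math.radians((a.lat + b.lat) / 2.0)
    dlat = (b.lat - a.lat) * NM_PER_DEG_LAT
    dlon = (b.lon - a.lon) * NM_PER_DEG_LAT * math.cos(mean_lat)
    return math.hypot(dlat, dlon)


def check_track(adsb, radar):
    """Annotate every ADS-B fix with advisory flags.

    Availability first: nothing is dropped. A flagged report is still displayed,
    it is just marked as uncorroborated for the controller.
    """
    annotated = []
    # Kinematics are judged against the last uncontested fix, so the genuine report
    # that follows an outlier is not itself flagged for "jumping back".
    last_clean = None
    for fix in sorted(adsb, key=lambda f: f.t):
        flags = []
        nearby = [r for r in radar if abs(r.t - fix.t) <= RADAR_MATCH_WINDOW_S]
        if nearby:
            nearest = min(nearby, key=lambda r: abs(r.t - fix.t))
            sep = distance_nm(fix, nearest)
            if sep > MAX_RADAR_DISAGREE_NM:
                flags.append(f"radar_disagree:{sep:.1f}nm")
        else:
            flags.append("no_radar_corroboration")
        if last_clean is not None and fix.t > last_clean.t:
            hours = (fix.t - last_clean.t) / 3600.0
            speed = distance_nm(last_clean, fix) / hours
            if speed > MAX_GROUND_SPEED_KT:
                flags.append(f"implausible_speed:{speed:.0f}kt")
        annotated.append((fix, flags))
        if not flags:
            last_clean = fix
    return annotated


def flagged_times(annotated):
    """Report times that carry at least one advisory flag."""
    return [fix.t for fix, flags in annotated if flags]


def demo_track():
    """Constructed sample: one aircraft eastbound at about 420 kt, reporting every 10 s,
    plus a single ADS-B report at t=25 s placing it roughly 27 NM from where radar sees it."""
    lat = 25.8
    step_lon = 0.0216   # about 1.17 NM per 10 s at this latitude
    adsb = [Fix("adsb", 10.0 * k, lat, -80.0 + step_lon * k) for k in range(5)]
    # Independent radar returns, offset ~0.1 NM from the ADS-B positions (constructed)
    radar = [Fix("radar", 10.0 * k, lat, -80.0 + step_lon * k + 0.002) for k in range(5)]
    adsb.append(Fix("adsb", 25.0, lat, -80.0 + step_lon * 2.5 + 0.5))   # the outlier
    return check_track(adsb, radar)


if __name__ == "__main__":
    for fix, flags in demo_track():
        status = "OK" if not flags else " ".join(flags)
        print(f"t={fix.t:5.1f}s lat={fix.lat:.4f} lon={fix.lon:.4f} {status}")
```

Only the t=25 s report comes back flagged, on both counts (it disagrees with radar and implies a speed of several thousand knots from the previous clean fix); the genuine reports before and after it pass, including the one at t=30 s, because it is compared with the last clean fix rather than with the outlier.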