Ask Slashdot: Favorite Thing Out of This Year's Black Hat?
Nerval's Lobster writes "This year's Black Hat conference wasn't just about the NSA director defending his agency's surveillance practices (and getting a bit heckled in the process). Other topics included hacking iOS devices via a modified charging station, eavesdropping on smartphones via compromised femtocells, demonstrating a password-security testing tool that leverages AWS (and 9TB of rainbow tables) to crush weak passwords, and compromising RFID tags with impunity. What was your favorite news out of Black Hat?"
http://blockwatch.ioactive.com:8888/
It's pretty alpha, and you will need to use IE to install it. This tool compares software in memory against known signatures, allowing you to confirm what's running on the system is really what you think it is. It works with Hyper-V and VMware.
It's free. Thanks IOActive!
HTTP server on non-standard port with (probably) proprietary freeware that requires IE to work. Sounds genuine to me!
Oh, and make sure you have .NET 4.5 installed. The installer choked on me the first time because I didn't have it. You install it on your host system, and it connects to VMs of your choosing to analyze them.
Fair point, but it's not like getting something from port 80 or 443 really assures safety.
Like I said it's really alpha. I would not run it on any important VMs anyway.
The NSA is not a law enforcement agency. They're an intelligence agency: they have little jurisdiction to charge US citizens for domestic crimes, or authority to arrest foreign nationals for crimes overseas. That would be the task of the FBI for various federal crimes, the Secret Service for certain types of fiscal crimes including wire fraud, or local police for state or local crimes. And I'm afraid the NSA doesn't like to share responsibility for such arrests, because monitoring US communications is actually against their charter. They do it anyway with various very poor excuses, but they'd hardly pursue arrests on that basis.
Also, a lot of the activity is below any reasonable threshold of when a prosecutor would be bothered to file charges.
You go out of your way to make a Distinction without a Difference.
Who puts the cuffs on you hardly matters.
If you believe the nonsense about their charter you deserve the delusions under which you so evidently labor.
Sig Battery depleted. Reverting to safe mode.
At this point, it's just branding. There was a time when Black Hat was correctly titled, but that train has long since left the station.
The NSA doesn't (can't) arrest people.
Now as to why the FBI doesn't arrest the attendees, it's because none of them have outstanding arrest warrants. (Well, presumably not. At DEFCON, you don't give them your name or your credit card and it's so crowded, you couldn't find anyone anyway.) Turns out calling yourself a hacker isn't grounds for arrest.
Then understand that they do not arrest people for the same reason they do not sign US treaties or sign bills into law. It's not their job to arrest people, even if they cooperate with and provide intelligence for the people who do and are in some ways responsible for such arrests or for what treaties get signed or what laws get passed informing the people who'd do such tasks.
I was careful to answer the question from aNonnyMouseCowered, not to say the NSA is innocent of wrongdoing or of providing leads for the FBI or the US State Department and US Customs to harass attendees at BlackHat or to block the visas of international attendees. It's vital to answer the people that people actually asked.
[offtopic]
Nice sig. What keywords do you put in your E-Mails to make sure they back them up?
So let's pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
It all goes there, the hard part is getting it back with an FOIA request can sometimes be delayed.........
"First they came for the slanderers and I said nothing."
That sounds like tripwire to me.
Plus, that link doesn't lead to information about blockwatch, but instead immediately tries to download a file. Not very friendly.
"Once we've identified and embraced our sickness, we'll have strength...and that's when we get dangerous." - John Waters
I love to play Blackhat Bingo.
Will the presenter die, commit suicide, leave the country, or just appear on a no-fly-list?
Ahh, hacking was so much more fun before they were all terrorists..
</sarcasm>
There are hundreds of free-for-download Access Control software packages which will read the serial number from an RFID card. You don't need to go through the trouble of building a new package. The hard part is that most good AC systems don't use the serial from a smart card, they use one of the sectors on the chip. This is usually locked with a PKI method of encryption and thus much harder to break. He mentioned HID, which uses their own proprietary PKI (such as Legic does), but there are many standards such as DESFire which are open and manage access to the chip sectors. What the article is really talking about is normal 125MHz prox cards which are not secure and yes, widely used in the USA but not in Europe. The real way to crack even the HID encryption is to get behind the reader and capture the Wiegand (text) output from the reader which does the encryption handshake for you. Watch out for tampers, but it's not hard in any interior space, just look in the false ceiling for the controller and tap in where the cables enter it. Much easier than all this nonsense.
http://breachattack.com/
When the head of the NSA--an agency absolutely notorious for lying to the American people, subverting the U.S. Constitution, and generally screwing over every freedom we the people have--can address the conference and not be immediately and universally booed the fuck offstage, you know you're not dealing with the same crowd that used to be there.
The cow says "Moo." The dog says "Woof." The Timothy says "Thanks, valued customer. We appreciate your input."