Notes From Crazytown, Day Three: Black Hat Breakdown

So far this week, at Black Hat, I have learned to deeply mistrust: passwords, chip-and-PIN cards, all USB devices, HTTPS connections, more than two billion phones, governments worldwide, all human societies, and my sense of the ridiculous. You should mistrust all those too! Sorry.

What follows is a summary of the most eyebrow-raising talks I attended:

HTTPS: A European team demonstrated a whole panoply of successful attacks against HTTPS, which is supposed to secure your web browsing. Most notable are a “Cookie Cutter” attack which steals users’ cookies, letting the attacker hijack sessions on any supposedly-secure site, and a way to impersonate–again, over HTTPS–any site hosted by the Akamai content delivery network, which includes e.g. CNN, LinkedIn, and, er, the NSA. The “summary for non-experts” (PDF) is very worth reading. (update: wrong tense — Akamai informs me that, working with these researchers, they patched this vulnerability earlier this year. Three cheers for responsible disclosure.)

Passwords: Everyone knows passwords are bad and broken — the B-Sides “unconference” which precedes Black Hat devoted a whole room to talks on that subject — but here’s yet another nail in their coffin: “My Google Glass Sees Your Passwords!“, by an American/Chinese research team, about algorithmically extrapolating passwords from camera footage of finger movement. (The camera can be a webcam, an iPhone, Google Glass, whatever.) But as Tim Bray points out in Time, despite that coffin, passwords are the undead zombie that just won’t die, at least not for some years yet.

Chip-and-PIN cards: Cambridge University’s Ross Anderson gave a historical overview of the various successful attacks on the chip-and-PIN infrastructure ubiquitous in Europe and Canada, and coming soon to America. One team of attackers stole millions of pounds and got away with it because the banks decided it would have been too embarrassing/damaging to give evidence against them. Then the banks tried to censor a Cambridge student’s thesis which described an exploit — but, four years later, only one major British bank has bothered to protect against that attack. The fundamental problem, Anderson argues, is that EMV, the protocol (or, really, toolkit for building protocols) behind chip-and-PIN, is a kludgy and massively overcomplicated mess … but nobody seems to have sufficient incentive to fix it.

More than two billion phones: Matthew Solnik and Marc Blanchou described weaknesses in the little-known protocol that carriers use to communicate with and control phones without user intervention, and how those can be exploited to run code on a target phone … meaning, in essence, hijacking it over the air.

All USB devices: Karsten Nohl and Jakob Lell revealed that USB firmware–again, completely invisible to users–can be rewritten so that any USB device (eg a thumb drive) can be made to seem like a different kind of device, eg a keyboard. The device in question can then send keystrokes to your computer which cause it to download and run any other software. Granted, this requires physical access to your computer, and as a friend of mine put it, “Something plugged in to an input port on your computer can control your computer; film at 11!” Don’t trust unknown devices, folks.

Governments worldwide: Mikko Hypponen gave an overview of malware written by governments. There’s quite a lot! From governments everywhere! Especially the USA:

And, of course, governments who can’t write their own malware hire companies to provide it for them. I give you this surreal Hacking Team ad as an example. And, during Black Hat, another company infamous for providing malware to authoritarian governments–Gamma Group, creator of FinFisher–was hacked itself, and many of its internal documents made available on GitHub. See Violet Blue’s excellent writeup.

All human societies: At a B-sides talk by Meredith Patterson on social iterated game theory, I learned that a game strategy of “100% uncompromising absolutism” quickly totally dominates simulated societies. This is a abstract massively simplified mathematical model of society, of course, not the real thing; but still, disconcerting.

My sense of the ridiculous: I heard on Tuesday night that John McAfee would be speaking. Yes, that John McAfee, noted onetime international fugitive and creator of the infamous (and very NSFW) “How To Uninstall McAfee Antivirus” video, which I’m just going to link to here because I think even TechCrunch’s editors might look askance at an embed. Nonsense, I thought, pull the other one. Joke’s on me: he gave the closing address at B-Sides and, word is, will speak at Def Con today.

Now even the FTC is getting in on the surreality here:

To think I worried that labeling this series “Notes From Crazytown” would seem an overstatement. Thanks, FTC and John McAfee! I rest easy.