90.9 WBUR - Boston's NPR news station
A Trade Show For Hackers

With Wade Goodwyn in for Tom Ashbrook.

How to hack into any hotel room in the world – and more. We’ll go to the “black hat” cyber-security conference in Las Vegas.

The "black hat" cyber-security conference is going on this week in Las Vegas. (AP)

Imagine the world’s best jewel thieves and the world’s best detectives meeting in Las Vegas to discuss the newest ways to steal high-priced jewelry. That’s exactly what’s happening, only it’s the world’s best hackers and security men, at what is called the Black Hat Conference.

Would you like to learn how to hack into the utilities’ new smart meters, maybe make a minor adjustment? We have your hacker, although the utility companies tried to shut down his presentation.

This hour, On Point: hackers and the security companies who recruit them.

-Wade Goodwyn

Guests

Jordan Robertson, a reporter who covers tech issues for Bloomberg.

Michael Gregg, computer security expert and “ethical hacker”; he is the founder and COO of Superior Solutions, Inc.

Fred Cate, director at the Center for Applied Cybersecurity Research at Indiana University, where he is also a professor at the Maurer School of Law.

Don Weber, security expert at the “InGuardians” security consultancy. He presented yesterday at Black Hat on his research into security weaknesses in smart electrical meters.

From The Reading List

Bloomberg “While many major technology vendors have overcome their reluctance to making a public showing at the conference, Apple, now the world’s most valuable company, has had no problem snubbing a community whose aim is to unearth its vulnerabilities.”

E-Week “For millions of travelers and road warriors, the ubiquitous hotel key card is the primary, and essentially the only, way to access their rooms at the end of day. However, security researcher Cody Brocious believes the current systems used to secure hotel doors throughout the United States and elsewhere are severely flawed.”

Red Orbit “The former is the up and up event with sponsors that include Amazon.com, Cisco, Hewlett Packard, IBM, Looking Glass, Microsoft and Qualys. The conference is expected to draw somewhere between 6,500 and 7,500 attendees – most invite only – and feature 82 sessions. The event will also include the release of 36 new security tools, 49 on-stage demonstrations and 17 zero-day disclosures.”


  • Bigleyjoshua

    Hotels could use the key-card as well as traditional keys–that way even if you hack into it you still need the turn-key. If you are in-room, there is also a lock on the inside of the door.

    Hotels could also provide a system where a password number is keyed into the card on registering or at the door so only the guest knows the password–and the card. When entering the room, key in the password as the card is being scanned, or after. If you forget your password, you can go to the desk, show your ID and re-boot the card.

    • Farstrider_2

      And who deals with the drunks who forgot their wife’s maiden name?  Do Not Call IT!  We do not do drunks (well, most drunks . . . )

      • DrewInGeorgia

        He thinks we are going to be happy about additional effort required on our part. Misguided is an understatement. It’s been repeatedly proven that most Americans will choose Convenience over Security every time.

  • MadMarkTheCodeWarrior

    Flawed systems, pshaw! In the race to win market share, security took a back seat, despite many warnings by experts and the steady increase and cost of breaches.

    I worked on a system declared ‘unhackable’ at DEFCON… I just say that as an indicator of how much more secure it was than its competition. Nonetheless, cheaper more vulnerable systems won the market over demonstrably more secure and reliable systems, even with customers for whom one would think security would be the deciding factor.

    Thank you Windows and UNIX acolytes, enthusiasts and consumers for invariably choosing quick and cheap over safe and sound! And kudos to all those marketeers for consistently lying about their features and vaporware. Now every network device is vulnerable to commandeering and the potential level of exploitation is frightening when one considers where the hardware for these devices is being manufactured.

    The security patches will keep on coming – baling wire over band-aids over bubblegum – and the hackers keep exploiting the flaws. Welcome to the world of cyber insecurity – we got what we paid for.

    • Don_B1

      It really comes down to the consumer and the human reluctance to inconvenience themselves. Remember the case where a view of passwords showed that 12345678 was the favorite of maybe thousands?

      I think it was Farhud Manja (sp?) at Slate who put out an easy way to generate a rememberable password that was reasonably secure: use the first (or second, etc.) letter of consecutive (or other) words in a rememberable sentence that has meaning only to the user.

      • TFRX

        “That’s amazing! I’ve got the same combination on my luggage!”

        • DrewInGeorgia

          Anyone with an eight digit access code on their luggage either has more money than common sense or they are up to no good.

      • MadMarkTheCodeWarrior

        Vulnerabilities go way beyond simply passwords.

    • Steve

      Cheap, fast, convenient – you can only have two.

      • DrewInGeorgia

        I see security didn’t make the big three.

        • Steve

          Security was sacrificed at the altar of cheap, fast and convenient (now the question becomes…convenient for whom?)

          • DrewInGeorgia

            Convenient in the short term is always painful in the long run.

            Convenient for no one, we never seem to grasp that concept though.

  • AC

    can you discuss a little about how certain criminals and terrorist groups are building their own networks and operations centers? Are those hack-able?
    (I watched the Marc Goodman TED talk on crimes of the future and i’m a little weary….)

    • Don_B1

      The more secure the system, the more difficult it is to implement. The “ultimate” system is one where the code, used only one time, is as long as the message and consists of a random string of characters. This can be approached by a system that generates a string of pseudorandom characters from an initial (and the longer the better) word through a non-linear recursion routine.

      The current methods typically use a form of the RSA algorithm. The initial approach was to form a number which was the product of two large prime numbers to form the initial encryption “word” and which required the factoring of that number to obtain the two prime numbers to decrypt the message. If the numbers are big enough it takes hours to weeks on the biggest supercomputers to achieve this factoring, so the message is “secure” to all but the biggest governments, who are the only entities able to afford that type of computation.

    • DrewInGeorgia

      “Is there anything that CAN’T be hacked?”

      The short answer is that if there’s a way out (exposure to ANY outside network), there’s a way in. The only truly secure system is one that is completely isolated.
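The two systems Don_B1's reply above names, a one-time pad and RSA, worked through in code. This is an added example and not part of the original thread; the primes are deliberately tiny so that the attacker's factoring step finishes instantly, and the message, key and prime values are constructed for the demonstration.

```python
"""One-time pad and textbook RSA, the two systems named in the comment above.

Added example, not part of the original thread. The primes are deliberately
tiny so that the attacker's factoring step runs instantly; the structure is
the same as for real keys, the numbers are not.
"""
import math
import secrets


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR every message byte with a key byte; the key must be at least as
    long as the message and must never be used for a second message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation.
otp_decrypt = otp_encrypt


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """The caveat that makes 'one-time' essential: if a key is reused, the
    XOR of the two ciphertexts equals the XOR of the two plaintexts. The key
    cancels out, and an attacker who knows or guesses one message recovers
    the other without ever learning the key."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def rsa_keygen(p: int, q: int, e: int = 65537):
    """Textbook RSA key generation from two primes p and q.

    Returns (public, private) as ((n, e), (n, d)). The private exponent d is
    the inverse of e modulo phi(n); computing phi(n) needs p and q, which is
    why factoring n is the attacker's route to the private key.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(m: int, public) -> int:
    n, e = public
    return pow(m, e, n)


def rsa_decrypt(c: int, private) -> int:
    n, d = private
    return pow(c, d, n)


def factor_trial_division(n: int):
    """Attacker's step: recover p and q. Trial division is fine for a toy n;
    for a 2048-bit modulus no known method finishes in any useful time."""
    for p in range(2, math.isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def recover_private_key(public):
    """Given only the public key, factor n and rebuild d."""
    n, e = public
    p, q = factor_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1)))


if __name__ == "__main__":
    msg = b"meet at 10"                           # constructed sample message
    key = secrets.token_bytes(len(msg))           # fresh random pad, used once
    ct = otp_encrypt(msg, key)
    assert otp_decrypt(ct, key) == msg

    public, private = rsa_keygen(61, 53, e=17)    # toy primes, n = 3233
    c = rsa_encrypt(65, public)
    assert rsa_decrypt(c, private) == 65
    assert recover_private_key(public) == private  # attacker succeeds on toy n
    print("otp and textbook rsa round-trips ok")
```

Two practical notes. The legitimate recipient never factors anything: decryption is one modular exponentiation with d, and only an attacker who lacks d has to factor n. And textbook RSA as written here, with no padding, is deterministic and malleable; real deployments wrap the message with a padding scheme such as OAEP before exponentiation.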

  • nj_v2

    What none of us are secure from:

    http://current.com/shows/viewpoint/videos/nsa-whistle-blowers-warn-that-the-us-government-can-use-surveillance-to-see-into-your-life/


    NSA whistle-blowers warn that the US government can use surveillance to ‘see into your life’

    National Security Agency whistle-blowers Thomas Drake, former senior official, Kirk Wiebe, former senior analyst, and William Binney, former technical director, return to “Viewpoint” to talk about their allegations that the NSA has conducted illegal domestic surveillance. All three men are providing evidence in a lawsuit by the Electronic Frontier Foundation against the NSA. Drake says the spying affects “the entire country,” citing a “key decision made shortly after 9/11 which began to rapidly turn the United States of America into the equivalent of a foreign nation for dragnet blanket electronic surveillance.” “It’s hard to believe that your government’s gonna actually do it,” Wiebe says. “That was the shocker.” Binney mentions an NSA facility currently under construction in Bluffdale, Utah: “That facility alone can probably hold somewhere close to a hundred years’ worth of the communications of the world.” Binney continues, “Once you accumulate that kind of data — they’re accumulating against everybody — [it’s] resident in programs that can pull it together in timelines and things like that and let them see into your life.”

    • AC

      i mentioned this on the show yesterday on gun control because of the CO shooter; what confuses me is how they missed the purchase of the multiple weapons and 6k bullets if there are tech measures like this going on???
      argh!!  i’m so confused!!
      is this enough or should we be spied on MORE???

      • TFRX

        That’s what they say about turning “data” into “information”. The data is stored, but what can be done with it?

        Any combination of human and machine (which in movies is always faster than in real life) is still trying to digest stored data, like the proverbial firehose aimed at a teacup.

        And storing more and more data doesn’t make any one search or recognition task necessarily any easier or faster.

        • DrewInGeorgia

          Good ol’ bottleneck, the never ending battle.

  • ButTheyMEANWell
    • Farstrider_2

      Actually, that would be an excellent example of cracking.  Or vampirism. 

  • http://www.facebook.com/profile.php?id=1408098372 Mari McAvenia

    An “ethical hacker”? Isn’t that like a vegetarian butcher?

    • nj_v2

      I dunno … i’m vegetarian (mostly) and i used to work in a restaurant where i had to prepare some meat.

    • http://twitter.com/rouzbehf Rouzbeh 3.1

      I have tried all of my adult life to become a hacker, and a great deal of it has been ethics. Being a hacker is ethical by definition.

      http://en.wikipedia.org/wiki/Hacker_ethic#The_hacker_ethics

      The problem is that the media has hijacked the definition and totally misrepresents it, to the point that the real definition is completely obscured by “cracking”… yes, cracking into systems is part of it but not all. Now even cracking is not a bad thing; it fights for transparency. Governments and institutions do not like hackers and treat them as “Robin Hoods”! Hackers are the true custodians of democracy and freedom. Hackers are the true innovators. In short, the world is a better place because of all hackers like Steve Wozniak, John Walker, Julian Assange, etc.

      btw. true hackers do not go to these events. It’s a honey pot.

    • Farstrider_2

      You might want to learn something about a subject before firing off a smartaleck comment. 

  • AC

    somebody brought up a good point the other day; the more tech secure we make ourselves, the more diff it will be to prove our case if/when you DO get hacked for ill…..
    what do you think of this?

  • Yar

    Hacker is a vague term; there is a big difference between a vandal and a carpenter. Both may use a screwdriver. The vandal doesn’t necessarily know how to build or repair something. The same is true for many hackers. I would like to see more packet analysis at the router level. I think many vulnerabilities could be solved at the network level.

  • Ian

    Conspiracy Theory:

    That week+ power outage a little while ago = cyber attack.
    When has the power grid ever been so broken down for such a long period of time?

  • BHA in Vermont

    If customers can opt out of smart meters without paying a monthly fee, those that get the smart meters should receive a CREDIT. There is no need for anyone to visually read the smart meter (in some places every other month, “guessing” the alternate month). This dollar saving to the utility is in addition to the value to the utility of being able to better understand their load. People with smart meters should directly benefit from having them.

    • DrewInGeorgia

      And the reduction in required man hours should translate back as reduced cost to the consumer and increased compensation to the employees that are fortunate enough to keep their jobs. Of course that’s not what will happen though, profit gets the gain every time.

      • J__o__h__n

        Didn’t ATMs and electronic payments result in lower bank fees?

        • DrewInGeorgia

          Lower fees are great, especially when they’re offset by a sufficient increase in the number of transactions.

          ;’)

  • DMC

    Tried to change my pin for a bank account yesterday…found my ex’s email as the contact…spoke to the bank…they said it was changed 2 years after our final decree…Oh, did I mention he was NEVER on any of my accounts! Geeze! How’d this happen?? Creepy…

  • AC

    on a tangent – does having a smart meter mean the meter man is no longer employable?? what % of lost meterperson jobs contribute to the overall unemployment rate?? ;)

    • Farstrider_2

      Very few will lose their jobs. Most utilities are privately held, and the meter readers are contract employees. Public utilities have been under hiring freezes nation-wide for the past few years, so combined with attrition and retirement, again, there will be few or no jobs lost.

      • AC

        that’s good news!

  • Lastcallerknowsnothing

    Ever hear of HIPAA?

  • Che’ Riviera

    Technology has undeniably left me behind.

    • DrewInGeorgia

      As well as the rest of us, we just refuse to admit it to ourselves. Ray Kurzweil had it right, unfortunately we’ve outpaced his optimism.

  • Dan

    Geithner aids in hacking US Economy, by preventing the prosecution of fraud that is necessary for our markets to function.

    http://www.capitalismwithoutfailure.com/2012/07/reinventing-crony-capitalism-context-of.html

  • Dan
  • harverd

    Here’s a quarter……

    • DrewInGeorgia

      It costs Fifty Cents these days…


  • mac

    I would like to encourage the use of electronic communication of knowledge, money matters and entertainment because it is a good use of resources.

    I just read some books about cyber security: ‘Cyber War’ and ‘America the Vulnerable’ and ‘Constitution 2.0.’ In the past, I read ‘iWoz’ which was good.

    Exploring computer systems is a good way to gain computer skills. Technology changes so fast and the documentation is not always available, so the best way to learn is to try different things. I can be more attractive in the job market with computer skills.

  • Farstrider_2

    Navigate to grc.com.  Mr. Gibson has excellent advice on how to create a strong, easily remembered password; also, see http://xkcd.com/936/ and http://xkcd.com/538/!   

  • Farstrider_2

    Regarding the statement that the industry can’t do anything about weak passwords: yes, actually they can, and password strength meters should be far more prevalent. Also, it is possible to prevent users from attempting to use the most common weak passwords, by having a file of dis-allowed passwords, or by only allowing passwords of specified minimum depth, bit-strength, etc. And a link to grc.com, on the page where you are asked to create your password, for those who have learned how to create a strong password.

    • DrewInGeorgia

      NICE! I never hear mention of Steve Gibson anymore these days. Bravo!
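The controls Farstrider_2 proposes above (a blocklist of the most common passwords, a minimum length, a minimum bit-strength) and the mnemonic Don_B1 describes earlier in the thread (the first letter of each word of a sentence only the user knows), as an added example that is not part of the original comments. The blocklist entries, thresholds and sample sentence are constructed for the demonstration; a real deployment would load a large corpus of leaked passwords instead of six strings.

```python
"""Server-side password acceptance check, as an added example.

Implements the controls Farstrider_2 proposes above (a blocklist of common
passwords, a minimum length and a minimum bit-strength) and the mnemonic
Don_B1 describes (first letter of each word of a sentence only the user knows).
The blocklist is a constructed sample of a few entries; a real deployment
loads a large corpus of leaked passwords.
"""
import math
import unicodedata

DISALLOWED = {  # constructed sample; real lists run to millions of entries
    "123456", "12345678", "password", "qwerty", "letmein", "iloveyou",
}
MIN_LENGTH = 12     # assumed policy thresholds, not from the thread
MIN_DISTINCT = 6
MIN_BITS = 50.0


def normalize(password: str) -> str:
    """Canonicalise before the blocklist lookup so that 'PassWord' and
    'password ' (trailing space) still hit the 'password' entry."""
    return unicodedata.normalize("NFKC", password).strip().lower()


def estimated_bits(password: str) -> float:
    """Crude upper bound: log2(size of inferred alphabet) per character.

    Inferring the alphabet from the character classes present over-credits
    repetitive strings ('aaaaaaaaaaaa' scores like any 12 lowercase letters),
    which is why check_password also requires distinct characters.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> list:
    """Return the list of policy failures; an empty list means accepted."""
    reasons = []
    if normalize(password) in DISALLOWED:
        reasons.append("common")
    if len(password) < MIN_LENGTH:
        reasons.append("short")
    if len(set(password)) < MIN_DISTINCT:
        reasons.append("repetitive")
    if estimated_bits(password) < MIN_BITS:
        reasons.append("weak")
    return reasons


def from_sentence(sentence: str, position: int = 0) -> str:
    """Build a password from the character at `position` of every word,
    the mnemonic scheme from the thread. The sentence itself is never stored."""
    return "".join(w[position] for w in sentence.split() if len(w) > position)


if __name__ == "__main__":
    # constructed sentence; a user would pick one meaningful only to them
    pw = from_sentence("Our cat Mittens ate 3 of my 4 homework assignments in March 2012, honestly!")
    print(pw, check_password(pw))          # OcMa3om4haiM2h []
    print(check_password("PassWord"))      # ['common', 'short', 'weak']
```

The check runs server-side on the registration or change-password request, so a client-side meter cannot be bypassed; the same routine should be applied again at login time whenever the blocklist is updated, so existing weak passwords are forced through a reset rather than grandfathered in.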

  • TLArnow

    The word “hacker,” means many things and has become overused, in large part due to television. The first time I heard it, long ago, was from an artificial intelligence instructor. He meant somebody sitting long hours at a computer writing code in a hit or miss fashion.

    Later, when I worked at a small company, the owner’s husband accused me of “hacking,” meaning that I wrote programs without enough planning in advance, no illegality intended. (A word of advice, when working at a small company stay on good terms with the owner’s spouse.)

    So when discussing hackers, make sure that all parties agree on the meaning intended.

    I did not hear the whole program and hope that somebody discussed the Stuxnet worm. It makes attacking smart meters or hotel rooms look like a Cessna next to the Stealth Fighter.
    Thomas L. Arnow, PhD

    • DrewInGeorgia

      Nope, no discussion on Stuxnet, Flame or Olympic Games. It didn’t delve into anything critical, it was still worth a listen in my humble opinion though. Be prepared for the expected and constant misuse of the term hacker, if you can let that slide it was a decent show.

      I still don’t get the whole Black Hat, Grey Hat, White Hat fascination. It’s always seemed pretty simple to me, either you’re a Hacker (benevolent) or a Cracker (malicious). Apparently that would be too straight forward and boring for most.


  • Gaiuscassius

    Wanted to say that Wade Goodwyn has done a great job filling in for Tom. A real pleasure to listen to him host On Point.

  • Gordon

    For the Vermont caller, the systems being installed in Vermont are not first generation meters. A lot has already been incorporated to address your concerns. If you are really concerned then ask questions of your utility before reacting out of fear. Of course the people involved in selling security services are going to present the information in a why that heightens your emotional response. Let’s not go back to the 50′s and ignore the potentials that technology can provide. I would be more concerned about the technology being used to put off the need to generate more and cleaner power.

