Concerns over the latest hi-tech security vulnerabilities have been highlighted at a conference in Kuala Lumpur, Malaysia. There seems to be an unspoken understanding among hackers that dressing in black is cool. Hack in the Box, Asia’s leading hacking and security gathering, is full of geeks in black. And their cloak and dagger looks add a certain frisson to the occasion.
However though some may dress in black they are not ‘black hats’ as malicious hackers are known. Most put their hacking skills at the service of industry closing down security loopholes.
There are presentations about weaknesses in Vista, Microsoft’s new operating system due out early next year; ‘blue pill’ attacks that can create a virtual computer within your own without you knowing anything about it.
There are talks on the use of technology to track our every move and record our every written or even spoken thought and there are lectures about technical issues so dense just reading their titles makes my brain ache.
However if there’s a discernable thread running though many of this year’s presentations in Kuala Lumpur it’s the vulnerability of communications software and technology.
The term ‘phishing’ has entered the English lexicon, defined as an attempt to gain access to an individual’s bank or other sensitive personal details by using fraudulent e-mails or by diverting him or her to bogus websites.
Check your inbox and if it is like mine you’ll find dozens of security alerts purporting to be from banks.
This morning I had e-mails purporting to be from Barclays and Volksbanken Raiffeisenbanken. Both contained Trojans designed to phish for information.
You might think that your phone was secure but if you or the institution you are ringing uses Voip (internet telephony) you might have to think again.
Telecoms security specialists like “The Grugq”, who kept his school nickname as a cover for his hacking activities, are highly sceptical.
“Basically Voip is going to make telephony as secure as the internet,” he says. That’s about as damning as a hacker can be.
“What I expect we’re going to be seeing in a few months, and what’s already technically possible, is for an attacker to gain access to a call centre.”
The Grugq outlines a scenario in which “the customer does everything right,” rings his bank’s legitimate number, is put through to a call centre whether in the US, UK or even India and has their call hijacked.
“An attacker would be able to [hack] into the call centre. He could then set up a server that would monitor all of the traffic and during the hold music it would be possible for an attacker to inject content such as ‘In order for us to better serve you please enter your account number and PIN code’.”
If that were to happen, you have just handed over your bank details to someone who wants to empty out your accounts. And the Grugq has bad news for companies looking to save money through Voip.
“They need to make sure that everyone who has a Voip system that’s connected to the internet is secure otherwise the entire system falls apart. It’s basically a house of cards.”
And if internet usage and mobile Voip telephony takes off with the next generation of mobile phones (3.5 / 4G), experts say its coding, known as IPv6, will be open to the same sort of “man in the middle attacks” that The Grugq describes.
“The vulnerabilities that we have in our current internet protocol they still have similar vulnerabilities in the upcoming IP version 6,” says Van Hauser, a member of The Hacker’s Choice, a group of international network and system security experts.
“There are ways to secure it if implemented correctly, set up correctly, administered correctly which will be a big challenge but at least there is a chance and a hope.”
Triple Play, the term used for bundled internet telephony, data and TV services, is also open to hacking, says Yen-Ming Chen, who works for the Foundstone division of the McAfee security software company.
“Right now we see vulnerabilities in different components in this whole architecture so we categorise them into home networks, delivery and management network and also the back end and content source.
“What that could mean in practice is that rather than storming the local TV station political hackers could take control from the comfort of their own bedrooms.
“In this case the goal of the attackers would be taking control of a lot of home users set top boxes or just computers,” says Chen, “and then to broadcast whatever content they want to. That’s the worst scenario, for whatever political motivation or anything like that.”
But perhaps the most intriguing possibility is that of hackers hijacking satellites.
Jim Geovedi, a Jakarta based information security consultant with Bellua Asia Pacific doesn’t look like a Bond villain. But he possesses secrets that some of them might kill for.
“There’s a theory that if somebody can control one satellite they can cross to the next satellite and create a chain of destruction because everything is around the equator. If everything is destroyed so you don’t have any communication, any TV any data transfer’.”
It is just a theory, but can someone actually do it?
“Hacking satellites is not as easy as hacking kids’ toys,” he says.
“It’s very difficult. Every manufacturer has their own kind of technology. You have to understand everything.
“But, hacking a commercial satellite that’s been up there more than 10 years is very easy for some people, if you have the right equipment.”
“In my experience telecoms companies and lots of other companies only do what is absolutely necessary and hope that the rest will not fall apart,” says Van Hauser.
It is a view echoed by The Grugq: “When they [banks] really start losing money on it they’ll have the motivation to come up with some way of fixing it.”
Security fears raised at conference
Leave reply