What to watch at Black Hat and Defcon

Trying to predict the big news at Black Hat and Defcon isn't easy


What Kraken doesn't do is pull the calls out of the air. But there is another GSM-sniffing project -- called AirProbe -- that's looking to make that a reality. The researchers working on these tools say that they want to show regular users what spies and security geeks have known for a long time: that the A5/1 encryption algorithm used by carriers such as T-Mobile and AT&T is weak, and can be easily broken.

But why break GSM encryption when you can simply trick phones into connecting with a fake base station and then drop encryption? That's just what Chris Paget plans to demo in Las Vegas this week, where he says he'll invite conference attendees to have their calls intercepted. Should be a fun demo, if it's legal. Paget thinks it is. He has also set what he calls the "world record" for reading RFID tags at a distance -- hundreds of meters -- which he'll be discussing at a Black Hat talk.

Another researcher, known only as The Grugq, will talk about building malicious GSM network base stations and components on mobile devices. "Trust us, you'll *want* to turn off your phone for the duration of this talk," the talk's description reads.

And in a week that was kicked off with Citibank's admission that it had messed up security on its iPhone app, another talk to watch will be Lookout Security's "App Attack," which will shed light on insecurities in mobile applications.

4: Industrial nightmare

Siemens got a taste this month of what it's like to respond to a real-world SCADA (supervisory control and data acquisition) attack, when someone unleashed a sophisticated worm attacking its Windows-based management systems. But SCADA experts say that Siemens was just unlucky, and that this type of attack could easily have taken down any of the company's competitors too. In fact, there are plenty of security issues plaguing industrial control systems -- so many that they're getting their own track at Black Hat this year.

Over the past 10 years, Jonathan Pollet, the founder of Red Tiger Security, has run security assessments on over 120 SCADA systems, and he'll talk about where security vulnerabilities are most likely to crop up. Pollet says that many networks have developed a kind of no man's land between IT and industrial systems -- computers that are often at risk because nobody really seems to take complete ownership of them.

Pollet will talk about where these bugs show up in the infrastructure -- his company has collected data on 38,000 vulnerabilities -- and the types of exploits that have been written for them. "You don't have to wait for zero-day vulnerabilities," he said. "There are already a lot of exploits out there."

5: Wildcard!

Will the Zero for Owned group, who hacked Dan Kaminsky and others on the eve of last week's show, return? Will the feds or AT&T stop Paget from messing with GSM? Will an irate ATM vendor launch a last-minute legal challenge to Barnaby Jack's talk? Will Defcon's Social Engineering contest cause someone in the financial services industry to blow a gasket? Will a swarm of bees infest the pool at the Riviera? Who knows, but in Vegas, expect the unexpected.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Copyright © 2010 IDG Communications, Inc.
