honoluluadvertiser.com

The Honolulu Advertiser
Posted on: Monday, August 11, 2008

More than one way to hack into your computer system

By Jordan Robertson
Associated Press


Eric Schmiedl, a lock-picking expert and college undergrad, was one of the speakers Friday at the DefCon hackers' convention in Las Vegas that airs computer security issues.

JAE C. HONG | Associated Press


LAS VEGAS — Want to break into the computer network in an ultra-secure building? Ship a hacked iPhone there to a nonexistent employee and hope the device sits in the mailroom, scanning for nearby wireless connections.

How about stealing someone's computer passwords? Forget trying to fool the person into downloading a malicious program that logs keystrokes. A tiny microphone hidden near the keyboard could do the same thing, since each keystroke emits a slightly different sound that can be used to reconstruct the words being typed.

Hackers at the DefCon conference here were demonstrating these and other novel techniques for infiltrating facilities last week.

Their talks were a reminder of the danger of such physical invasions breaching otherwise hard-to-crack computer networks. It's an area once defined by Dumpster diving and crude ruses, like phony phone calls.

As technology gets cheaper and more powerful, from cell phones that act as personal computers to minuscule digital bugging devices, it's enabling a new wave of clever attacks that can be as effective and less risky for thieves than traditional computer-intrusion tactics.

MAILROOM GAP

Consider Apple Inc.'s iPhone, a gadget whose processing power and cellular and wireless Internet connections make it an ideal double agent.

Robert Graham and David Maynor, co-founders of Atlanta-based Errata Security, showed off an experiment in which they modified an iPhone and sent it to a client company that wanted to test the security of its internal wireless network.

Graham and Maynor programmed the phone to check in with their computers over the cellular network.

Once inside the target company and connected, a program they had written scanned the wireless network for security holes.

They didn't find any, but the exercise demonstrated an inexpensive way to do penetration testing and the danger of unexpected devices being used in tech attacks.

If they had found an unsecured router in their canvassing, they likely would have been able to waltz inside the corporate network to steal data.

To keep the phone running, the researchers latched on an extended-life battery that lasts days on end.

But they only really need a few minutes inside a building to test the network's security.

"It's like saying, once you get into Willy Wonka's Chocolate Factory, and you're in the garden where everything's edible, you have it all," Graham said in an interview.

The attack won't work, of course, if a company's wireless network is properly secured.

In that case, Graham and Maynor said, there's likely no big loss: the package that had been sitting in the mailroom would probably be mailed back to them, so they could try it again elsewhere.

SPY GEAR EVERYWHERE

Another talk focused on new twists to Cold War-era espionage tactics that could allow criminals to sidestep the locks on computer networks.

Eric Schmiedl, a lock-picking expert and undergraduate at the Massachusetts Institute of Technology, outlined several surveillance methods long used by government intelligence agents that have become more accessible to garden-variety criminals because of the falling price of the technologies.

For example, Schmiedl said, even low-budget criminals now have a way to eavesdrop on conversations through a window. It involves bouncing a beam from a laser pointer off the glass and through a light sensor and audio amplifier.

If the people inside the room are close enough to the window, their conversation creates vibrations that the equipment can translate into a crude reconstruction of the conversation, Schmiedl said.

"We're burning the candle at both ends," he said. "The technology is becoming easier and cheaper and anybody can do it. And at the same time there's more incentive now to do it. These are two trains on a collision course.

"The question is when they're going to collide."