Navastream Inc.

Hackers Warn of Privacy Dangers

Privacy International leader tells Black Hat conference attendees to demand greater accountability from governments and organizations dealing with personal data.

Thursday, March 31, 2005

AMSTERDAM -- Hackers heard a call on Thursday to challenge governments and corporations about the collection, use, and protection of private information.

Simon Davies, a professor at the London School of Economics and director of Privacy International, told security researchers they would have to demand more transparency from organizations that deal in private information.

"Governments and businesses are saying ‘surrender your privacy and we’ll give you benefits and make a safer society.’ We have to push for greater accountability. We’re giving up this ancient right and the government’s not prepared to budge," said Mr. Davies.

Recent scandals at Choicepoint, Reed Elsevier, Bank of America, and the University of California, Berkeley, have compromised the private information of millions of people. This data can be used to steal identities, apply for credit cards, and ruin debt records (see "SEC probes Checkpoint").

Mr. Davies called on the community of security experts gathered at the annual Black Hat Europe conference to scrutinize corporate precautions against data theft. "If we can’t beat the privacy intrusions that are happening across the world today, there will be far more vicious attacks in the future," he said.

The conference has drawn more than 300 people from 20 countries to the Grand Hotel Krasnapolsky in Amsterdam, according to organizer Jeff Moss. It concludes Friday evening.

Privacy International, which Mr. Davies runs, will meet in Seattle on April 14 to announce its annual "Big Brother Awards." The dubious honor recognizes people and organizations that have done the most to eliminate personal privacy.

"Frankly, it’s to the point now where Choicepoint’s gotten out of control. If I were a betting man, I’d put money on it to win the lifetime menace award," said Mr. Davies. Previous winners include Osama Bin Laden, Trans Union, and the FBI.

Vulnerable computers

But privacy policy wasn’t the only topic covered at the conference. Techies talked about problems with software and hardware that could potentially be used to cause damage to computer systems.

Joe Grand, for example, gave a talk on vulnerabilities in common computer hardware. He said it was possible to break into a certain type of Dell wireless access point because nobody ever thought hackers would pull the appliance apart and test the software inside. "So many people in the computer industry trust hardware to be secure just because it’s hardware. It’s a total false sense of security," he said.

Hardware problems are harder to fix than software holes. Mr. Grand, the author of Hardware Hacking: Have Fun While Voiding Your Warranty, said companies can’t just send out a piece of programming code each time a security researcher finds a problem.

Imagine the problem Texas Instruments faced when experts found a way to tamper with an RFID system it sold to gas stations. "There are over 150 million of these tags deployed in the U.S. alone. This is a problem where TI obviously knows of the issue, but how do they manage this problem? It would be very expensive," said Mr. Grand.

Broken systems

A common theme for the presenters has been that problems that are expensive to fix stay broken longer. Dan Kaminsky understands this better than most. He will be speaking about problems in the Domain Name System, or DNS. The Internet has used DNS since 1983 to translate domain names into IP addresses. It is like a white pages directory for your web browser.

DNS has not evolved since its inception. It has become the horseshoe crab of the Internet because it would be amazingly expensive to change. Mr. Kaminsky, a researcher at Avaya, has found ways to anonymously post and store information using DNS. More applications, such as eavesdropping on Internet traffic, may be on the way.

Antivirus strategies

Black Hat attendees can expect to hear from Alex Wheeler and Neel Mehta from Internet Security Systems (ISS). The two will be talking about ways to hack into computers through antivirus programs.

This is particularly relevant because Symantec patched a flaw in its antivirus product on Monday. Japanese researchers found Symantec’s program was susceptible to a "denial of service" attack, where the computer is blitzed with too many requests for information at the same time.

ISS has been on the warpath for problems in other security companies’ software. In February, Symantec patched a hole researchers at ISS discovered that left most of its product line vulnerable to hacker takeover attacks. On March 17, ISS warned McAfee antivirus users of a flaw in the company’s scanning software (see "CA plans patch").