NSA Chief Asks For Hackers' Help
Forget Olympic gymnastics, weight-lifting and water polo. The truly epic events of the last weekend were reverse engineering, lockpicking and codebreaking.
The annual five-day, back-to-back Las Vegas security conferences Black Hat and Defcon provide the main stage for the information security community’s biggest stunts and revelations–more than any one reporter can cover. So here are a few of the highlights from this year’s hacker bonanza that I haven’t already written about.
In a bizarre meeting of worlds, National Security Agency chief and U.S. Army Cyber Command general Keith Alexander addressed Defcon for the first time ever, calling on the hackers present to help secure America’s infrastructure. Alexander flattered the audience as “the world’s best cybersecurity community” and even referred them to a job recruitment site set up specifically for the conference. When an audience member asked if the NSA compiles profiles on every American, Alexander called the claim “absolutely false.” But an ex-NSA analyst and others on a panel the following day took issue with Alexander’s remarks, accusing him of hiding the full story on domestic surveillance.
Crypto hackers Moxie Marlinspike and David Hulton announced the release of tools for cracking the cryptography of common wireless networks and VPNs by attacking a Microsoft authentication scheme known as MS-CHAPv2. Hulton and Marlinspike found a weak link in the authentication scheme’s security in its implementation of the Data Encryption Standard, an encryption scheme known to be insecure. The pair has added a $200 service for breaking the scheme to Marlinspike’s CloudCracker.com, a site for password cracking and penetration testing launched in February.

Researcher Thomas Cannon showed that Android encryption can be easily cracked due to its weak passwords–the device uses the same short PIN or unlock pattern to encrypt and decrypt data as to unlock the handset after a short period of idleness. That means a lost or stolen phone could have its data compromised by a brute-force password-guessing attack.
The group of hackers that calls itself Ninja Networks, known for throwing an elaborate annual party at Defcon, outdid themselves by building a private GSM network called “Ninja Tel” and distributing 650 phones with a custom operating system to invitees. The phones featured an app that spit sodas out of nearby vending machines as well as a conference call party line, but its privacy policy left something to be desired: “You hereby grant Ninja Tel permission to listen to, read, view and/or record any and all communications sent via the network to which you are a party,” it read in part. “Before you get all upset about this, you already know full well that AT&T does this for the NSA.”
**Apple broke its usual silence on security issues,** sending its manager of platform security Dallas De Atley to give Black Hat’s audience a primer on iOS architecture. But the talk was criticized as little more than a well-rehearsed reading of a whitepaper, and De Atley refused to take questions before escaping out a service exit rather than mingle with members of the audience. “Steve Jobs he is not,” wrote the New York Times.