Wireless drone sniffs Wi-Fi, Bluetooth, phone signals

LAS VEGAS--Forget Wi-Fi war driving. Now it's war flying.

A pair of security engineers showed up at the Black Hat security conference here to show off a prototype that can eavesdrop on Wi-Fi, phone, and Bluetooth signals: a retrofitted U.S. Army target drone, bristling with electronic gear and an array of antennas.

"Nobody's really looking at this from a threat perspective," said Mike Tassey, a security consultant who works for the U.S. government intelligence community. "There's some pretty evil stuff you can do from the sky."

The term war driving, meaning …

When hacking Chrome, it's all about your data

LAS VEGAS--Google touts the Chrome OS as being free from traditional security concerns like malware, but it's still vulnerable to entirely different kinds of attacks, two researchers from the firm WhiteHat Security told Black Hat attendees here today.

The Chrome OS is unlike any other desktop system currently available, said Matt Johansen, WhiteHat Security's team lead. "It's more similar to mobile devices and apps, where to get more out of the device you're going to need to install extensions," he said. "Mobile bugs are being sold for 20 to 30 percent more than …

Researcher demos attacks on Siemens industrial control systems

LAS VEGAS--A researcher said today that he has discovered a number of vulnerabilities in programmable logic controllers (PLCs) from Siemens that are used to automate mechanical devices in utilities, power plants, and other industrial control environments and which could be remotely controlled to cause damage if connected to the Internet.

Dillon Beresford, a security researcher at NSS Labs, conducted demos of some attacks on the various Siemens Simatic Step 7 systems during his presentation at the Black Hat security conference here.

Beresford's work shows that it's possible to read and write data to a PLC memory even when …

Microsoft offers $250,000 for security defense research

LAS VEGAS--Microsoft today announced that it will give out $250,000 in BlueHat Prize rewards for innovative research on computer security defense.

Winners will be announced at next year's Black Hat security conference, with the grand prize being $200,000 and second prize being $50,000, Katie Moussouris, head of Microsoft's Security Community Outreach and Strategy team, said in a conference call from the conference being held here.

Researchers will own the intellectual property from their inventions and Microsoft will be able to use the technology under a royalty-free license, she said.

"This is a new program …

Researchers warn of SCADA equipment discoverable via Google

LAS VEGAS--Not only are SCADA systems used to run power plants and other critical infrastructure lacking many security precautions to keep hackers out, operators sometimes practically advertise their wares on Google search, according to a demo today during a Black Hat conference workshop.

Acknowledging that he wouldn't click on any link results to avoid breaking the law by accessing a network without authorization, researcher Tom Parker typed in some search terms associated with a Programmable Logic Controller (PLC), an embedded computer used for automating functions of electromechanical processes. Among the results was one referencing a "RTU pump status…

DefCon Kids joins adult hacker conferences

LAS VEGAS--Hackers of all types will be making their annual pilgrimage to the Black Hat and DefCon security conferences this week, including children who will learn how to write ciphers, hack circuit boards, and pick locks.

This marks the first year for DefCon Kids, which targets children aged 8 to 16. The event will run alongside all of the regular DefCon security and hacking sessions and the fun events for the adults like Hacker Karaoke, Hacker Jeopardy, Mohawk-Con, and an alcoholic ice cream contest.

"DefCon is a very adult orientated conference, more of a party than your typical conference. …

Journalist faces charges over transit card flaw reports

LAS VEGAS--Dutch journalist Brenno de Winter has covered Black Hat and Defcon for years, but he won't be at the security conferences here this week and is hindered in his work after being targeted by Dutch transportation companies for publicizing weaknesses in the new transit chip card.

De Winter, a freelancer who covers security for IDG affiliate WebWereld and other Dutch media outlets, has written articles about the problems with the OV transit chip card and appeared on numerous TV and radio stations in January demonstrating how the OV transit payment system could be defrauded by using software tools available on the Internet. Introduction of the card was temporarily postponed, and the Dutch Parliament skipped a debate on the war in Afghanistan to discuss the matter, he told CNET in a call today.

Trans Link Systems--formed by the five largest Dutch public transportation companies to create a single payment system, dubbed the OV chip card--filed a criminal complaint against de Winter with the public prosecutor's office and in June police questioned him for four hours, he said. No official charges have been filed, but de Winter said he has learned that he potentially faces charges of manipulating a debit card, having the tools to do so, and hacking a system, which could bring a six-year prison sentence.

A Trans Link spokesman said de Winter was questioned as part of an investigation into fraud. "Trans Link Systems filed a criminal complaint with the public prosecutor's office against fraud with OV-chipcards. Not against de Winter," spokeswoman Anita Hilhorst said in an e-mail statement. "The public prosecutor has investigated this fraud and because of this investigation the police questioned de Winter."…

Automated stock trading poses fraud risk, researcher says

An emphasis on speed and a lack of security make automated trading in financial markets ripe for exploitation and fraud, a security researcher warned today.

Most stock trades in the U.S. and many around the world in general are now made by data-crunching computers that buy and sell stocks in microseconds--something that used to take human traders minutes to do. With these algorithm-based, high-frequency trades, a fraction of a second can be worth millions of dollars for an investor. (See CBS 60 Minutes report on this.)

In the push for greater speed and thus higher profits, security is sacrificed, James …

Expert hacks car system, says problems reach to SCADA systems

Researcher Don A. Bailey will be showing at the Black Hat security conference next week how easy it is to open and even start a car remotely by hacking the cellular network-based security system. Even more disturbing is the message that demonstration brings, that cars aren't the only things at risk.

"We are seeing more GSM [Global System for Mobile Communications]-enabled systems popping up in consumer culture and industrial control systems. They're not just in Zoombak [Global Positioning System] location devices and personal security control systems, but also in sensors deployed for waste treatment facilities, SCADA […

Chrome OS has security flaws, claims researcher

Google may see its Chrome operating system as more secure than traditional alternatives, but one security researcher believes the cloud-based OS is vulnerable, according to a Reuters story published yesterday.

WhiteHat Security researcher Matt Johansen said he found a flaw in a Chrome OS application that he was able to exploit to gain control of a Google e-mail account. Though Google fixed the flaw after it was reported, Johansen claims to have discovered other applications with the same flaw, Reuters said.

In citing the security holes in Chrome OS, Johansen specifically pointed to the ability of hackers who can steal …