net.wars: White rabbits
by Wendy M Grossman | posted on 02 September 2011
I feel like I am watching magicians holding black top hats. They do…you're not sure what…to a mess of hexadecimal output on the projection screen so comprehensible words appear…and people laugh. And then some command line screens flash in and out before your eyes and something absurd and out-of-place appears, like the Windows calculator, and everyone applauds. I am at 44con, a less-crazed London offshoot of the Defcon-style mix of security and hacking. Although, this being Britain, they're pushing the sponsored beer.
In this way we move through exploits: iOS, Windows Phone 7, and SAP, whose protocols are pulled apart by Sensepost's Ian de Villiers. And after that Trusteer Rapport, which seems to be favored by banks and other financial services, and disliked by everyone else. All these talks leave a slightly bruised feeling, not so much like you'd do better to eschew all electronics and move to a hut on a deserted beach without a phone as that even if you did that you'd be vulnerable to other people's decisions. While exploring the inner workings of USB flash drives (PDF), for example, Phil Polstra noted in passing that the Windows Registry logs every single time you insert one. I knew my computer tracked me, but I didn't quite realize the full extent.
The bit of magic that most clearly makes this point is Maltego. This demonstration displays neither hexadecimal code nor the Windows calculator, but rolls everything privacy advocates have warned about for years into one juicy tool that all the journalists present immediately start begging for. (This is not a phone hacking joke; this stuff could save acres of investigative time.) It's a form of search that turns a person or event into a colorful display of whirling dots (hits) that resolve into clusters. Its keeper, Roelof Temmingh, uses a mix of domain names, IP addresses, and geolocation to discover the Web sites White House users like to visit and tweets from the NSA parking lot. Version 4 - the first version of the software dates to 2007 - moves into real-time data mining.
Later, I ask a lawyer with a full, licensed copy to show me an ego search. We lack the time to finish, but our slower pace and diminished slickness make it plain that this software takes time and study to learn to drive. This is partly comforting: it means that the only people who can use it to do the full spy caper are professionals, rather than amateurs. Of course, those are the people who will also have - or be able to command - access to private databases that are closed to the rest of us, such as the utility companies' electronic customer records, which, when plugged in, can link cyberworld and real world identities. "A one-click stalking machine," Temmingh calls it.
As if your mobile phone - camera, microphone, geolocation, email, and Web browsing history - weren't enough. One attendee tells me seriously that he would indeed go to jail for two years rather than give up his phone's password, even if compelled under the Regulation of Investigatory Powers Act. Even if your parents are sick and need you to take care of them? I ask. He seems to feel I'm unfairly moving the bar.
Earlier the current mantra that every Web site should offer secure HTTP came under fire. IOActive's Vincent Berg showed off how to figure out which grid tile of Google Maps and which Wikipedia pages someone has been looking at despite the connection's being carried over SSL. The basis of this is our old friend traffic analysis. It's not a great investigative tool because, as Berg himself points out, there would be many false positives, but side-channel leaks in Web pages are still a coming challenge (PDF). SSL has its well-documented problems, but "At some point the industry will get it right." We can but hope.
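To make the traffic-analysis point concrete, here is an added toy example (mine, not code from the column or from Berg's talk): SSL hides the content of a response but not its length, so an eavesdropper who has pre-recorded the sizes of a finite set of resources can match an observed encrypted transfer against that dictionary. The resource names, sizes and per-record overhead below are all constructed for the illustration, not measured from Google Maps or Wikipedia. The same code also shows why Berg expects false positives (two resources of equal size are indistinguishable) and the simplest countermeasure, padding responses up to a fixed block size, which deliberately widens those collisions.

```python
"""Toy traffic-analysis classifier for SSL/TLS-protected responses.

Added example, not from the column or the talk it describes. All
fingerprint sizes and resource names are constructed assumptions.
"""
from collections import defaultdict

# Constructed fingerprint dictionary: resource -> plaintext response size in
# bytes, as an attacker might pre-record by fetching each resource themselves.
FINGERPRINTS = {
    "tile/15/16372/10898": 9137,
    "tile/15/16373/10898": 9480,
    "tile/15/16372/10899": 9137,   # deliberately the same size as the first tile
    "wiki/Traffic_analysis": 41220,
    "wiki/Side-channel_attack": 58771,
}

TLS_RECORD_MAX = 16384   # maximum TLS plaintext fragment per record (RFC 5246 s6.2.1)
TLS_OVERHEAD = 21        # assumed per-record overhead: 5-byte header + 16-byte AEAD tag


def to_records(plaintext_len):
    """Split a response into the sequence of record lengths an eavesdropper sees."""
    records = []
    remaining = plaintext_len
    while remaining > 0:
        chunk = min(remaining, TLS_RECORD_MAX)
        records.append(chunk + TLS_OVERHEAD)
        remaining -= chunk
    return records


def observed_plaintext_len(record_lens):
    """Recover the plaintext byte count from observed record lengths."""
    return sum(r - TLS_OVERHEAD for r in record_lens)


def size_index():
    """Group fingerprinted resources by size; any group larger than one is a collision."""
    index = defaultdict(list)
    for name, size in FINGERPRINTS.items():
        index[size].append(name)
    return {s: sorted(names) for s, names in index.items()}


def classify(record_lens, tolerance=0):
    """Return every fingerprinted resource whose size matches the observation.

    More than one candidate means the eavesdropper cannot tell them apart:
    this is the false-positive problem Berg points out.
    """
    size = observed_plaintext_len(record_lens)
    return sorted(n for n, s in FINGERPRINTS.items() if abs(s - size) <= tolerance)


def padded(size, block=4096):
    """Round a response up to a multiple of `block`: the simplest countermeasure."""
    return -(-size // block) * block


def classify_padded(record_lens, block=4096):
    """Classify against a dictionary whose entries were served padded to `block`."""
    size = observed_plaintext_len(record_lens)
    return sorted(n for n, s in FINGERPRINTS.items() if padded(s, block) == size)


if __name__ == "__main__":
    capture = to_records(9480)        # constructed capture of one tile fetch
    print("records seen:", capture)
    print("unpadded guess:", classify(capture))
    print("with 400-byte tolerance:", classify(capture, tolerance=400))
    print("server pads to 4 KiB:", classify_padded(to_records(padded(9480))))
```

Run as-is, the script shows the three regimes in turn: an exact size match identifies the tile uniquely, a looser tolerance (needed in practice because compression and headers vary) pulls in neighbouring tiles as false positives, and once the server pads every response to a 4 KiB boundary the three tiles become indistinguishable while the two much larger article sizes still stand out, which is why padding alone is only a partial fix.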
It was left to Alex Conran, whose TV program The Real Hustle starts its tenth season on BBC Three on Monday, to wind things up by reminding us that the most enduring hacks are the human ones. Conran says that after perpetrating more than 500 scams on an unsuspecting public (and debunking them afterwards), he has concluded that just as Western music relies on endless permutations of the same seven notes, scams rely on variations on the same five elements. They will sound familiar to anyone who's read The Skeptic over the last 24 years.
The five: misdirection, social compliance, the love of a special deal, time pressure, social proof (or reinforcement). "Con men are the hackers of human nature", Conran said, but noted that part of the point of his show is that if you educate people about what the risks are they will take the necessary steps to protect themselves. He then dispensed this piece of advice: if you want to control the world, buy a hi-vis jacket. They're cheap, and when you're wearing one, apparently anyone you meet will do anything you tell them without question. No magic necessary.
Wendy M. Grossman’s Web site has an extensive archive of her books, articles, and music, and an archive of all the earlier columns in this series. Readers are welcome to post here, at net.wars home, follow on Twitter or send email to netwars(at) skeptic.demon.co.uk (but please turn off HTML).