BBC Home
Explore the BBC
BBC News
Launch consoleBBC NEWS CHANNEL
Last Updated: Thursday, 20 September 2007, 12:53 GMT 13:53 UK
Hackers reveal day-to-day dangers
By Jonathan Kent
BBC News, Kuala Lumpur

Kuala Lumpur skyline, AP
Kuala Lumpur was host to the gathering of ethical hackers

The BBC's Jonathan Kent attends the Hack In The Box conference in Malaysia to hear about the dangers ethical hackers are starting to uncover.

These days meetings of computer hackers are no longer gatherings of pale young men sitting in rooms knee deep in pizza boxes.

Instead they're a magnet for security experts from banks and corporations eager to hear the latest in computer security research.

The annual Hack in the Box conference is first and foremost a gathering of "white hat" hackers. If the term seems opaque just think of old Westerns in which the bad guys wore black hats.

Test case

The white hats carry out independent testing of computer security systems by trying to find loopholes in them - and then usually taking their research to the companies in whose products they have discovered problems.

And what the assembled white hats were saying is that the security of a lot of the stuff we use or rely on just isn't good enough.

Take Bluetooth.

Most modern phones use this short range radio system to transfer data be it speech, images or text.

Hackers have known for years that it is vulnerable but Dino Covotsos, the Managing Director of a South African company, Telspace Systems says some phone manufacturers still seem to be complacent about it.

Receive a picture from another phone and he says that with many phones you could be offering the sender an opportunity to access all the data you have stored on the device.

CCTV camera, SPL
Many CCTV systems can be accessed via the web
"Surely we should only capture the image and send the image that we are actually looking for, rather than giving access to the entire phone," said Mr Covotsos.

As phones, media players and hand held computers converge our Bluetooth enabled devices hold more and more sensitive data.

In-car navigation systems that rely on GPS are another increasingly popular device that's vulnerable to those with malice in mind.

According to Andrea Barisani of the British security company Inverse Path the main weakness in satnav comes from its use of FM radio to get travel information.

"The problem is that that data is not secured at all, there's no sort of authentication whatsoever" said Mr Barisani. "Which means bad guys can tamper with the data and send you fake messages like fake accidents and fake closed roads and security messages like terrorist incidents."

Papers please

In an age of identity theft the passport remains one of those documents that institutions rely on for proof of identity.

The latest biomentric passports, such as those used in Malaysia, carry data such as fingerprint records on embedded RFID microchips.

But researcher Jan Krissler, who goes by the name of Starbug, says it is easy to destroy the chips, without which the passports are still valid, or plant false data on them.

"You can weed out the biometric fingerprint data from the passport and make some dummy fingerprints so you can use to cross the border with a stolen passport," he said.

Another growing problem is the security of systems that have switched to the internet from a closed point to point cabling system.

Camera phone, BBC
Many people swap snaps using Bluetooth
Take Closed Circuit TV (CCTV) systems. The rise of the net has meant that they are no longer "closed circuit".

"Different police forces need to be able to access the systems and because of that they need to be open," says Sarb Sembhi of the hi-tech watchdog ISACA. "And if they need to be open how can you control who accesses them?"

Mr Sembhi is concerned that anyone with the "know how"; criminals, terrorists or stalkers, could use CCTV systems for their own ends.

Securing systems

According to Alessio Pennasilico, an Italian security evangelist much of our essential infrastructure is vulnerable in the same way.

To save money many companies now route data for their SCADA (Supervisory Control and Data Acquisition Systems) over the net.

Mr Pennasilico said that when they did that they neglected to upgrade their security to meet the new threats being on the net exposes them to. The result, says Mr Pennasilico, is that nuclear plants, electricity networks, water companies and others are vulnerable.

"Once you are inside their network you can do whatever you want," he says.

"For example you can shut down all the system or modify data inside the system for example to make a plane fall down because the airport has the wrong information about it and inside hospitals you can kill people by changing the information about the drugs needed for different patients."

This is the stuff of novels and nightmares. But the white hats want the world to take note. Roberto Preatoni, a security expert who has just set up the online marketplace WabiSabiLabi, says the problem is that companies often don't listen to what the hackers are telling them. And when they do their responses can be unpredictable.

British passport, BBC
Many identity documents are starting to sport RFID tags
"If they're lucky the company will send them a sandwich. If they're not the security researcher will get a letter from their lawyers."

WabiSabiLabi aims to change the rules of that game. It is a virtual auction room where they can put their research up for sale.

Mr Preatoni hopes it will encourage more research by helping hackers to make a better living.

Some, such as Microsoft, are starting to see the white hats as allies - after all they helped the company find holes in Vista while it was still being tested. The Microsoft guys were at Hack in the Box this year and they were buying the beers. Literally.

Another surprise was the attendance of the US Army at the HITB conference to take part in a "live hacking" competition with teams from around the world.

They didn't win. A Vietnamese team came out top while the US Army placed fifth.

But the army guys are primarily trained to defend military networks rather than attack others, and in the defensive portion of the contest they wiped the floor with all comers.

With some analysts predicting that the Chinese military would try to hack and damage US defence computers in the event of hostilities the team's success may provide some comfort.

Scientists warn of 'vocal terror'
14 Sep 07 |  Science/Nature
Hi-tech crime 'is big business'
17 Sep 07 |  Technology
Imaging tools to aid surveillance
11 Sep 07 |  Science/Nature
Bloggers battered by viral storm
31 Aug 07 |  Technology
Cyber crime tool kits go on sale
04 Sep 07 |  Technology
Net criminals shun virus attacks
20 Jul 07 |  Technology

The BBC is not responsible for the content of external internet sites

Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit


Americas Africa Europe Middle East South Asia Asia Pacific