Security threats to Bluetooth wireless technology, credit
card hacking and tricks to bypass Windows Active Directory were
revealed at the Defcon conference in Las Vegas earlier this
month.
Experts from the CIA and FBI rubbed shoulders with hardcore
computer hackers at the conference. Once the sole preserve of
hackers, Defcon has now become a recognised fixture in the IT
industry's calendar.
One presentation showed delegates how hackers can bypass the
controls restricting user access in the Windows Active Directory
due to poor configuration of the software.
Phil Cracknell, security consultant at NetSecurity, said this kind
of threat has been largely overlooked by companies, partly because
computer viruses and worms are more visible and easier to
detect.
Users expect there to be greater security in a Windows Active
Directory environment as it allows administrators to overlay
network-based group policies onto the security permissions of
users' PCs, said Cracknell.
But Cracknell said he had come across set-ups where desktop
security had been weakened because of badly implemented Active
Directory environments.
He said he had seen examples of organisations using Active
Directory where a reboot and removal of the network cable left a PC
operating with just the desktop security policies. Restrictions on
user access that were written into Active Directory no longer
applied, said Cracknell.
"Plug in the cable and you effectively have a rogue PC on a
corporate network," he said.
Stuart Okin, chief security officer at Microsoft, said, "Users
cannot rely on security policies alone. There needs to be [system]
lockdown, end-user education and constant review."
In a warning to banks and companies that do business over the
internet, security analyst Robert Imhoff-Dousharm demonstrated
credit card hacking. Delegates were given laptops and shown how a
hacker could tap into a private network and download credit card
details, which could then be decrypted.
Richard Brain, technical director at security consultancy
Procheckup, said hacking credit cards details was relatively
straightforward.
"Certain payment systems use particular ports. You can scan this
port, capture all packets and grab credit card details," he
said.
Credit card data is secured, but only by 56-bit encryption, which
Brain said could be broken relatively easily to reveal the credit
card number, expiry date and the cardholder's name. Secure banking
transactions are usually protected by 128-bit or 256-bit
encryption.
Another presentation explained how law enforcement agencies were
using facilities on Microsoft's development tools to track down
hackers.
Businesses have long made use of the ability of Microsoft software
to track changes made to documents, but Microsoft's development
tools can also track the author and computer used to create the
program.
"If you use a Microsoft tool to create a [security exploit], the
FBI can find out who you are," said Brain. This happens because
most users generally type in the correct information when
registering new software.
|