Aug 03 2009
When heading to Las Vegas for Black Hat and Defcon, there are a number of basic security measures many of us take. Phone wireless off: check. Phone bluetooth off: check. Laptop wireless and bluetooth off: check. Use an ATM that’s nowhere near either Caesar’s or the Riviera: check. Which turned out to be a very good decision, as a fake ATM showed up at the Riviera and the machines at the Rio Hotel were debiting accounts but not dispensing money. And people were wondering why the ATMs on the conference floor at the Riviera were all unplugged from power when we arrived. Of course the network cables for the ATMs were still in place, but I hope the hotel was proactive enough to disable those ports on the switch as well. The fact that I saw one hotel information machine with an error message about network connectivity tends to support that possibility.
It’s not a joke when the networks at Black Hat and Defcon are called some of the most dangerous networks in the world. Attendees take the safety of their computers into their own hands when they connect to either network. The best answer is to not connect to the network at all if you can avoid it, but if you have to connect, encrypt every packet and every connection and use a computer with a new, patched image that you wipe as soon as you get back from the event. These aren’t the only steps you should have taken over the last week, but they’re a good start.
Along the same lines, it was a good idea to take out the money you thought you’d need before you ever got to Las Vegas for last week’s events. I have to admit I didn’t take this precaution myself; I was busy and forgot to hit an ATM before boarding the plane for Vegas. I had to take my chance with an ATM in my hotel, which luckily was not Caesar’s, the Riviera or Rio. I chose a machine that was in a heavily monitored and travelled area, looked for anything suspicious and crossed my fingers. So far it looks like my luck has held.
It’s no joke that ATMs are not secure. Many of them run on a Windows OS and have all the vulnerabilities associated with Windows, especially since I highly doubt many ATMs are configured to patch themselves with any regularity. Plus there are little things like the software my coworkers at SpiderLabs found on ATM machines in Europe earlier this year. The fact is, the entire ATM infrastructure is under attack on both a physical and virtual level. And if someone like Chris Paget, a professional who specializes in credit card and hardware security, can’t recognize a compromised machine on sight, the rest of us don’t have much of a chance.
It’ll be interesting to see how this plays out. The fake ATM that was placed in the Riviera lobby will likely have a fair amount of interesting forensic evidence, not the least of which will be potential for fingerprints inside the machine. The attackers might have thought it was a fairly harmless joke to show how stupid other security professionals can be, but I doubt the FBI will show much of a sense of humor. The Riviera staff likely took the most prudent route in disabling their ATMs in the conference center, but this sort of antic has to be trying the patience of a hotel that needs the business that Defcon brings.