Aug 03 2009

What happens in Vegas can cost you a lot

Published by at 6:28 am under Hacking,Malware,Security Advisories

When heading to Las Vegas for Black Hat and Defcon, there are a number of basic security measures many of us take.  Phone wireless off: check.  Phone bluetooth off: check.  Laptop wireless and bluetooth off: check.  Use an ATM that’s nowhere near either Caesar’s or the Riviera: check.  Which turned out to be a very good decision as a fake ATM showed up at the Riviera and the machines at the Rio Hotel were debiting accounts but not dispensing money.  And people were wondering why the ATMs on the conference floor at the Riviera were all unplugged from power when we arrived.  Of course the network cables for the ATMs were still in place, but I hope the hotel was proactive enough to disable those ports on the switch as well.  The fact that I saw one hotel information machine with an error message about network connectivity tends to support that possibility.

It’s not a joke when the networks at Black Hat and Defcon are called some of the most dangerous networks in the world.  Attendees take the safety of their computers into their own hands when they connect to either network.  The best answer is to not connect to the network at all if you can avoid it, but if you have to connect, encrypt every packet and every connection and use a computer with a new, patched image that you wipe as soon as you get back from the event.  These aren’t the only steps you should have taken over the last week, but it’s a good start.

Along the same lines, it was a good idea to take out the money you thought you’d need before you ever got to Las Vegas for last week’s events.  I have to admit I didn’t take this precaution myself; I was busy and forgot to hit an ATM before boarding the plane for Vegas.  I had to take my chance with an ATM in my hotel, which luckily was not Caesar’s, the Riviera or Rio.  I chose a machine that was in a heavily monitored and travelled area, looked for anything suspicious and crossed my fingers.  So far it looks like my luck has held.

It’s no joke that ATMs are not secure.  Many of them run on a Windows OS and have all the vulnerabilities associated with Windows, especially since I highly doubt many ATMs are configured to patch themselves with any regularity.  Plus there are little things like the software my coworkers at SpiderLabs found on ATM machines in Europe earlier this year.  The fact is, the entire ATM infrastructure is under attack on both a physical and virtual level.  And if someone like Chris Paget, a professional who specializes in credit card and hardware security, can’t recognize a compromised machine on sight, the rest of us don’t have much of a chance.

It’ll be interesting to see how this plays out.  The fake ATM that was placed in the Riviera lobby will likely have a fair amount of interesting forensic evidence, not the least of which will be potential for fingerprints inside the machine.  The attackers might have thought it was a fairly harmless joke to show how stupid other security professionals can be, but I doubt the FBI will show much of a sense of humor.  The Riviera staff likely took the most prudent route in disabling their ATMs in the conference center, but this sort of antic has to be trying the patience of a hotel that needs the business that Defcon brings.


4 Responses to “What happens in Vegas can cost you a lot”

  1. Eric Thompson on 03 Aug 2009 at 12:28 pm

    Great info here.

    I think a lot of people forget that it is not only the trustworthy security professionals that frequent these events but the nefarious types as well.

  2. Simple Nomad on 03 Aug 2009 at 1:34 pm

    Why in the world would you single out Black Hat and DefCon as having the world’s most dangerous networks? While I know people have been attacked on those networks, I understand there is this other network where evildoers try to steal CC numbers and other personal pieces of information called the Internet. Way more dangerous. And some of your precautions of turning off bluetooth etc before BH/DC, well I would never turn them on in the first place. They aren’t secure.

    Having attended numerous conferences as an attendee and as a vendor employee, I would apply those same standards to any conference — especially the big ones. I saw as much monkey business at RSA (especially in the nearby hotels to the conference) as at any hacker con. It is (or should be, I and others have lectured on it) well known that attackers already have all of the major hotel networks’ public IP ranges mapped out, and can attack without even being at a conference. Many hotels give the vendor booth networks a public IP address, and more than once as a vendor employee I have had to go over to another vendor (!) and tell them to stop trying to attack us.

    Sure, BH/DC have hostile networks, but it is naive to assume other networks are less dangerous.

  3. […] the original post: Network Security Blog » What happens in Vegas can cost you a lot Share and […]

  4. Simon on 25 Oct 2009 at 10:24 am

    Nice Post. It is so informative and I enjoyed visiting your blog…
