‘Honeynets’ and car hacking: DEF CON highlights

Think your car and route to work are safe? Your baby monitor? Is your text messaging private? Think again.

A host of research unveiled at the DEF CON hacking conference in Las Vegas over the last few days reveals the wide variety of technologies that could potentially be attacked. The good news is that experts are also finding new ways to protect the average Joe.

Here are just a few eye-openers:

Catching criminals with honeypots

A talk by AA10 Networks’ Principal Research Scientist Terrence Gareau took a very serious look at tackling criminal activity. In the talk, entitled “Oh Bother, Cruising The Internet With Your Honeys, Creating Honeynets For Tracking Criminal Organizations,” he explained how advances in bandwidth, computing power and software have enabled hackers to quickly locate and exploit services across the Internet. But by leveraging this same trend, he showed, researchers can strategically place ‘honeypots’ to lure and trap criminals.

You’ve been car hacked

Vulnerabilities in cars mean that a malevolent attacker could do anything from eavesdropping on conversations to slamming on someone’s brakes in the middle of the highway or swerving the car into a wall.

“A Survey of Remote Automotive Attack Surfaces,” presented by Charlie Miller, security engineer at Twitter, and Chris Valasek, director of threat intelligence at IOActive, was one of the most popular briefings at DEF CON.

Hacking legend Charlie Miller wrote the first public remote exploit for both the iPhone and the G1 Android phone. He is also a four-time winner of the CanSecWest Pwn2Own competition.

Valasek is a trailblazer in offensive hacking research and the chairman of SummerCon, the nation's oldest hacker conference.

Last year, this team made waves by successfully hacking into two cars - this year they undertook a security review of a range of carmakers.

The researchers are using this data to work out which cars are secure and can’t be compromised and which cars are easy to hack. They are also figuring out how vehicles could be better protected from attacks.

Traffic control systems

Cesar Cerrudo, CTO at IOActive Labs, discussed his critical research on vulnerabilities in traffic control systems that are commonly used in the U.S., U.K., Australia, France and beyond.

In the movie "Live Free or Die Hard," terrorists hack and manipulate traffic signals. Cerrudo was inspired to investigate whether this is possible.

He has proved that devices used in Washington DC, Seattle, New York, San Francisco and Los Angeles, to name a few, could indeed be hacked.

This is just one of Cerrudo’s latest breakthroughs. He is also credited with discovering and helping to eliminate dozens of vulnerabilities in Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows and Yahoo! Messenger.

Hacking 20 devices in 45 minutes

A team comprising Security Consultant CJ Heres, Accuvant Senior Researcher Amir Etemadieh, OpenWrt co-founder Mike Baker and Hans Nielsen, senior security consultant at Matasano, discussed more than 20 everyday devices that could be hacked.

From baby monitors through to TVs, they went through vulnerabilities that they have found.

Wonder if someone is spying on you?

Dr. Phil Polstra, associate professor in digital forensics at Bloomsburg University of Pennsylvania, gave a briefing entitled “Am I Being Spied On? Low-tech Ways Of Detecting High-tech Surveillance.”

He recommended easy ways to figure out if someone is spying on you and showed several low-tech options to detect even high-tech surveillance.

For example, Polstra showed how to detect surveillance cameras with a cell phone and how low-cost devices can detect active and passive bugs. He also gave tips on how to detect devices implanted inside computers, tablets, and cell phones.

This message will self-destruct

A panel on ephemeral communications dove into why keeping your communications private is important.

Wickr, Silent Circle and Glimpse are three options to communicate online. These apps promise to delete information quickly or to maintain anonymity. For example, Wickr gives you the option to have your messages self-destruct “Mission Impossible” style.