Black Hat And The Jedi Force

Reporter’s Notebook: LAS VEGAS — Sometimes you don’t need high tech to circumvent high tech.

At
this year’s Black Hat security conference here, the usual array of high-tech
methods were discussed to attack systems. There was also discussion of what
I would consider to be a lot of low-tech ways to attack systems and security.


Johnny Long, the author of numerous security books and self described ninja,
hacker and descendant of the pirate Captain Morgan (yeah the Rum pirate), is
perhaps the epitome of the low-tech hacker. In an overflow capacity crowd
presentation, he delivered what had to be the highlight of the conference
with a raucous presentation on no-tech hacking.


Long, who also goes by the name Johnny I Hack Stuff, walked the audience
through a series of techniques to do things such as look at pictures of cars in a parking lot to determine things about the
vehicles’ owners. Long also got a few laughs when he described how he went
dumpster diving to find things. The not so funny part is the fact that he
found Social Security numbers and personal health information.


Perhaps most surprisingly, Long was able to demonstrate that not only was he
a hacker, but also a Jedi. The Jedi wave, that is the scene from the original
Star Wars film in which Obi-Wan Kenobi waves his hand in front of an
Imperial Stormtrooper and gets them to let him by. (These aren’t the droids
you’re looking for. You can go about your business. Move along. Move along).


In Long’s case he duplicated an AT&T name badge and simply waved it in front
of people at various locations to get access to buildings.


Now that’s low-tech hacking.


Though Long certainly got the most laughs for his no-tech hacking approach,
other seemingly low-tech approaches to hacking got a lot of mention this
year. The simple act of timing, or measuring the time it takes for an
action to occur, is perhaps one of the simplest forms of hacking.

Several
presenters demonstrated that, by timing actions, they could determine whether users or accounts were valid. Timing attacks also plays a role in
injection-type attacks: By simply noticing a time delay a hacker may well
find something that is exploitable.


Fuzzing got its time, too, with an entire track dedicated to it and multiple vendors announcing fuzzing tools.

Fuzzing is just an automated script throwing what can
accurately be referred to as garbage input against an application to see
what happens. It’s not terribly
elaborate, but the results that fuzzing yields, according to many at Black
Hat, are incredibly valuable. The much-hyped iPhone vulnerability was
discovered, according to the researcher that reported it, by fuzzing.


There is a good reason why low tech approaches work. Brad Hill a researcher
with iSecpartners, noted in his presentation on XML security that complexity is the enemy of security.
It’s a lesson that applies both to those that are looking at securing things,
as well as those that are looking at bypassing security.


Fundamentally for hackers it’s all about being aware of what is in front of
you and noticing things that others don’t. By noticing what is obvious if
you’re looking for it, you can get around seemingly secure items with
relative ease.

That was the lesson that Johnny Long tried to impart with his
humor and that other presenters touched on with their more technical
approaches. It’s a lesson that should be taken very seriously.

Sean Michael Kerner is a senior editor for internetnews.com.

News Around the Web