10 devious new ways that computer hackers can control your machines (or fix them)

In late December I attended Berlin's Chaos Communication Congress, an annual hacker conference where speakers reveal the latest in high-tech deviousness. Straight from CCC, here are ten ways hackers will subvert your computer, phone, bank card, and life in 2011.

Photo by v2px

I've broken these hacks down into two sections. The first focuses on breaking your tech, and the second on fixing things using tech. Of course, there is a lot of overlap between the two. This is hacking after all - breaking things makes us stronger. Remember, as the slogan for CCC says: We come in peace.

Also, these are just a handful of the awesome talks at CCC. I recommend that you look through the CCC site and check out others - all are on video, and in most cases slides and notes are available too.

A final warning: Most of these talks are fairly technical, so don't expect polished soundbites in the videos. Do expect lines of code. These are hackers, not PR types, so they keep it real.

BREAKING THINGS

Are you reading my PDF? Then I control your computer.
Julia Wolf entertained and boggled the audience with her vicious takedown of the PDF file format - you know, the format you use pretty much every day to read documents? She revealed that the PDF format is so insecure that evil hackers could embed a program inside one that you would never see - and which would send its tentacles into your computer and reveal all its secrets to anyone who wanted them. And that's just the beginning. The widely-used PDF format is over a decade old and its spec is nearly 1,000 pages long - by the end of Wolf's talk, we were all ready to see it retired for the sake of everybody's security and privacy.

The Baseband Apocalypse
The baseband is the part of your phone that sends and receives broadcast signals. And it turns out that if your phone is on the GSM network, it's pretty damn easy to manipulate the baseband with all kinds of terrible tricks, from setting up fake base stations that will snoop on your conversations or text messages, to secretly sending nasty programs to your phone that could do everything from steal your data to turn your phone into a bug. When you make a call on the GSM network, who is really listening? Possibly everyone but the person you're hoping to talk to.

Your bank card is mine now
Cambridge University security researcher Steven Murdoch gleefully revealed how easy it is to break the security on the UK's smart credit card and ATM card system. Though British banks claim the security on these cards is unbreakable, in fact it's been compromised repeatedly and many customers have lost money. Murdoch is an engaging speaker, and it's worth watching the video because he walks you through three ways that fraudsters can steal your money using the "chip and pin" system in smartcards. Murdoch's analysis was so devastating that UK banks tried to get him to take down his paper on the subject and censor his research. Luckily, they didn't succeed in silencing him.

I am listening to your phone conversations with my computer
In case the baseband apocalypse didn't freak you out enough, another researcher revealed more ways that GSM phones can be snooped on. Researchers have already shown that the encryption used to shield your private conversations on these smart phones can easily be defeated with consumer-grade hardware. But phone companies claimed that didn't matter, because GSM communication flips between multiple channels. A hacker might be able to grab a tiny chunk of a call, but when it flips to another channel their spy game would be over. However, this talk showcases research that reveals how easy it is to follow data across a broad spectrum of channels, easily defeating this "secure" aspect of GSM, using nothing but cheap mobile phones. Are you convinced yet that your GSM phone is a tool of mass mischief?

Click to view

Your infrastructure will kill you
Eleanor Saitta works doing "threat modeling," predicting ways that systems can fail - from computer networks, to national infrastructure. Here she walks you through all the ways that our supposedly dependable infrastructures, including energy grids, can be destroyed by malicious enemies or simple neglect. What can we do about it?

FIXING THINGS

PS3 Jailbreak!
Your PS3 console is great for playing games, but what if you want to use it like the computer it is? Why shouldn't you be able to install another operating system on it, and play homebrew games that aren't officially authorized by Sony? An international team of researchers called fail0verflow revealed just how easy it is to retrieve the codes required to unlock the PS3 and make it do your bidding. The long strings of numbers used to unlock the device and make it programmable are actually hidden on the consoles themselves, if you know where to look. After the talk went public, Sony sued members of fail0verflow along with dozens of other people, allegedly for distributing tools that would allow piracy.

27C3 - Console Hacking 2010 from Yifan Lu on Vimeo.

The greatest DOS attack of all time, and how to stop it forever
Among hackers, University of Chicago computer scientist and crypto expert Dan Bernstein (often known by his handle DJB) is a legend. He's written some of the most secure code known to humanity (just try to fuck with qmail - you can't), and has lobbied ceaselessly - and snarkily - for the eradication of broken security systems online. He gave a mad genius presentation where he revealed that the oft-touted network security system DNSSEC is actually so badly-designed that it would make the perfect denial-of-service attack tool. And then he proposed a mindblowing, futuristic system of sending data over the Web that would make it nearly impossible to launch a DOS attack - and would prevent bad guys from sending your secure data to mobsters instead of your bank. The cool part about DJB's new system, based on encryption tools he calls DNSCurve and CurveCP, is that it could be implemented now, on top of the Web as we know it. And the best part? It's lightning fast. Listening to DJB's talk gave me hope for the future of the Web - and his devastating takedown of DNSSEC was the best example of smartypants trolling you'll hear this year.

Note - to watch the video, just skip past the first several minutes, where the organizers were setting up the talk and getting everybody seated.

27C3 Talk by Dan Bernstein: High-speed high-security cryptography: encrypting and authenticating the whole Internet. from nig nog on Vimeo.

Hacking the ocean
There are a number of open mapping projects out there, including Open Street Map, where hackers and ordinary people have added data to make it easier for you to navigate terrain all over the world. But what about navigating on the oceans? Often sea maps are very expensive, or are simply not available at all. A group called Open Sea Chart is aiming to change all that. They've already started work on one of the biggest world-improving projects you can imagine: Creating a free, open map that you can use to navigate the world's oceans. In this intriguing presentation, one of the Open Sea Maps developers talks about the difficulty of presenting data whose accuracy could mean the difference between life and death for people on ships. In addition, you'll learn a lot about just how weird it is to map the surface of a planet that is bumpy and uneven.

OpenLeaks
Former Wikileaks staffer Daniel Domscheit-Berg, who is writing a tell-all book about his time at Wikileaks, presented a new project aimed at fixing some of the problems he encountered working at Wikileaks. OpenLeaks will be a "distributed" project that doesn't suffer from some of the top-down management problems of Wikileaks. He promises that the project will be aimed entirely at getting leaks, and won't put a political spin on the leaks.

Three Jobs Journalists Will Be Doing in 50 Years
I gave a presentation on the future of new media - yes, that's me in the suit and tie. Though the media love to mourn their own death, in this presentation I argue that journalism of the future will be as powerful and subversive as ever. Find out how hacker journalists of the future will be using technology to report the facts, data miners will offer conscientious commentary, and crowd engineers will help people make informed decisions about events in their communities. The so-called new media are part of a long journalistic tradition that runs no risk of disappearing. Here's why.