Best of show from Black Hat, Def Con

Smartphones, cars and industrial systems were targets at this year's Def Con and Black Hat conferences.

---

Def Con and Black Hat are two signature information security events of the year, held back-to-back, in Las Vegas. Every year, researchers and hackers demonstrate new techniques and attacks. There were dozens this year, but here are eight of the top topics which stood out above the rest.

Not a hack, but a development: Def Con attendees have had an amicable relationship with the authorities for years, poking fun with the "Spot the fed" competition, which both sides traditionally take in good sport.

But this year, in the wake of the Edward Snowden saga and others, the hackers have had enough. Organiser Jeff "Dark Tangent" Moss requested the authorities to consider staying away from the conference, to avoid ill feelings from spoiling the event.

"Recent revelations have made many in the community uncomfortable about this relationship," he wrote on the event homepage. "Therefore, I think it would be best for everyone involved if the feds call a 'time-out' and not attend Def Con this year."

NSA director-general Keith Alexander addressed the Black Hat audience and called for calm, amid heckling and catcalls from the audience.

Self-driving cars are en vogue right now, with Google's high-profile efforts stealing the limelight from many other manufacturers - in fact, there are several brands on the market investigating vehicle autonomy, from self-parking, to lane correction, automatic braking and more. That's the pointy end of a move towards increased intelligence in vehicles, and to a hacker, increased intelligence means "surface area".

Back-to-back talks at Def Con saw Charlie Miller, Christopher Valasek and Australian hacker "Zoz" discuss, and demonstrate, early attacks against vehicles' onboard electronics, from messing with navigation to full control of the vehicle.

These attacks are primitive for now, but as in-car electronics advance, so will the attacks.

Among the many attacks against smartphones at this year's events was a clever iPhone hack - iPhones can be compromised in a matter of seconds using electronics disguised as a regular phone charger.

Researchers Billy Lau, Yeongjin Jang and Chengyu Song demonstrated the attack, gathering data directly from the phone and replacing apps with malicious Trojans. Apple says it has since fixed that particular bug, but it does raise concerns about helpful public charging stations.

Network extenders, also known as femtocells, are small transmitters used by cellular companies to extend coverage on demand. iSec Partners, a security consulting firm, showed several attacks against the units, including man-in-the-middle interception and device cloning.

Internet-connected TVs are the Next Big Thing, now that the 3D hype is dying down, and the hackers are as excited about them as Netflix. Aaron Grattafiori and Josh Yavor, researchers at iSec, took to the stage at Black Hat to show how a Samsung Smart TV could be remotely compromised, stealing account credentials and spying on victims through a TV's built-in webcam.

SCADA ("supervisory control and data acquisition") systems control industrial facilities, from power stations to water supplies, and have been the subject of security concerns at the highest levels - Stuxnet and its attack against Iranian uranium centrifuges is an example, but there have been others, and now there are more.

At Black Hat, Brian Meixell and Erick Forner demonstrated an attack against oil pumping stations, while Carlos Penagos and Lucas Apa showed a wireless attack against industrial control systems.

Attacks against encrypted HTTPS traffic continue. The "BEAST" attack in 2011 then evolved into "CRIME" in 2012, and now we have "BREACH", which tampers with compressed HTTPS communications in order to measure changes in the size of data exchanged, and thereby deduce the original plaintext. CERT ominously notes "We are currently unaware of a practical solution to this problem" and advocates disabling HTTPS compression entirely.

Paul Stone, meanwhile, demonstrated sophisticated new clickjacking techniques to steal information from Web pages.

What do you get if you combine Amazon Web Services and nine Terabytes of precomputed password hashes? An on-demand, high-performance password cracking service, PWAudit, which was unveiled at Black Hat.