
Transportation

FAA Denies Vulnerabilities In New Air Traffic Control System

Posted by Soulskill
from the what's-the-worst-that-could-happen dept.
bingbong writes "The FAA's NextGen Air Traffic Control (ATC) modernization plan is at risk of serious security breaches, according to Brad Haines (aka RenderMan). Haines outlined his concerns during a presentation (PDF) he gave at the recent DefCon 20 hacker conference in Las Vegas, explaining that ADS-B signals are unauthenticated and unencrypted, and 'spoofing' (video) or inserting a fake aircraft into the ADS-B system is easy. The FAA isn't worried because the system has been certified and accredited."
Security

Security Expert: Huawei Routers Riddled With Vulnerabilities

Posted by Unknown Lamer
from the more-like-riddled-with-features dept.
sabri writes "Cnet reports that German security expert Felix Lindner has unearthed several vulnerabilities in Huawei's carrier grade routers. These vulnerabilities could potentially enable attackers, or the Chinese government, to snoop on users' traffic and/or perform a man-in-the-middle attack. While these routers are mostly in use in Asia, Africa and the Middle East, they are increasingly being used in other parts of the world as well, because of their dirt-cheap pricing. Disclaimer: I work for one of their competitors." Via the H, you can check out the presentation slides. Yesterday Huawei issued a statement 'We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims...'
Security

How a 3-Year-Old Can Open a Gun Safe

Posted by timothy
from the good-nightclub-act dept.
New submitter bupbin writes "We are providing a detailed report and analysis of eleven different popular gun safes produced by Stack-On, GunVault, and Bulldog to warn the public of the dangers inherent in some of these products, because neither the manufacturers nor their major retailers will do so. In that report you can view eight different Stack-On models, one produced by Bulldog, and one manufactured by GunVault. A similar design defect is demonstrated in an inexpensive safe for storing valuables that is sold by AMSEC, a very reputable safe manufacturer in the United States. Unfortunately, their digital safe with their claim of a 'state-of-the-art electronic lock' can also be opened (literally) by a three-year-old because of a common mechanism used in the industry that is subject to circumvention."
Privacy

Defcon Researchers Build Tool To Track the Planes of the Rich and Famous

Posted by timothy
from the you'll-never-catch-me dept.
Sparrowvsrevolution writes "At the Defcon security conference later this week, two security researchers will release a tool that aims to expose a little-seen list of hidden private aircraft flight plans, the so-called Block Aircraft Registration Request or BARR list, a collection of aircraft whose owners have tried to keep their whereabouts secret. Any private jet owner can request to be taken out of the FAA's public database of flight plans. But Dustin Hoffman and Semon Rezchikov found that private flyers' whereabouts are still broadcast in air-traffic control communications. So they developed a speech-to-text system that pulls out planes' tail numbers from those communications almost in real time, often fast enough to post a plane's destination before it lands. In its proof-of-concept version, the site is focusing on Las Vegas airports, but plans to expand to other cities soon."
Government

NSA Chief To Address Hackers At DEF CON

Posted by Unknown Lamer
from the and-then-arrest-them dept.
wiredmikey writes "Later this week, the NSA's organizational leader and head of the U.S. Cyber Command – General Keith Alexander — will address an audience of hackers at DEF CON. News of General Alexander's talk at Def Con broke on Friday. Up until that point, the 12:00 Track 1 slot was kept secret, leaving attendees to the world's largest hacker conference to speculate. The buzz was that it would be something interesting – if only because this year is Def Con's 20th anniversary. General Alexander will be giving a talk titled 'Shared Values, Shared Responsibility,' which is outlined as a presentation that will focus on the shared core values between the hacker community and the government's cyber community. Namely, the vision of the Internet as a positive force, the fact that information increases value by sharing, the respect and protection of privacy and civil liberties, and the opposition to malicious and criminal behavior."
Twitter

Analyzing Tweets To Identify Psychopaths

Posted by timothy
from the except-ones-who-know-of-the-model dept.
nonprofiteer writes "Researchers presenting at Defcon next week have developed a psychopathy prediction model for Twitter. It analyzes linguistic tells to rate users' levels of narcissism, machiavellianism and other similarities to Patrick Bateman. 'The FBI could use this to flag potential wrongdoers, but I think it's much more compelling for psychologists to use to understand large communities of people,' says Chris Sumner of the Online Privacy Foundation. Some of the Twitter clues: Curse words. Angry responses to other people, including swearing and use of the word "hate." Using the word "we." Using periods. Using filler words such as 'blah' and 'I mean' and 'um.' So, um, yeah."
Security

AT&T Sponsors Zero-Day Hacking Contest For Kids

Posted by timothy
from the also-let's-talk-in-a-few-years dept.
yahoi writes "AT&T has teamed up with an 11-year-old hacker and DefCon Kids to host a hacking contest during the second annual conference that runs in conjunction with the adult Def Con hacker show later this month in Las Vegas. The kid who finds the most zero-day bugs in mobile apps wins $1,000 and an iPad, courtesy of DefCon Kids. The contest was inspired by the mini-hacker's discovery last year of a whole new class of mobile app vulnerabilities."
Books

Book Review: The CERT Guide To Insider Threats

Posted by samzenpus
from the protect-ya-neck dept.
benrothke writes "While Julius Caesar likely never said 'Et tu, Brute?' the saying associated with his final minutes has come to symbolize the ultimate insider betrayal. In The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes, authors Dawn Cappelli, Andrew Moore and Randall Trzeciak of the CERT Insider Threat Center provide incontrovertible data and an abundance of empirical evidence, which creates an important resource on the topic of insider threats. There are thousands of companies that have uttered modern day versions of Et tu, Brute due to insidious insider attacks and the book documents many of them." Read on for the rest of Ben's review.
Open Source

Latest Humble Bundle Comes With Uplink Source Code

Posted by Soulskill
from the linux-still-in-the-lead dept.
SharkLaser writes "The latest Humble Bundle comes with four great indie games from Introversion. Included in the pack are Uplink, Darwinia, DEFCON and Multiwinia. Bonus games include Aquaria, Crayon Physics Deluxe and the recently added Dungeons of Dredmor. Introversion also showcases some of their prototypes, like Subversion City Generator which demonstrates procedural generation of complex city environments, and Voxel Tech Demo for showing destroyable environments using voxel technology. Hackers and open source programmers around the world should also celebrate — Introversion will release source code for their games Darwinia, Multiwinia, DEFCON, and most importantly, Uplink, the legendary hacking simulation that is one of a kind."
Image

Book Review: Securing the Clicks

Posted by samzenpus
from the read-all-about-it dept.
brothke writes "The book Digital Assassination: Protecting Your Reputation, Brand, or Business Against Online Attacks says businesses that take days to respond to social media issues are way behind the curve. Social media operates in real-time, and responses need to be almost as quick. In a valuable new book on the topic, Securing the Clicks: Network Security in the Age of Social Media, Gary Bahadur, Jason Inasi and Alex de Carvalho provide the reader with a comprehensive overview on how not to be a victim of social media based security problems." Read on for the rest of Ben's review.
Privacy

Are Some CAs Too Big To Fail?

Posted by samzenpus
from the they-don't-fall-down dept.
Trailrunner7 writes "In the wake of this weekend's revelations of the seriousness of the attack on certificate authority DigiNotar, security experts have renewed criticism of the Internet's digital certificate infrastructure, with some wondering if larger certificate authorities (CAs) might be too big to fail. Would Mozilla and Microsoft and Google have revoked trust in root certificates from VeriSign or Thawte had they been compromised? Unlikely. 'It's not a simple matter of removing certificates from a database, because they're not in any databases,' says researcher Moxie Marlinspike, who presented an alternative approach to the current SSL infrastructure last month at DEFCON. 'We may never track them all down.'"
Security

MIT Researchers Defend Against Wireless Attacks

Posted by timothy
from the just-kill-anyone-in-any-sort-of-middle dept.
alphadogg writes "MIT researchers have devised a protocol to flummox man-in-the-middle attacks against wireless networks. The all-software solution lets wireless radios automatically pair without the use of passwords and without relying on out-of-band techniques such as infrared or video channels. Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas."
Cellphones

Jailbroken Devices Compromised By Charging Stations

Posted by Soulskill
from the charged-with-computer-fraud dept.
mask.of.sanity writes "Data can be stolen from Windows, Android and Apple devices by unassuming power charging towers. In an attack demonstrated at the Defcon hacking conference, mobile phone charging units were rigged to pull data from phones plugged into them. Researchers found many jailbroken and modified devices activated USB functions when they were plugged in, or simply rebooted."
Security

Aaron Barr Talks About DEFCON, Anonymous Attacks

Posted by CmdrTaco
from the between-the-barrs dept.
Trailrunner7 writes "Finding Aaron Barr at this year's DEFCON hacker conference in Las Vegas was like a giant game of 'Where's Waldo.' Given the events of the past year, you can hardly blame him for keeping a low profile. First there was the attack on him and his then-employer, HBGary Federal, his decision to part ways with HBGary, his work to rehabilitate his image and turn his personal misfortunes into a 'teaching moment' for the industry, and then the legal wrangling in recent weeks that threw cold water on his plans to take part in a panel discussion about Anonymous at DEFCON. Barr was courted by numerous news outlets at the show, including the mainstream media. But he preferred, for the most part, to keep his own counsel. But he offered his thoughts to Threatpost on the experience of being at the conference, what the attack by Anonymous has done to him and whether it's possible for the group to turn its attentions to more constructive pursuits."
Cellphones

4G and CDMA Reportedly Hacked At DEFCON

Posted by CmdrTaco
from the hack-and-slash dept.
An anonymous reader writes "At the DEFCON 19 hacking conference it seems that a full man-in-the-middle (MITM) attack was successfully launched against all 4G and CDMA transmissions in and around the venue, the Rio Hotel in Las Vegas. This MITM attack enabled hackers to gain permanent kernel-level root access in some Android and PC devices using a rootkit, and non-persistent user space access in others. In both cases, whoever launched this attack on CDMA and 4G devices was able to steal data and monitor conversations. For now the only evidence that such an attack occurred is a Full Disclosure mailing list post, but in the next few hours and days, depending on the response from cellular carriers, we should know whether it's real or not."
Security

Building a Better 'Anonymous?'

Posted by CmdrTaco
from the start-by-photocopying-drivers-licenses dept.
An anonymous reader writes "A hacktivism panel at the DefCon hacker convention, conspicuously missing its star member Aaron Barr, who dropped out under legal pressure from his former company HBGary Federal, debated how Anonymous could channel its efforts for the greater good. Members of Anon attending the discussion chimed in, too."
Australia

Guide To Building a Cable That Improves iOS Exploits

Posted by timothy
from the slurping-assistant dept.
mask.of.sanity writes "An Aussie network engineer has published a guide to building a serial cable connector that allows access to a secret kernel debugger hidden within Apple iOS. The debugger was a dormant iOS feature carried over from Apple OS, and seems to serve no function other than to allow hackers to build better exploits. The cable needs an external power source and a jailbroken device to access the debugger." We've mentioned Pollock's serial adapter kit before, modulo the kernel debugging abilities.