IT securityHackers hacked at DefCon gathering

Published 12 August 2008

The tens of thousands of networks handling traffic on the Internet are programmed to trust each other for the best routes for data; a bad idea — since a hacker can hijack traffic to and from Web sites of choice by adding enough numbers to computer addresses to have his or her network automatically deemed the best path for the data

Iron Mike Ditka (“Da Coach” of the Chicago Bears from 1982 to 1992) used to say: “When you’re going to get, make sure you don’t get got.” Well, getting got is what happened to the hackers who gathered last weekend for the DefCon event in Las Vegas. The hackers got hacked. After three days of software cracking duels and hacking seminars, self-described computer ninjas at the infamous gathering in Las Vegas found out Sunday that their online activities were hijacked without them catching on.

A standing-room crowd cheered admiringly as Tony Kapela and Alex Pilosov showed them how they were “pwned” by a simple technique that could be used to “steal the Internet.” “Pwned” is popular computer and video game culture slang playing off the word “owned” and is used to describe someone being totally dominated or humiliated online or in-game. “It’s a nearly invisible exploitation,” Kapela said while revealing a hack that exploits fundamental Internet routing procedure to hijack online traffic unnoticed. “A level of invisibility that is unparalled.”

The beauty of the technique presented by Alex Pilosov and Kapela is that hackers do not need to break into websites or plant malicious computer code to control and tamper with data travelling the Internet, the presentation showed. Instead, the Internet is duped into sending people’s data to hackers. “Someone can passively intercept traffic,” Kapela explained. “We can store, drop, filter, mutilate, grope, or modify data heading to you.”

The tens of thousands of networks handling traffic on the Internet are programmed to trust each other for the best routes for data. The choice of optimal routes is made instantly; decided by a network claiming the longest numerical Internet addresses for data destination. A hacker can hijack traffic to and from Web sites of choice by adding enough numbers to computer addresses to have his or her network automatically deemed the best path for the data. “We construct the man-in-the-middle attack on the Internet,” Kapela said, referring to a classic hack in which someone gets between a computer user and their online destination. “Internet routing is inherently trust based. We told the route that we know the best way to an address. A hacker could blast a lot of spam or launch a lot of phishing attacks.”

Kapela and Pilosov proved their point by displaying for the rapt audience email, online searches and other online activity conducted that afternoon on the Internet connection used by DefCon attendees. Hackers could use the attack to block access to websites or send traffic to bogus Web pages crafted to look like legitimate websites such as Twitter or Google, according to Kapela. “Imagine all the wonderful stuff you could insert,” Kapela said. “You can hijack stuff from China or the opposite. It may already be happening. Who could tell?”

The presentation capped a DefCon gathering attended by more than 8,000 people. Hackers shared ways to crack everything from mobile telephones, computer games and social networking websites to electronic hospital records and high security locks used at the White House. One seminar included a way to remotely turn off pacemakers regulating people’s heartbeats. A cavernous room was devoted to a non-stop “capture the flag” contest in which players hunched over laptop computers battled to seize and keep control of a network set up for the game. Nightly “Hacker Jeopardy” drinking games required teams of players to correctly answer geeky computer questions with those giving wrong responses punished by having to guzzle beer. Another contest challenged hackers to slip malicious software code past increasingly sophisticated anti-virus programs. Hackers also faced off in lock picking contests; Guitar Hero video game competitions, and computer simulated shooting used by police for firearms training. Hackers also competed in making spy balloons that floated above the casinos.