:00:00. > :00:12.Now it is time for Click.
:00:13. > :00:15.This week, the team are in Vegas, making faces for cash.
:00:16. > :00:57.And this week, the largest hack-fest on the planet.
:00:58. > :01:00.If there's one week of stuff in Vegas that isn't staying
:01:01. > :01:05.in Vegas, it's this week's BSides, Black Hat and notorious
:01:06. > :01:11.This is the week where hackers rub up against law enforcers
:01:12. > :01:15.and everyone peeks over each other's shoulders and networks.
:01:16. > :01:23.So, let's get straight into the action.
:01:24. > :01:27.Daniel here has got an extra piece of software running allowing him
:01:28. > :01:31.to hear what's being typed on the other end of a Skype call.
:01:32. > :01:37.The software during a Skype call learns how your keyboard sounds
:01:38. > :01:40.like and if you later during the call type
:01:41. > :01:41.something sensitive, like a password or e-mail,
:01:42. > :01:48.we can understand what you've typed using machine learning algorithms.
:01:49. > :01:50.This is because each key has a unique fingerprint based
:01:51. > :01:55.on the position of the key on the keyboard.
:01:56. > :01:58.The suggested results from what our victim might be typing
:01:59. > :02:03.As you can see, it's spotted every word except one but when asked
:02:04. > :02:06.to choose the words to make the most likely sentence, it's
:02:07. > :02:13.He is not just our victim, he's also a security researcher
:02:14. > :02:16.who is here to keep Click on track with a hacker's view
:02:17. > :02:20.of the conferences for the next couple of episodes.
:02:21. > :02:29.So, the technology is still quite young.
:02:30. > :02:32.It took a bit of setup to make this work but technology advances quite
:02:33. > :02:34.quickly and things that are difficult today will
:02:35. > :02:38.We have seen some things like this before as well.
:02:39. > :02:40.I looked at a hack recently where they could measure
:02:41. > :02:43.the vibrations in a crisp packet to record my voice.
:02:44. > :02:45.So I think in the future, things and technologies like this
:02:46. > :02:48.could be quite bad because it's going to allow people
:02:49. > :02:50.to extract a lot more information from our devices.
:02:51. > :02:55.It seems like the hackers are always going to find new and interesting
:02:56. > :02:58.ways to get inside our computers and of course the weapon
:02:59. > :03:04.of choice so far this year has been ransomware.
:03:05. > :03:06.In part because it is so easy to set up.
:03:07. > :03:10.I'd kind of assumed that getting hold of a piece of ransomware
:03:11. > :03:13.wouldn't be as easy as searching for it on Google and then
:03:14. > :03:20.This man has just informed me that I was wrong.
:03:21. > :03:22.So, here is one which is very popular.
:03:23. > :03:29.Then we can just download it straightaway.
:03:30. > :03:34.That's it, you don't have to go on to the dark net
:03:35. > :03:42.So, the code is actually really tiny, it's less
:03:43. > :03:44.than 200 lines of code, and that's for a full
:03:45. > :03:49.I could then change some of that code to specify how much money the
:03:50. > :03:54.malware asks for and the Bitcoin address it needs to be delivered to.
:03:55. > :03:56.And sure enough, the programme turns all of our sample documents
:03:57. > :04:00.into illegible garbage, which can only be retrieved
:04:01. > :04:08.if the creators, in this case us, provide the unlock code.
:04:09. > :04:11.OK, I'm slightly depressed at how easy it was to find some ransomware
:04:12. > :04:15.It's going to get easier in a minute.
:04:16. > :04:20.Next we hop onto a site that will connect me to people
:04:21. > :04:25.who will set up and run ransomware for me.
:04:26. > :04:28.So, this guy here will charge you $125.
:04:29. > :04:30.These guys, they'll give you lots of customer support.
:04:31. > :04:33.They also offer you some advice on how to deliver it to people.
:04:34. > :04:39.Yeah, yeah, and by your phone you can talk to this guy over
:04:40. > :04:46.And if you're too lazy to send this to people,
:04:47. > :04:49.there is another guy who, for a cut, will then e-mail this
:04:50. > :04:53."Are you a criminal but too lazy to do any work?
:04:54. > :04:57.There are some video adverts like that as well.
:04:58. > :05:01.Surely you can engage this person in chat and go
:05:02. > :05:08.They use software to make sure you can't find where
:05:09. > :05:20.Actually, before you do, Spen, there is hope.
:05:21. > :05:24.There are professionals looking out for us and Lara has been to meet
:05:25. > :05:30.the good guys who are at the top of their game.
:05:31. > :05:34.One report suggests that one in six businesses in Europe
:05:35. > :05:44.Some of them, of course, providing critical care.
:05:45. > :05:47.I'm in Newport, Wales, at Airbus CyberSecurity.
:05:48. > :05:49.This is probably not the first thing you would associate
:05:50. > :05:52.with the company name but here, some top tier network
:05:53. > :06:00.Their clients include the Ministry of Defence as well as large airports
:06:01. > :06:08.and power companies, plus many others who can't be named.
:06:09. > :06:11.WannaCry was quite unique by way of ransomware in that once it
:06:12. > :06:15.infected a single host it actually wanted to go out and look for other
:06:16. > :06:20.hosts that are similar to it within its own network.
:06:21. > :06:23.That's why it spread not just within the NHS but globally
:06:24. > :06:28.across many other companies and many other individuals as well.
:06:29. > :06:30.But how about an attack that exploits a vulnerability we've
:06:31. > :06:41.Typically, the scramble around that is actually obtaining some code
:06:42. > :06:43.and then almost putting it in a sandbox.
:06:44. > :06:47.A sandbox being a place to isolate the issue so it can be played with,
:06:48. > :06:55.Large organisations may employ companies like Airbus to keep
:06:56. > :06:58.the water flowing and the lights on, but what advice would they give
:06:59. > :07:07.Well, we use cyber threat indicators on our network and this is something
:07:08. > :07:10.that is freely available to the general user.
:07:11. > :07:12.So if you are more tech savvy, you can utilise this threat
:07:13. > :07:14.intelligence to explain more about current malware threats
:07:15. > :07:17.and trends and understand if you are susceptible to this
:07:18. > :07:22.malware and particularly vulnerable or running a vulnerable version
:07:23. > :07:28.So that information is out there and I would encourage
:07:29. > :07:35.But what does all this mean for the future?
:07:36. > :07:40.Does cyber security get better at the rate hackers do?
:07:41. > :07:45.We get better and then they will follow.
:07:46. > :07:47.And it just moves further and further into complex areas
:07:48. > :07:57.but rest assured that we're working very hard to keep on top of those.
:07:58. > :08:00.So, the advice on how to avoid a cyber attack may not have changed
:08:01. > :08:03.in years: make sure you always do your software update,
:08:04. > :08:05.back everything up and generally be sensible online, but WannaCry may
:08:06. > :08:11.have just frightened more of us into taking action.
:08:12. > :08:13.Lara Lewington battling the bad guys, which is exactly
:08:14. > :08:20.what this conference, Black Hat, is all about.
:08:21. > :08:22.The corporate side of this cyber security conference
:08:23. > :08:27.But what happens when you've caught a cybercriminal?
:08:28. > :08:29.What if it is a first-time hacker who probably didn't even realise
:08:30. > :08:39.Well, Dan has been to the UK's first ever rehab for hackers.
:08:40. > :08:45.It was me and two other friends, just a bit of fun.
:08:46. > :08:47.I manipulate people's feelings, thoughts.
:08:48. > :08:58.We tried to break into our school's network.
:08:59. > :09:02.We could control people's screens, change passwords.
:09:03. > :09:07.I got arrested for Misuse of Computer Act, 1990, section three.
:09:08. > :09:13.I can't name the company but they lost a lot of money.
:09:14. > :09:17.This is definitely a way to get ahead of the curve and to stop
:09:18. > :09:19.anyone from possibly taking a misinformed choice
:09:20. > :09:35.This is the UK's first reboot camp for hackers.
:09:36. > :09:38.The first seven through the doors, aged 16-20, all intend
:09:39. > :09:40.to change their ways, so we've agreed to keep
:09:41. > :09:47.Rehab includes spotting moments when they might be tempted to cross
:09:48. > :09:51.the line of what's legal and what's not.
:09:52. > :09:56.That looks like I could get everyone's details.
:09:57. > :09:59.Your parents will not have any idea how you do what you do.
:10:00. > :10:05.Solomon Gilbert was caught as a teenage offender.
:10:06. > :10:08.Now he's the one giving the lectures, in between tackling
:10:09. > :10:17.I was getting drawn into making my own malicious code,
:10:18. > :10:20.making my own exploits, stealing things like credit card
:10:21. > :10:25.I wouldn't do anything with them but it ended up with me getting
:10:26. > :10:28.kicked out of school and arrested and looked into by the
:10:29. > :10:37.What were the key moments that changed your path?
:10:38. > :10:40.Everyone in the cyber security industry has one person that
:10:41. > :10:44.they've met that's gone, well, you're very talented at this,
:10:45. > :10:51.Cyber Security Challenge UK has set up a capture the flag competition
:10:52. > :10:55.so that teenagers can show off their skills.
:10:56. > :11:02.Several large companies are here to talk future job opportunities.
:11:03. > :11:05.The UK hasn't got enough people to protect itself.
:11:06. > :11:07.Businesses, the nation, individual accounts,
:11:08. > :11:11.we all need protecting and that's why we exist.
:11:12. > :11:16.We know they're there, we need to find them.
:11:17. > :11:18.These offenders know this is a second chance,
:11:19. > :11:24.one they didn't realise they were so well qualified for.
:11:25. > :11:27.I was more interested in the dark side, back when I was young.
:11:28. > :11:29.I wasn't really looking at the good side.
:11:30. > :11:32.The dark side was mainly just attacks, attacks, attacks,
:11:33. > :11:37.Well, now I know that it exists, it sounds like something that I'd
:11:38. > :11:40.really, really like to go into because you get the same, like,
:11:41. > :11:45.rush, the same excitement, but you're doing it for fun,
:11:46. > :11:47.still, but it's legal and you get paid.
:11:48. > :12:03.Did you know you can get money out of an ATM even if you don't
:12:04. > :12:15.What you'll need instead is a drill, a USB keyboard, some malware
:12:16. > :12:23.on a USB stick and an intention to break the law.
:12:24. > :12:25.So, in this specific example that we've got set up here,
:12:26. > :12:30.an attacker has come to the front of the ATM, they've drilled
:12:31. > :12:39.What we can do now, you can see we can access this USB cable.
:12:40. > :12:41.Right, so, inside here is something that has a USB port.
:12:42. > :12:48.According to Positive Technologies Research,
:12:49. > :12:53.more than half of ATMs still run Windows XP.
:12:54. > :12:55.And although the USB port will rarely be this easy
:12:56. > :12:58.to access inside the ATM, recent cash machine hacks
:12:59. > :13:04.in Taiwan and Thailand showed that it can be done.
:13:05. > :13:07.I'm sure not many people would expect this to just be
:13:08. > :13:13.Perhaps not but it's just a safe with a computer on top.
:13:14. > :13:16.Which means that with a keyboard plugged in, it's pretty simple
:13:17. > :13:19.to download and run the malware to, well, show me the money.
:13:20. > :13:35.Your malicious software basically says, dispense cash.
:13:36. > :13:45.Shouldn't the ATMs be slightly more protected and locked down?
:13:46. > :13:48.You would think that but it's how you would configure those computers.
:13:49. > :13:50.But we found they are not particularly secure,
:13:51. > :13:53.so you could put malware on a system that could collect data
:13:54. > :13:59.That would be information that is held on our cards.
:14:00. > :14:01.So I, as a consumer, if I'm using this machine,
:14:02. > :14:07.And that could spread around a whole network of ATMs.
:14:08. > :14:09.So, you could use one ATM to infect a whole network?
:14:10. > :14:15.One way to protect yourself is to use ATMs inside bank branches
:14:16. > :14:22.or which are watched over by security cameras.
:14:23. > :14:25.We spoke to NCR, one of the leading manufacturers and the maker
:14:26. > :14:32.They agree that security threats are becoming more complex
:14:33. > :14:34.and sophisticated and told us, "NCR provides its customers
:14:35. > :14:36.with comprehensive recommendations and security defences to address
:14:37. > :14:38.these challenges and help them to assess and improve
:14:39. > :14:54.It was the week that Google unveiled its SOS Alerts feature,
:14:55. > :14:58.which will show where a crisis is taking place.
:14:59. > :15:00.Adobe announced plans to kill off Flash Player from 2020.
:15:01. > :15:05.And a company in Wisconsin are microchipping their employees.
:15:06. > :15:07.And the Boring Company is firmly going against its name,
:15:08. > :15:10.as Elon Musk posted a video to Instagram of a car
:15:11. > :15:14.going underground on an elevator in Los Angeles.
:15:15. > :15:17.The Tesla CEO's side project proposes building a network
:15:18. > :15:20.of tunnels under the city, which will drag cars,
:15:21. > :15:25.passengers and cargo in super fast moving sleds.
:15:26. > :15:28.And it was a busy week for Musk, as he clashed with Mark Zuckerberg
:15:29. > :15:33.During an informal Facebook Live, Mark Zuckerberg said Musk's claims
:15:34. > :15:36.that AI poses a fundamental risk to human civilisation
:15:37. > :15:43.But Musk took to Twitter to respond, writing Zuckerberg's knowledge
:15:44. > :15:51.First it was gone and then it wasn't, as Microsoft puts to bed
:15:52. > :15:54.reports that it was getting rid of its graphic programme, Paint.
:15:55. > :15:57.People rushed to social media to show their love for the programme,
:15:58. > :16:00.which won't remain on Microsoft 10 by default in the future
:16:01. > :16:04.but will be available on the Windows Store for free.
:16:05. > :16:10.And now you can live out your pop dreams in AR.
:16:11. > :16:13.Not shying away, a Chicago-based studio have recreated the classic
:16:14. > :16:27.A-ha Take On Me video using the iOS 11 AR kit.
:16:28. > :16:30.Recently, there seems to have been an increase in the number of brute
:16:31. > :16:34.This is where the hacker uses a programme to constantly
:16:34. > :16:39.try new passwords until they hit the jackpot.
:16:40. > :16:42.In the past, security services have recommended creating as long
:16:43. > :16:44.and complex passwords as possible, never writing them down
:16:45. > :16:50.However, we're only human and we don't have the time
:16:51. > :16:55.or patience to remember multiple strings of letters and digits.
:16:56. > :16:58.To combat this, the National Cyber Security Centre has
:16:59. > :17:04.Firstly, don't change your password constantly because this encourages
:17:05. > :17:07.us to use simpler passwords and maybe just add a different
:17:08. > :17:12.And besides, it only protects you from someone
:17:13. > :17:16.who steals your password and then waits three months to use it.
:17:17. > :17:19.You should, however, update your password if you have any
:17:20. > :17:26.Keep your passwords complex, but not too complex.
:17:27. > :17:31.For example, three random words stuck together.
:17:32. > :17:34.This means instead of trying every one of the 200,000 or so words
:17:35. > :17:36.in the English dictionary, hackers have to try every
:17:37. > :17:45.combination of every word, and that is a massively harder task.
:17:46. > :17:47.Set up two step authentication for any accounts that
:17:48. > :17:53.This means the hacker needs to not only have your password
:17:54. > :17:55.but also your phone, to break in.
:17:56. > :17:59.And store your passwords, either on a piece of paper in a safe place
:18:00. > :18:05.Now, this is either hardware or software that generates and stores
:18:06. > :18:09.long, complex passwords for your different accounts.
:18:10. > :18:12.How can you remember 20 or 30 passwords that we frequently use
:18:13. > :18:17.With a solution like Lastpass, it will create 100 character
:18:18. > :18:20.passwords for every site, that is really, really hard to hack
:18:21. > :18:29.While security is a really daunting subject and the stakes are high,
:18:30. > :18:31.it can appear quite onerous, but these solutions
:18:32. > :18:35.All you have to remember is one master password
:18:36. > :18:56.Just make sure THAT password is really hard!
:18:57. > :18:58.Humans have been using handprints to identify themselves
:18:59. > :19:05.These ones here, the Hands Across Time just outside Las Vegas,
:19:06. > :19:08.in Red Rock, are hundreds of years old.
:19:09. > :19:10.They're some of the earliest examples of Native Americans
:19:11. > :19:19.In recent years we've started to use our hands to identify us
:19:20. > :19:26.again and Dan's been finding out how secure they might be.
:19:27. > :19:33.At Bristol Robotics Lab, they're taking an interest in every detail.
:19:34. > :19:44.Now, if you're sensitive to flashing lights, look away now.
:19:45. > :19:50.Is that more secure, then, than just using your fingerprint?
:19:51. > :19:53.With a fingerprint, it's a small region of the hand.
:19:54. > :19:56.Obviously with this system we're getting the whole surface and that,
:19:57. > :19:59.combined with the vein structure, just adds an extra layer of security.
:20:00. > :20:04.Research recently showed the ability to extract fingerprints
:20:05. > :20:10.or handprints off celebrities from a distance.
:20:11. > :20:15.So, you could use that to generate a 3-D surface but you still wouldn't
:20:16. > :20:17.have the vein structure on the back of the hand.
:20:18. > :20:20.That would be very difficult to hack.
:20:21. > :20:22.In Chicago, some people are already using their palm
:20:23. > :20:33.PalmSecure's touchless readers only use infrared lights to take
:20:34. > :20:41.Iris scanners are also about to emerge from the lab and be
:20:42. > :20:45.From September, TSB will be the first bank in Europe to adopt
:20:46. > :20:51.retina scan technology as a way of accessing online bank accounts,
:20:52. > :20:53.although initially customers will need a Samsung Galaxy S8
:20:54. > :21:02.In May, the Chaos Computer Club in Germany posted this video,
:21:03. > :21:04.fooling the S8's iris scanner using a photograph
:21:05. > :21:12.TSB and Samsung are hoping that others won't go
:21:13. > :21:18.At the CyLab Biometrics Center in Pittsburgh, they've developed
:21:19. > :21:21.a system that can identify the irises of people moving in
:21:22. > :21:33.But if the eyes don't have it, the face just might.
:21:34. > :21:36.Back at Bristol Robotics Lab, this 3-D face scanner
:21:37. > :21:40.is using a technique they've developed called Photometric stereo.
:21:41. > :21:43.Two invisible lights flash at high speed,
:21:44. > :21:45.allowing the camera to capture the orientation, shape
:21:46. > :21:55.So far, it has a 95% accuracy rate but that's good enough to attract
:21:56. > :22:02.They are working with Cubic which develops the Oyster card
:22:03. > :22:04.contactless payment system used in London's trains and buses.
:22:05. > :22:08.It's being part funded by the British government
:22:09. > :22:10.to innovate gateless technologies, allowing passengers to simply walk
:22:11. > :22:21.You can imagine, if you can get rid of the gate line in a place
:22:22. > :22:23.like Victoria Station, there's a massive potential
:22:24. > :22:27.So we ran quite an interesting project for them, which they are now
:22:28. > :22:32.installing at their laboratory in Salford and the aim is to move it
:22:33. > :22:35.on to the Underground so that the system will recognise
:22:36. > :22:39.people and you get rid of the gates and it will allow people to go
:22:40. > :22:51.Now, this is a prototype but we have been told
:22:52. > :22:53.that the system will recognise even a pair of glasses.
:22:54. > :22:56.So, let's see if it knows who I am now.
:22:57. > :23:00.Look at that, you can see my name come up right there.
:23:01. > :23:04.Just walk around, the face is the key to doing everything
:23:05. > :23:12.And just to double-check, I've tried to fool it with this guy.
:23:13. > :23:25.It recognises me but this is very clearly an impostor.
:23:26. > :23:43.This face clearly isn't going to get me anywhere.
:23:44. > :23:55.Of course we'll be back with more next week from Vegas including