Fear and Coding in Las Vegas (Click)

Click is at the hacker conventions in Las Vegas looking into cyber security and how best to protect ourselves.



Transcript


Line / From / To

help at Wimbledon this year." Her baby is due in January. That's all

:00:00.:00:00.

the sport for now. More in the next hour but now it is time for Click.

:00:00.:00:12.

This week, the team are in Vegas, making faces for cash.

:00:13.:00:15.

And this week, the largest hack-fest on the planet.

:00:16.:00:57.

If there's one week of stuff in Vegas that isn't staying

:00:58.:01:00.

in Vegas, it's this week's BSides, Black Hat and notorious

:01:01.:01:05.

This is the week where hackers rub up against law enforcers

:01:06.:01:11.

and everyone peeks over each other's shoulders and networks.

:01:12.:01:15.

So, let's get straight into the action.

:01:16.:01:23.

Daniel here has got an extra piece of software running allowing him

:01:24.:01:27.

to hear what's being typed on the other end of a Skype call.

:01:28.:01:31.

The software during a Skype call learns what your keyboard sounds

:01:32.:01:37.

like and if you later during the call type

:01:38.:01:40.

something sensitive, like a password or e-mail,

:01:41.:01:41.

we can understand what you've typed using machine learning algorithms.

:01:42.:01:48.

This is because each key has a unique fingerprint based

:01:49.:01:50.

on the position of the key on the keyboard.

:01:51.:01:55.

The suggested results from what our victim might be typing

:01:56.:01:58.

As you can see, it's spotted every word except one but when asked

:01:59.:02:03.

to choose the words to make the most likely sentence, it's

:02:04.:02:06.

He is not just our victim, he's also a security researcher

:02:07.:02:13.

who is here to keep Click on track with a hacker's view

:02:14.:02:16.

of the conferences for the next couple of episodes.

:02:17.:02:20.

So, the technology is still quite young.

:02:21.:02:29.

It took a bit of setup to make this work but technology advances quite

:02:30.:02:32.

quickly and things that are difficult today will

:02:33.:02:34.

We have seen some things like this before as well.

:02:35.:02:38.

I looked at a hack recently where they could measure

:02:39.:02:40.

the vibrations in a crisp packet to record my voice.

:02:41.:02:43.

So I think in the future, things and technologies like this

:02:44.:02:45.

could be quite bad because it's going to allow people

:02:46.:02:48.

to extract a lot more information from our devices.

:02:49.:02:50.

It seems like the hackers are always going to find new and interesting

:02:51.:02:55.

ways to get inside our computers and of course the weapon

:02:56.:02:58.

of choice so far this year has been ransomware.

:02:59.:03:04.

In part because it is so easy to set up.

:03:05.:03:06.

I'd kind of assumed that getting hold of a piece of ransomware

:03:07.:03:10.

wouldn't be as easy as searching for it on Google and then

:03:11.:03:13.

This man has just informed me that I was wrong.

:03:14.:03:20.

So, here is one which is very popular.

:03:21.:03:22.

Then we can just download it straightaway.

:03:23.:03:29.

That's it, you don't have to go on to the dark net

:03:30.:03:34.

So, the code is actually really tiny, it's less

:03:35.:03:42.

than 200 lines of code, and that's for a full

:03:43.:03:44.

I could then change some of that code to specify how much money the

:03:45.:03:49.

malware asks for and the Bitcoin address it needs to be delivered to.

:03:50.:03:54.

And sure enough, the programme turns all of our sample documents

:03:55.:03:56.

into illegible garbage, which can only be retrieved

:03:57.:04:00.

if the creators, in this case us, provide the unlock code.

:04:01.:04:08.

OK, I'm slightly depressed at how easy it was to find some ransomware

:04:09.:04:11.

It's going to get easier in a minute.

:04:12.:04:15.

Next we hop onto a site that will connect me to people

:04:16.:04:20.

who will set up and run ransomware for me.

:04:21.:04:25.

So, this guy here will charge you $125.

:04:26.:04:28.

These guys, they'll give you lots of customer support.

:04:29.:04:30.

They also offer you some advice on how to deliver it to people.

:04:31.:04:33.

Yeah, yeah, and by your phone you can talk to this guy over

:04:34.:04:39.

And if you're too lazy to send this to people,

:04:40.:04:46.

there is another guy who, for a cut, will then e-mail this

:04:47.:04:49.

"Are you a criminal but too lazy to do any work?

:04:50.:04:53.

There are some video adverts like that as well.

:04:54.:04:57.

Surely you can engage this person in chat and go

:04:58.:05:01.

They use software to make sure you can't find where

:05:02.:05:08.

Actually, before you do, Spen, there is hope.

:05:09.:05:20.

There are professionals looking out for us and Lara has been to meet

:05:21.:05:24.

the good guys who are at the top of their game.

:05:25.:05:30.

One report suggests that one in six businesses in Europe

:05:31.:05:34.

Some of them, of course, providing critical care.

:05:35.:05:44.

I'm in Newport, Wales, at Airbus CyberSecurity.

:05:45.:05:47.

This is probably not the first thing you would associate

:05:48.:05:49.

with the company name but here, some top tier network

:05:50.:05:52.

Their clients include the Ministry of Defence as well as large airports

:05:53.:06:00.

and power companies, plus many others who can't be named.

:06:01.:06:08.

WannaCry was quite unique by way of ransomware in that once it

:06:09.:06:11.

infected a single host it actually wanted to go out and look for other

:06:12.:06:15.

hosts that are similar to it within its own network.

:06:16.:06:20.

That's why it spread not just within the NHS but globally

:06:21.:06:23.

across many other companies and many other individuals as well.

:06:24.:06:28.

But how about an attack that exploits a vulnerability we've

:06:29.:06:30.

Typically, the scramble around that is actually obtaining some code

:06:31.:06:41.

and then almost putting it in a sandbox.

:06:42.:06:43.

A sandbox being a place to isolate the issue so it can be played with,

:06:44.:06:47.

Large organisations may employ companies like Airbus to keep

:06:48.:06:55.

the water flowing and the lights on, but what advice would they give

:06:56.:06:58.

Well, we use cyber threat indicators on our network and this is something

:06:59.:07:07.

that is freely available to the general user.

:07:08.:07:10.

So if you are more tech savvy, you can utilise this threat

:07:11.:07:12.

intelligence to explain more about current malware threats

:07:13.:07:14.

and trends and understand if you are susceptible to this

:07:15.:07:17.

malware and particularly vulnerable or running a vulnerable version

:07:18.:07:22.

So that information is out there and I would encourage

:07:23.:07:28.

But what does all this mean for the future?

:07:29.:07:35.

Does cyber security get better at the rate hackers do?

:07:36.:07:40.

We get better and then they will follow.

:07:41.:07:45.

And it just moves further and further into complex areas

:07:46.:07:47.

but rest assured that we're working very hard to keep on top of those.

:07:48.:07:57.

So, the advice on how to avoid a cyber attack may not have changed

:07:58.:08:00.

in years: make sure you always do your software updates,

:08:01.:08:03.

back everything up and generally be sensible online, but WannaCry may

:08:04.:08:05.

have just frightened more of us into taking action.

:08:06.:08:11.

Lara Lewington battling the bad guys, which is exactly

:08:12.:08:13.

what this conference, Black Hat, is all about.

:08:14.:08:20.

The corporate side of this cyber security conference

:08:21.:08:22.

But what happens when you've caught a cybercriminal?

:08:23.:08:27.

What if it is a first-time hacker who probably didn't even realise

:08:28.:08:29.

Well, Dan has been to the UK's first ever rehab for hackers.

:08:30.:08:39.

It was me and two other friends, just a bit of fun.

:08:40.:08:45.

I manipulate people's feelings, thoughts.

:08:46.:08:47.

We tried to break into our school's network.

:08:48.:08:58.

We could control people's screens, change passwords.

:08:59.:09:02.

I got arrested for Misuse of Computer Act, 1990, section three.

:09:03.:09:07.

I can't name the company but they lost a lot of money.

:09:08.:09:13.

This is definitely a way to get ahead of the curve and to stop

:09:14.:09:17.

anyone from possibly taking a misinformed choice

:09:18.:09:19.

This is the UK's first reboot camp for hackers.

:09:20.:09:35.

The first seven through the doors, aged 16-20, all intend

:09:36.:09:38.

to change their ways, so we've agreed to keep

:09:39.:09:40.

Rehab includes spotting moments when they might be tempted to cross

:09:41.:09:47.

the line of what's legal and what's not.

:09:48.:09:51.

That looks like I could get everyone's details.

:09:52.:09:56.

Your parents will not have any idea how you do what you do.

:09:57.:09:59.

Solomon Gilbert was caught as a teenage offender.

:10:00.:10:05.

Now he's the one giving the lectures, in between tackling

:10:06.:10:08.

I was getting drawn into making my own malicious code,

:10:09.:10:17.

making my own exploits, stealing things like credit card

:10:18.:10:20.

I wouldn't do anything with them but it ended up with me getting

:10:21.:10:25.

kicked out of school and arrested and looked into by the

:10:26.:10:28.

What were the key moments that changed your path?

:10:29.:10:37.

Everyone in the cyber security industry has one person that

:10:38.:10:40.

they've met that's gone, well, you're very talented at this,

:10:41.:10:44.

Cyber Security Challenge UK has set up a capture the flag competition

:10:45.:10:51.

so that teenagers can show off their skills.

:10:52.:10:55.

Several large companies are here to talk future job opportunities.

:10:56.:11:02.

The UK hasn't got enough people to protect itself.

:11:03.:11:05.

Businesses, the nation, individual accounts,

:11:06.:11:07.

we all need protecting and that's why we exist.

:11:08.:11:11.

We know they're there, we need to find them.

:11:12.:11:16.

These offenders know this is a second chance,

:11:17.:11:18.

one they didn't realise they were so well qualified for.

:11:19.:11:24.

I was more interested in the dark side, back when I was young.

:11:25.:11:27.

I wasn't really looking at the good side.

:11:28.:11:29.

The dark side was mainly just attacks, attacks, attacks,

:11:30.:11:32.

Well, now I know that it exists, it sounds like something that I'd

:11:33.:11:37.

really, really like to go into because you get the same, like,

:11:38.:11:40.

rush, the same excitement, but you're doing it for fun,

:11:41.:11:45.

still, but it's legal and you get paid.

:11:46.:11:47.

Did you know you can get money out of an ATM even if you don't

:11:48.:12:03.

What you'll need instead is a drill, a USB keyboard, some malware

:12:04.:12:15.

on a USB stick and an intention to break the law.

:12:16.:12:23.

So, in this specific example that we've got set up here,

:12:24.:12:25.

an attacker has come to the front of the ATM, they've drilled

:12:26.:12:30.

What we can do now, you can see we can access this USB cable.

:12:31.:12:39.

Right, so, inside here something that has a USB port.

:12:40.:12:41.

According to Positive Technologies Research,

:12:42.:12:48.

more than half of ATMs still run Windows XP.

:12:49.:12:53.

And although the USB port will rarely be this easy

:12:54.:12:55.

to access inside the ATM, recent cash machine hacks

:12:56.:12:58.

in Taiwan and Thailand showed that it can be done.

:12:59.:13:04.

I'm sure not many people would expect this to just be

:13:05.:13:07.

Perhaps not but it's just a safe with a computer on top.

:13:08.:13:13.

Which means that with a keyboard plugged in, it's pretty simple

:13:14.:13:16.

to download and run the malware to, well, show me the money.

:13:17.:13:19.

Your malicious software basically says, dispense cash.

:13:20.:13:35.

Shouldn't the ATMs be slightly more protected and locked down?

:13:36.:13:45.

You would think that but it's how you would configure those computers.

:13:46.:13:48.

But we found they are not particularly secure,

:13:49.:13:50.

so you could put malware on a system that could collect data

:13:51.:13:53.

That would be information that is held on our cards.

:13:54.:13:59.

So I, as a consumer, if I'm using this machine,

:14:00.:14:01.

And that could spread around a whole network of ATMs.

:14:02.:14:07.

So, you could use one ATM to infect a whole network?

:14:08.:14:09.

One way to protect yourself is to use ATMs inside bank branches

:14:10.:14:15.

or which are watched over by security cameras.

:14:16.:14:22.

We spoke to NCR, one of the leading manufacturers and the maker

:14:23.:14:25.

They agree that security threats are becoming more complex

:14:26.:14:32.

and sophisticated and told us, "NCR provides its customers

:14:33.:14:34.

with comprehensive recommendations and security defences to address

:14:35.:14:36.

these challenges and help them to assess and improve

:14:37.:14:38.

It was the week that Google unveiled its SOS Alerts feature,

:14:39.:14:54.

which will show where a crisis is taking place.

:14:55.:14:58.

Adobe announced plans to kill off Flash Player from 2020.

:14:59.:15:00.

And a company in Wisconsin is microchipping its employees.

:15:01.:15:05.

And the Boring Company is firmly going against its name,

:15:06.:15:07.

as Elon Musk posted a video to Instagram of a car

:15:08.:15:10.

going underground on an elevator in Los Angeles.

:15:11.:15:14.

The Tesla CEO's side project proposes building a network

:15:15.:15:17.

of tunnels under the city, which will drag cars,

:15:18.:15:20.

passengers and cargo in super fast moving sleds.

:15:21.:15:25.

And it was a busy week for Musk, as he clashed with Mark Zuckerberg

:15:26.:15:28.

During an informal Facebook Live, Mark Zuckerberg said Musk's claims

:15:29.:15:33.

that AI poses a fundamental risk to human civilisation

:15:34.:15:36.

But Musk took to Twitter to respond, writing Zuckerberg's knowledge

:15:37.:15:43.

First it was gone and then it wasn't, as Microsoft puts to bed

:15:44.:15:51.

reports that it was getting rid of its graphic programme, Paint.

:15:52.:15:54.

People rushed to social media to show their love for the programme,

:15:55.:15:57.

which won't remain on Microsoft 10 by default in the future

:15:58.:16:00.

but will be available on the Windows Store for free.

:16:01.:16:04.

And now you can live out your pop dreams in AR.

:16:05.:16:10.

Not shying away, a Chicago-based studio have recreated the classic

:16:11.:16:13.

A-ha Take On Me video using the iOS 11 ARKit.

:16:14.:16:27.

Recently, there seems to have been an increase in the number of brute

:16:28.:16:30.

This is where the hacker uses a programme to constantly

:16:31.:16:34.

try new passwords until they hit the jackpot.

:16:35.:16:39.

In the past, security services have recommended creating as long

:16:40.:16:42.

and complex passwords as possible, never writing them down

:16:43.:16:44.

However, we're only human and we don't have the time

:16:45.:16:50.

or patience to remember multiple strings of letters and digits.

:16:51.:16:55.

To combat this, the National Cyber Security Centre has

:16:56.:16:58.

Firstly, don't change your password constantly because this encourages

:16:59.:17:04.

us to use simpler passwords and maybe just add a different

:17:05.:17:07.

And besides, it only protects you from someone

:17:08.:17:12.

who steals your password and then waits three months to use it.

:17:13.:17:16.

You should, however, update your password if you have any

:17:17.:17:19.

Keep your passwords complex, but not too complex.

:17:20.:17:26.

For example, three random words stuck together.

:17:27.:17:31.

This means instead of trying every one of the 200,000 or so words

:17:32.:17:34.

in the English dictionary, hackers have to try every

:17:35.:17:36.

combination of every word, and that is a massively harder task.

:17:37.:17:45.

Set up two step authentication for any accounts that

:17:46.:17:47.

This means the hacker needs to not only have your password

:17:48.:17:53.

but also your phone, to break in.

:17:54.:17:55.

And store your passwords, either on a piece of paper in a safe place

:17:56.:17:59.

Now, this is either hardware or software that generates and stores

:18:00.:18:05.

long, complex passwords for your different accounts.

:18:06.:18:09.

How can you remember 20 or 30 passwords that we frequently use

:18:10.:18:12.

With a solution like LastPass, it will create 100-character

:18:13.:18:17.

passwords for every site, that is really, really hard to hack

:18:18.:18:20.

While security is a really daunting subject and the stakes are high,

:18:21.:18:29.

it can appear quite onerous, but these solutions

:18:30.:18:31.

All you have to remember is one master password

:18:32.:18:35.

Just make sure THAT password is really hard!

:18:36.:18:56.

Humans have been using handprints to identify themselves

:18:57.:18:58.

These ones here, the Hands Across Time just outside Las Vegas,

:18:59.:19:05.

in Red Rock, are hundreds of years old.

:19:06.:19:08.

They're some of the earliest examples of native Americans

:19:09.:19:10.

In recent years we've started to use our hands to identify us

:19:11.:19:19.

again and Dan's been finding out how secure they might be.

:19:20.:19:26.

At Bristol Robotics Lab, they're taking an interest in every detail.

:19:27.:19:33.

Now, if you're sensitive to flashing lights, look away now.

:19:34.:19:44.

Is that more secure, then, than just using your fingerprint?

:19:45.:19:50.

With a fingerprint, it's a small region of the hand.

:19:51.:19:53.

Obviously with this system we're getting the whole surface and that,

:19:54.:19:56.

combined with the vein structure, just adds an extra layer of security.

:19:57.:19:59.

Research recently showed the ability to extract fingerprints

:20:00.:20:04.

or handprints off celebrities from a distance.

:20:05.:20:10.

So, you could use that to generate a 3-D surface but you still wouldn't

:20:11.:20:15.

have the vein structure on the back of the hand.

:20:16.:20:17.

That would be very difficult to hack.

:20:18.:20:20.

In Chicago, some people are already using their palm

:20:21.:20:22.

PalmSecure's touchless readers only use infrared lights to take

:20:23.:20:33.

Iris scanners are also about to emerge from the lab and be

:20:34.:20:41.

From September, TSB will be the first bank in Europe to adopt

:20:42.:20:45.

retina scan technology as a way of accessing online bank accounts,

:20:46.:20:51.

although initially customers will need a Samsung Galaxy S8

:20:52.:20:53.

In May, the Chaos Computer Club in Germany posted this video,

:20:54.:21:02.

fooling the S8's iris scanner using a photograph

:21:03.:21:04.

TSB and Samsung are hoping that others won't go

:21:05.:21:12.

At the CyLab Biometrics Center in Pittsburgh, they've developed

:21:13.:21:18.

a system that can identify the irises of people moving in

:21:19.:21:21.

But if the eyes don't have it, the face just might.

:21:22.:21:33.

Back at Bristol Robotics Lab, this 3-D face scanner

:21:34.:21:36.

is using a technique they've developed called Photometric stereo.

:21:37.:21:40.

Two invisible lights flash at high speed,

:21:41.:21:43.

allowing the camera to capture the orientation, shape

:21:44.:21:45.

So far, it has a 95% accuracy rate but that's good enough to attract

:21:46.:21:55.

They are working with Cubic, which develops the Oyster card

:21:56.:22:02.

contactless payment system used in London's trains and buses.

:22:03.:22:04.

It's being part funded by the British government

:22:05.:22:08.

to innovate gateless technologies, allowing passengers to simply walk

:22:09.:22:10.

You can imagine, if you can get rid of the gate line in a place

:22:11.:22:21.

like Victoria Station, there's a massive potential

:22:22.:22:23.

So we ran quite an interesting project for them, which they are now

:22:24.:22:27.

installing at their laboratory in Salford and the aim is to move it

:22:28.:22:32.

on to the Underground so that the system will recognise

:22:33.:22:35.

people and you get rid of the gates and it will allow people to go

:22:36.:22:39.

Now, this is a prototype but we have been told

:22:40.:22:51.

that the system will recognise even a pair of glasses.

:22:52.:22:53.

So, let's see if it knows who I am now.

:22:54.:22:56.

Look at that, you can see my name come up right there.

:22:57.:23:00.

Just walk around, the face is the key to doing everything

:23:01.:23:04.

And just to double-check, I've tried to fool it with this guy.

:23:05.:23:12.

It recognises me but this is very clearly an impostor.

:23:13.:23:25.

This face clearly isn't going to get me anywhere.

:23:26.:23:43.

Of course we'll be back with more next week from Vegas including

:23:44.:23:55.
