Fear and Coding in Las Vegas Click

help at Wimbledon this year." Her baby is due in January. That's all

the sport for now. More in the next hour but now it is time for Click.

This week, the team are in Vegas, making faces for cash.

And this week, the largest hack-fest on the planet.

If there's one week of stuff in Vegas that isn't staying

in Vegas, it's this week's BSides, Black Hat and notorious

This is the week where hackers rub up against law enforcers

and everyone peeks over each other's shoulders and networks.

So, let's get straight into the action.

Daniel here has got an extra piece of software running allowing him

to hear what's being typed on the other end of a Skype call.

The software during a Skype call learns how your keyboard sounds

like and if you later during the call type

something sensitive, like a password or e-mail,

we can understand what you've typed using machine learning algorithms.

This is because each key has a unique fingerprint based

on the position of the key on the keyboard.

The suggested results from what our victim might be typing

As you can see, it's spotted every word except one but when asked

to choose the words to make the most likely sentence, it's

He is not just our victim, he's also a security researcher

who is here to keep Click on track with a hacker's view

of the conferences for the next couple of episodes.

So, the technology is still quite young.

It took a bit of setup to make this work but technology advances quite

quickly and things that are difficult today will

We have seen some things like this before as well.

I looked at a hack recently where they could measure

the vibrations in a crisp packet to record my voice.

So I think in the future, things and technologies like this

could be quite bad because it's going to allow people

to extract a lot more information from our devices.

It seems like the hackers are always going to find new and interesting

ways to get inside our computers and of course the weapon

of choice so far this year has been ransomware.

In part because it is so easy to setup.

I'd kind of assumed that getting hold of a piece of ransomware

wouldn't be as easy as searching for it on Google and then

This man has just informed me that I was wrong.

So, here is one which is very popular.

Then we can just download it straightaway.

That's it, you don't have to go on to the dark net

So, the code is actually really tiny, it's less

than 200 lines of code, and that's for a full

I could then change some of that code to specify how much money be

malware asks for and the Bitcoin address it needs to be delivered to.

And sure enough, the programme turns all of our sample documents

into illegible garbage, which can only be retrieved

if the creators, in this case us, provide the unlock code.

OK, I'm slightly depressed at how easy it was to find some ransomware

It's going to get easier in a minute.

Next we hop onto a site that will connect me to people

who will set up and run when somewhere for me.

So, this guy here will charge you $125.

These guys, they'll give you lots of customer support.

They also offer you some advice on how to deliver it to people.

Yeah, yeah, and by your phone you can talk to this guy over

And if you're too lazy to send this to people,

there is another guy who, for a cut, will then e-mail this

"Are you a criminal but too lazy to do any work?

There are some video adverts like that as well.

Surely you can engage this person in chat and go

They use software to make sure you can't find where

Actually, before you do, Spen, there is hope.

There are professionals looking out for us and Lara has been to meet

the good guys who are at the top of their game.

One report suggests that one in six businesses in Europe

Some of them, of course, providing critical care.

I'm in Newport, Wales, at Airbus CyberSecurity.

This is probably not the first thing you would associate

with the company name but here, some top tier network

Their clients include the Ministry of Defence as well as large airports

and power companies, plus many others who can't be named.

WannaCry was quite unique by way of ransomware in that once it

infected a single host it actually wanted to go out and look for other

hosts that are similar to it within its own network.

That's why it spread not just within the NHS but globally

across many other companies and many other individuals as well.

But how about an attack that exploits a vulnerability we've

Typically, the scramble around that is actually obtaining some code

and then almost putting it in a sandbox.

A sandbox being a place to isolate the issue so it can be played with,

Large organisations may employ companies like Airbus to keep

the water flowing and the lights on, but what advice would they give

Well, we use cyber threat indicators on our network and this is something

that is freely available to the general user.

So if you are more tech savvy, you can utilise this threat

intelligence to explain more about current malware threats

and trends and understand if you are susceptible to this

malware and particularly vulnerable or running a vulnerable version

So that information is out there and I would encourage

But what does all this mean for the future?

Does cyber security get better at the rate hackers do?

We get better and then they will follow.

And it just moves further and further into complex areas

but rest assure that we're working very hard to keep on top of those.

So, the advice on how to avoid a cyber attack may not have changed

in years: make sure you always do your software update,

back everything up and generally be sensible online, but WannaCry may

have just frightened more of us into taking action.

Lara Lewington battling the bad guys, which is exactly

what this conference, Black Hat, is all about.

The corporate side of this cyber security conference

But what happens when you've caught a cybercriminal?

What it is a first-time hacker who probably didn't even realise

Well, Dan has been to the UK's first ever rehab for hackers.

It was me and two other friends, just a bit of fun.

I manipulate people's feelings, thoughts.

We tried to break into our school's network.

We could control people's screens, change passwords.

I got arrested for Misuse of Computer Act, 1990, section three.

I can't name the company but they lost a lot of money.

This is definitely a way to get ahead of the curve and to stop

anyone from possibly taking a misinformed choice

This is the UK's first reboot camp for hackers.

The first seven through the doors, aged 16-20, all intend

to change their ways, so we've agreed to keep

Rehab includes spotting moments when they might be tempted to cross

the line of what's legal and what's not.

That looks like I could get everyone's details.

Your parents will not have any idea how you do what you do.

Solomon Gilbert was caught as a teenage offender.

Now he's the one giving the lecture is, in between tackling

I was getting drawn into making my own malicious code,

making my own exploits, stealing things like credit card

I wouldn't do anything with them but it ended up with me getting

kicked out of school and arrested and looked into by the

What were the key moments that changed your path?

Everyone in the cyber security industry has one person that

they've met that's gone, well, you're very talented at this,

Cyber Security Challenge UK has set up a capture the flag competition

so that teenagers can show off their skills.

Several large companies are here to talk future job opportunities.

The UK hasn't got enough people to protect itself.

Businesses, the nation, individual accounts,

we all need protecting and that's why we exist.

We know they're there, we need to find them.

These offenders know this is a second chance,

one they didn't realise they were so well qualified for.

I was more interested in the dark side, back when I was young.

I wasn't really looking at the good side.

The dark side was mainly just attacks, attacks, attacks,

Well, now I know that it exists, it sounds like something that I'd

really, really like to go into because you get the same, like,

rush, the same excitement, but you're doing it for fun,

still, but it's legal and you get paid.

Did you know you can get money out of an ATM even if you don't

What you'll need instead is a drill, a USB keyboard, some malware

on a USB stick and an intention to break the law.

So, in this specific example that we've got set up here,

an attacker has come to the front of the ATM, they've drilled

What we can do now, you can see we can access this USB cable.

Right, so, inside here something that has a USB port.

According to Positive Technologies Research,

more than half of ATMs still run Windows XP.

And although the USB port will rarely be this easy

to access inside the ATM, recent cash machine hacks

in Taiwan and Thailand showed that it can be done.

I'm sure not many people would expect this to just be

Perhaps not but it's just a safe with a computer on top.

Which means that with a keyboard plugged in, it's pretty simple

to download and run the malware to, well, show me the money.

Your malicious software basically says, dispense cash.

Shouldn't the ATMs be slightly more protected and locked down?

You would think that but it's how you would configure those computers.

But we found they are not particularly secure,

so you could put malware on a system that could collect data

That would be information that is held on our cards.

So I, as a consumer, if I'm using this machine,

And that could spread around a whole network of ATMs.

So, you could use one ATM to infect a whole network?

One way to protect yourself is to use ATMs inside bank branches

or which are watched over by security cameras.

We spoke to NCR, one of the leading manufacturers and the maker

They agree that security threats are becoming more complex

and sophisticated and told us, "NCR provides its customers

with comprehensive recommendations and security defences to address

these challenges and help them to assess and improve

It was the week that Google unveiled its SOS Alerts feature,

which will show where a crisis is taking place.

Adobe announced plans to kill off Flash Player from 2020.

And a company in Wisconsin are microchip being their employees.

And the Boring Company is firmly going against its name,

as Elon Musk posted a video to Instagram of a car

going underground on an elevator in Los Angeles.

The Tesla CEO's side project proposes building a network

of tunnels under the city, which will drag cars,

passengers and cargo in super fast moving sleds.

And it was a busy week for Musk, as he clashed with Mark Zuckerberg

During an informal Facebook Live, Mark Zuckerberg said Musk's claims

that AI poses a fundamental risk to human civilisation

But Musk took to Twitter to respond, writing Zuckerberg's knowledge

First it was gone and then it wasn't, as Microsoft puts to bed

reports that it was getting rid of its graphic programme, Paint.

People rushed to social media to show their love for the programme,

which won't remain on Microsoft 10 by default in the future

but will be available on the Windows Store for free.

And now you can live out your pop dreams in AR.

Not shying away, a Chicago-based studio have recreated the classic

A-ha Take On Me video using the iOS 11 AR kit.

Recently, there seems to have been an increase in the number of brute

This is where the hacker uses a programme to constantly

trying new passwords until they hit the jackpot.

In the past, security services have recommended creating as long

and complex passwords as possible, never writing them down

However, we're only human and we don't have the time

or patience to remember multiple strings of letters and digits.

To combat this, the National Cyber Security Centre has

Firstly, don't change your password constantly because this encourages

us to use simpler passwords and maybe just add a different

And besides, it only protects you from someone

who steals your password and then waits three months to use it.

You should, however, update your password if you have any

Keep your passwords complex, but not too complex.

For example, three random words stuck together.

This means instead of trying every one of the 200,000 or so words

in the English dictionary, hackers have to try every

combination of every word, and that is a massively harder task.

Set up two step authentication for any accounts that

This means the hacker needs to not only have your password

but also your phone, to break in.

And store your passwords, either on a piece of paper in a safe place

Now, this is either hardware software that generates and stores

long, complex passwords for your different accounts.

How can you remember 20 or 30 passwords that we frequently use

With a solution like Lastpass, it will create 100 character

passwords for every site, that is really, really hard to hack

While security is a really daunting subject and the stakes are high,

it can appear quite onerous, but these solutions

All you have to remember is one master password

Just make sure THAT password is really hard!

Humans have been using handprints to identify themselves

These ones here, the Hands Across Time just outside Las Vegas,

in Red Rock, are hundreds of years old.

They're some of the earliest examples of native Americans

In recent years we've started to use our hands to identify us

again and Dan's been finding out how secure they might be.

At Bristol Robotics Lab, they're taking an interest in every detail.

Now, if you're sensitive to flashing lights, look away now.

Is that more secure, then, than just using your fingerprint?

With a fingerprint, it's a small region of the hand.

Obviously with this system we're getting the whole surface and that,

combined with the vein structure, just add an extra layer of security.

Research recently showed the ability to extract fingerprints

or handprints off celebrities from a distance.

So, you could use that to generate a 3-D surface but you still wouldn't

have the vein structure on the back of the hand.

That would be very difficult to hack.

In Chicago, some people are already using their palm

PalmSecure's touchless readers only use infrared lights to take

Iris scanners are also about to emerge from the lab and be

From September, TSB will be the first bank in Europe to adopt

retina scan technology as a way of accessing online bank accounts,

although initially customers will need a Samsung Galaxy S8

In May, the Chaos Computer Club in Germany posted this video,

fooling the S8's iris scanner using a photograph

TSB and Samsung are hoping that others won't go

At the CyLab Biometrics Center in Pittsburgh, they've developed

a system that can identify the irises of people moving in

But if the eyes don't have it, the face just might.

Back at Bristol Robotics Lab, this 3-D face scanner

is using a technique they've developed called Photometric stereo.

Two invisible lights flash at high speed,

allowing the camera to capture the orientation, shape

So far, it has a 95% accuracy rate but that's good enough to attract

They are working with Cubic which develops the Oyster card

contactless payment system used in London's trains and buses.

It's being part funded by the British government

to innovate gateless technologies, allowing passengers to simply walk

You can imagine, if you can get rid of the gate line in a place

like Victoria Station, there's a massive potential

So we ran quite an interesting project for them, which they are now

installing at their laboratory in Salford and the aim is to move it

on to the Underground so that the system will recognise

people and you get rid of the gates and it will allow people to go

Now, this is a phototype but we have been told

that the system will recognise even a pair of glasses.

So, let's see if it knows who I am now.

Look at that, you can see my name come up right there.

Just walk around, the face is the key to doing everything

And just to double-check, I've tried to fool it with this guy.

It recognises me but this is very clearly an impostor.

This face clearly isn't going to get me anywhere.

Of course we'll be back with more next week from Vegas including