
Hacking is becoming easier: Experts

CIOL Bureau

By Elinor Mills Abreu



LAS VEGAS: Computer vandals toting nothing more than a Sega game device, handheld computer, or even a compact disc can slip into offices and launch "phone home" attacks via remote computers under their control, speakers at a U.S. hackers convention said on Friday. Lonely office printers aren't any safer, and can be hacked into through an Internet connection via a corporate network, one speaker said at the annual Defcon conference of computer security enthusiasts and mischievous network tinkerers.



More than 5,000 people are expected for the three-day meeting, which started on Friday and is held in an out-of-the-way Las Vegas hotel at the edge of the Nevada desert. The decade-old event has become the biggest annual gathering of the computer counterculture.

Basically, any device that sits on a network "can run malicious code, can be made to do attacks and can do anything you want them to do," said Chris Davis, a security consultant at RedSiren, a computer security firm in Reston, Virginia. "The idea is any computer can pose a potential threat," he said.



"More and more things are embedded in computers. We could put the same code on a TiVo if we wanted to," said Aaron Higbee, a security consultant at Foundstone of Mission Viejo, California. TiVo allows people to record TV programs while away or while watching other programs at the same time. Firewalls -- the computer security barriers that organizations depend on to defend against outside intrusions -- are worthless against such attacks, Higbee said. While they are configured to block suspicious traffic from getting into the network, they also permit any type of traffic to get out, he said.



To create a tunnel to a remote computer, an attacker must first get physical access to devices or network connections in the building.



Five minutes to create havoc


Sometimes they can rely on unsuspecting souls inside the company to do their dirty work for them by sending them an innocent-looking compact disc that contains tunneling software. A disc containing a special program to activate itself can find the network and reach the Internet on its own, creating the opening for a hacker to wreak havoc inside the company's network, Davis said.



Another method of unlocking the network door and opening the tunnel is for the hacker to gain physical access to an office building and plug simple devices onto the network. "Five minutes on the inside is all you need," said Davis, who does penetration testing for companies to see how easy it is to compromise their systems. The speakers demonstrated for the crowd how an attacker can slip a tunneling CD into a CD-ROM drive, a Sega Dreamcast gaming console, or a Compaq iPaq, and connect to the network.



Once a connection is established, devices such as the Sega game player can analyze the network for routes data can travel to the Internet and establish a secret tunnel to an outside computer controlled by the hacker.

Stop worrying so much about viruses in desktop computers. It's midnight, and do you know what your networked office printer is up to? With printers, attackers don't even have to enter the building, said Dennis Mattison, a computer scientist at Science Applications International Corp., a top military contractor in the communications research arena based in San Diego.



Printers are increasingly becoming more complex, with more sophisticated software and functions, making them easy and unsuspecting targets, he said. Still, there is little evidence such attacks have become widespread, the experts said. But with more and more devices every day being connected to computer networks, the exposure to such threats makes such attacks inevitable one day.



"These are theoretical attacks," he said. "There are not many known attacks out there."



© Reuters
