Tuesday, August 12, 2008

Pwned! When Hackers Get Hacked

They had no idea it was happening.
In the end, it was hackers at DefCon that got hacked.

After three days of software cracking duels and hacking seminars, self-described computer ninjas at the infamous gathering in Las Vegas found out Sunday that their online activities were hijacked without them catching on.

A standing-room crowd cheered admiringly as Tony Kapela and Alex Pilosov showed them how they were "pwned" by a simple technique that could be used to "steal the Internet."

"Pwned" is popular computer and video game culture slang playing off the word "owned" and is used to describe someone being totally dominated or humiliated online or in-game.

"It's a nearly invisible exploitation," Kapela said while revealing a hack that exploits fundamental Internet routing procedure to hijack online traffic unnoticed. "A level of invisibility that is unparalleled."

The beauty of the technique presented by Alex Pilosov and Kapela is that hackers don't need to break into websites or plant malicious computer code to control and tamper with data travelling the Internet, the presentation showed.

Instead, the Internet is duped into sending people's data to hackers.

"Someone can passively intercept traffic," Kapela explained. "We can store, drop, filter, mutilate, grope, or modify data heading to you."

The tens of thousands of networks handling traffic on the Internet are programmed to trust each other for the best routes for data.

The choice of optimal route is made instantly: data goes to the network claiming the longest, and therefore most specific, numerical Internet address for its destination.

A hacker can hijack traffic to and from websites of choice by adding enough numbers to the addresses his or her network claims, making them longer than the legitimate network's, so that the hacker's network is automatically deemed the best path for the data.
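The longest-match rule described above, together with the check a network operator can run against it, as an added example that is not code from the presentation or the article. It models only prefix length; the prefixes (RFC 5737 documentation ranges), AS numbers (RFC 5398 documentation range), and the function names `best_route` and `suspicious` are constructed for illustration.

```python
import ipaddress

# Constructed sample data: documentation prefixes (RFC 5737) and
# documentation AS numbers (RFC 5398); none of this is from the talk.
EXPECTED_ORIGINS = {ipaddress.ip_network("203.0.113.0/24"): 64500}

ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),    # the legitimate network's own route
    ("203.0.113.0/25", 64511),    # more specific, unexpected origin
    ("203.0.113.128/25", 64511),  # more specific, unexpected origin
    ("198.51.100.0/24", 64501),   # unrelated route
]


def best_route(dest, announcements):
    """Longest-prefix match: the most specific covering route wins."""
    addr = ipaddress.ip_address(dest)
    covering = [(ipaddress.ip_network(p), asn) for p, asn in announcements
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, asn = max(covering, key=lambda r: r[0].prefixlen)
    return str(net), asn


def suspicious(announcements, expected):
    """Flag routes inside a monitored prefix whose origin AS is unexpected."""
    alerts = []
    for prefix, asn in announcements:
        net = ipaddress.ip_network(prefix)
        for monitored, owner in expected.items():
            same_family = net.version == monitored.version
            if same_family and net.subnet_of(monitored) and asn != owner:
                kind = ("more-specific" if net.prefixlen > monitored.prefixlen
                        else "same-prefix")
                alerts.append((prefix, asn, kind))
    return alerts


if __name__ == "__main__":
    legit_only = [ANNOUNCEMENTS[0], ANNOUNCEMENTS[3]]
    print("before:", best_route("203.0.113.10", legit_only))
    print("after: ", best_route("203.0.113.10", ANNOUNCEMENTS))
    for alert in suspicious(ANNOUNCEMENTS, EXPECTED_ORIGINS):
        print("ALERT:", alert)
```

The two /25 routes together cover the whole /24, so every address in it follows the unexpected origin even though the legitimate route is still present; that is why monitoring for covered, more-specific announcements catches what a simple "is my route still there" check misses.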

"We construct the man-in-the-middle attack on the Internet," Kapela said, referring to a classic hack in which someone gets between a computer user and their online destination.

"Internet routing is inherently trust based. We told the route that we know the best way to an address. A hacker could blast a lot of spam or launch a lot of phishing attacks."
