Other highlights for me today included Karl Chaffey talking about many bluetooth sniffing things and detailing how much data he picked up from discoverable bluetooth devices he sniffed just walking past several sites in Auckland. Karl has a degree in physics and psychology and looks like someone I should probably have some shared interests in and should get in touch with. He also put us on to various bluetooth sniffing techniques, such as: Bluesnarfing, Bluebugging, Bluesmack, Bluestab, Bluespoof, Carwhisperer, HidAttack, Remote root over BT, iBug, Blueprinting and BTCrack. Worth chasing up for experimental purposes I think.

The highlight of the day for me, just before fatigue tuned me out was Paul Craig talking about how much data he was able to find just using Google that botnets had harvested from internet users daily activity, including webmail, credit card details, usernames, passwords, and all sorts of other private data. It was hair-raising stuff. Fortunately, Google seem to be on to it, but the amount of data that has been harvested via botnets is truly frightening. As Paul quoted, people underestimate the value of their information thinking that there is no reason for people to target them. There is, and they are. If I learned anything over the last few days it is how I need to understand VMware and to set myself up a couple of VMmachines. i will also perhaps start to take a bit more interest in the IP addresses that visit my blog and understand a bit more about what they are trying to do and what they know about me. Paul also unveiled a new trojan that reveals a previously undocumented Windows XP and Vista vulnerability. I won’t say much about it here, as I’m sure it will hit the media soon. Moth trojan is what you need to google.

What with getting up early after the kicking-in of daylight savings time here in NZ, I was pretty tired at the end of the day. Toby’s offer of a free ticket to go and see Wellington Phoenix play couldn’t tempt me from a bath and my bed.

Back to work – Monday morning and snacky time is over.

Cartel gave voice to a more ideological expression of hacker orientation and activity, or hacktivism, than the other more technical looking sessions. He talked about the proposed bill to look at rights pertaining to stop and search – which purports to give powers  to police to pry into computers seized in search.

He questioned some of the  wording in the draft bill, asking whether this gives authorities the potential opportunity to make unauthorised changes to your laptop. What iI think follows this is the question around how is this governed or forensically controlled? I’m not sure whether the draft legislation attempts to address this, or even wants to.

Cartel continued and talked about how customs agents at Auckland airport had demanded the authentication passphrase for his notebook user account and removed the laptop from his sight for 45 minutes.

When he got home and scanned his notebook for the activity that took place h found out that they looked at his attachments of emails while it was out of sight. He enquired after the fact and after something of a runaround he was told they were allowed to do this but would not say what law gave them the power to do this.

As a result of his experience, he told the conference that he has set up a script for duress authentication with a layer that is triggered after putting in duress password and also encodes what is done to your notebook when it is out of sight and has unauthorised access. A class example of hacktivism.
Lots more highlights of the day until it got a little over my head. Eon and Oddy talking about how they portscanned the whole of the .jp domain and found unprotected conference cameras and pwned them and showed us the results and gave some tools to try and play with (that’ll take me a while). Another big highlight for me was Peter Guttman talking about how easy it is to scan and clone RFIDs in passports and credit cards (the litte gold chip), and the type I and type II error tensions inherent in establishing and implementing biosecurity systems. They just don’t work and in no way live up to their manufacturer’s claim. In fact, most RFIDs that claim to be encrypted are nothing of the sort. Scary, and well-worth knowing, though I have been something of a skeptic of RFID chips for a while. In fact, I deliberately applied for my renewed UK passport on the last day possible in New Zealand to ensure it was issued WITHOUT an RFID chip in it, even though my passport still had 6 months to run.

Chips and tinfoil hats aside, it was a great day, though it got a bit techy for ignorant me towards the end of the day. Looking forward to seeing what tomorrow will bring – my first ever hacktivism conference continues …