29 July 2013

Famed hacker Barnaby Jack dies


Hacker Barnaby Jack has died in San Francisco.

BARNABY JACK, 1977-2013

Barnaby Jack, who has died aged 35, was a "white hat" hacker and computer security expert who sought to preserve the integrity of information systems. In 2010 he came to widespread notice when he demonstrated live on a conference stage how he could drain an ATM (automated teller machine) of its entire reservoir of cash.

In 2008 Jack bought two ATMs, of the kind seen in bars and shops, over the internet for $US2000 each, and had them delivered to his apartment in San Jose, California. The New Zealand-born computer engineer later recalled: "So the guy, he wheels in this ATM, and he's like, 'Why on earth do you need an ATM in your house?' And I'm like, 'Oh, I just don't like the transaction fees, mate.'"
For the next two years he analysed their software codes, believing that there were inherent weaknesses that would allow the machines to be controlled through the internet.
Eventually Jack succeeded in bypassing the demands for passwords and serial numbers, and was able to access his ATMs remotely. He could then withdraw all their cash - a process that became known as "Jackpotting". He could also access information about bank accounts from the magnetic strips on bank and credit cards, and steal ATM users' passwords.

At the Black Hat computer security conference in Las Vegas in July 2010, Jack demonstrated all this live on stage, showing how he could connect to an ATM via a telephone modem and, without using a password, withdraw all the machine's cash.

As director of security testing at the Seattle-based computer security consultants IOActive, Jack's purpose was to alert the manufacturers to potential failures in their systems. In an interview with CNN after the conference he said: "We were really careful when we gave this demonstration to make sure that the vendors had mitigation remediation in place before we went up and did it. I mean, the goal at Black Hat was certainly not to give a cookbook recipe for everyone out there to be able to go and loot ATMs. So we made sure the vendors had fixes in place.

"I demonstrated two different attacks. One was a walk-up attack, where I would literally walk up to an ATM, [and] within about two minutes it would just start spitting out its entire dispenser. Of course you had to be at the ATM for that one to work. The other attack was completely remote, so I could do it from a laptop in a hotel room or your bedroom... But I also had it harvesting people's credit cards and PIN numbers, which I could then retrieve remotely as well. It was 100 per cent anonymous, and bypassing all authentication."

Jack was concerned that, when it came to ATMs, too much emphasis was placed on the "physical" defences, such as whether the machine was bolted down, or whether there was CCTV. "This is the first time anyone had actually looked at the underlying software," he claimed. "And once I sort of dug in, ripped the software apart, I was really surprised at the amount of flaws that are hiding underneath there." He added: "I am not naive enough to think I am the only one who can do it."

Barnaby Michael Douglas Jack was born in Auckland, New Zealand, on November 22 1977, the son of Michael and Sammi Jack, and was fascinated by computers from boyhood.

Jack made his career in the United States, and from the age of 21 worked as a research engineer in the computer security software business, at Network Associates, Foundstone and eEye Digital Security. In 2006 he moved to Juniper Networks, and in June 2010 joined IOActive as director of research. At the time of his death he was director of embedded device security.

He died only a week before he was due to demonstrate at a conference how an assassin might kill his victim by disabling an implanted pacemaker or defibrillator from 30 feet away - an idea used in the television series Homeland, starring Damian Lewis and Claire Danes.

In June this year Jack said: "Malware will often slow down a computer, and when you slow down a medical device it no longer gives the integrity needed to perform as it should." He considered the Homeland scenario "fairly realistic" - although "they required a serial number, my demonstration does not".

At a recent conference in Melbourne, Jack had delivered an 830-volt jolt to a pacemaker by logging into it remotely. Many medical devices use wireless technology, and authorisation that requires only a user name and password that can be remotely extracted from them. Jack said these were designed to be easy to crack by a doctor needing to give treatment in an emergency.

Jack even suggested that it would be possible to write a "worm" for a particular brand of pacemaker or defibrillator, then spread it to other devices within range, from one person to another.

Barnaby Jack was found dead at his apartment in San Francisco; the cause of death is unknown.

He is survived by his mother, his sister, Amberleigh, and by his girlfriend, Layne Cross.

smh.com.au 29 July 2013

When you mess with the 'authorities', a so-called heart attack, cancer, or whatever else can be easily fabricated.

Let the conspiracy begin.
