IEEE – Irrelevant Electronic & Electrical Engineers

Posted on May 9th, 2006 in IT Security by Rodney

Last night I had the extreme pleasure of attending a seminar on “Top Cyber Security Trends”, sponsored by the IEEE of Western Australia. This was a jointly organised event on behalf of both the IEEE (Institute of Electrical & Electronic Engineers) WA Chapter and ACS (Australian Computer Society). The event was organised by a Kevin Wong, a lecturer from the prestigious Murdoch University and the guest speaker was the highly qualified Mr. Prinya Hom-anek, President and Founder of ACIS Professional Centre, Bangkok, Thailand.

Now I’m done with being sarcastic, I need to find words to describe this event. Just now I can’t think of any, so we’ll see what comes up as I type. Things started badly. Firstly, the event was being held at Murdoch Uni, which is, speaking from personal experience – a dump. Secondly, it was held in the Brian Hill Lecture Theatre, which is in pretty much the worst part of the aforementioned dump. I decided to go with a friend, anyway, in the hope that something useful would come out of it.

We arrived and found a bunch of rather shabby looking students standing in the dark, eating pizza. My last shreds of hope that this may be a seminar containing useful information were quickly fading.

I think my personal favourite part of the evening happened next. Out of the shadows (it really was quite dark), stepped the kind of man you’d cross the road to avoid, who, with all the charm and grace that your average backyard computer enthusiast can muster, said “you guys work”. Very good, that was almost a complete sentence.

Now, to complete the picture a little, my friend and I were dressed in suits (pants & jacket, having just come from work), mine including a tie. This gentleman was wearing something he robbed from a corpse. He then proceeded to tell us he is trying to break back into the IT industry but “keeps coming up against brick walls, you know what I mean”. Brick walls included the fact that he hadn’t worked in IT for 9 years, since he was made redundant from a government position, he was on workers’ comp, after hurting himself lifting “146kg window frames” (presumably while training for the Olympics) and – my favourite – “cultural problems”. He then proceeded to tell us how outrageous it was that anyone could say they’d have cultural problems working with him, finishing the sentence with “bloody Asians”. The fact that he’d just confirmed their statement was clearly lost on him.

So anyway, on to the seminar. The event was billed as a detailed discussion of privacy concerns and IT security. Things continued their direction south when the speaker got up and said that he didn’t have very good English but he’d try. Fair enough, even if there’s a language barrier, the concepts of the topic should be worthwhile, right? Wrong. Let’s see what the amazing “cyber security” concerns of tomorrow are, according to Mr. Prinya Hom-anek.

  • Google hacking: This is where, I shit you not, you Google search for stuff like passwords or Excel files containing key corporate info, in the hope that some Gumby organisation has posted them on their Internet site and simply doesn’t know it. I am dead serious. This clown actually suggested this will be the main problem for organisations of tomorrow and the place for the “clever hacker”. He actually tried to convince us a bank in Thailand was “hacked” in this way. A quick one for the record. Searching for stuff on Google is not hacking, it’s searching. Google-searching, if you will. That’s what Google is for.
  • SQL Injection: If I understand correctly, this is where you travel back in time to 1998. Seriously, the man tried to suggest that with SQL injection you use the “magic password of ‘or ‘1′=1′” and this can then magically get you into “any SQL protected site” (apparently irrespective of the coding of said site). Apparently, many Thai government sites have been “hacked” this way (again, the definition of hacking appears flawed), due to their use of phpMyAdmin. This implies either a) the Thai government has not updated phpMyAdmin in about 8 years nor have they updated their SQL server or b) the guy is making crap up based on some extremely old article he has read. The latter seems likely, as many of his graphics had “Gartner 2001” at the bottom.
  • NetCraft Hacking: Another gem. This is where you go to Netcraft and (shock, horror!) – IT TELLS YOU WHAT A SITE IS RUNNING! Honestly, it was like this guy had only found the net last week. He then proceeded to tell us he used this tool to find sites running Apache. That’s the same Apache web server that serves up around 80% of the web. Well done, champ.
  • Hosts file hijacking: Yes, again, we’re travelling back in time to the mid 90’s, to the world of host file hijacks! While you’re here, have a quick look around the fresh new OS from Microsoft, Windows 95! Okay, I am sure host file hijacks occur in virus and spyware today, I know they do. This is not cutting edge, however. Nor is it highly relevant in a corporate environment where host file look ups are likely to be disabled.
  • Viruses in Emails: Man, I wish I was joking. This guy excitedly told us how viruses can be contained in emails and that the extension can be faked!
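
On the SQL injection item above: whether the “magic password” does anything depends entirely on how the site builds its query. The following is an added example, not part of the original post or the seminar; the table, user and function names are constructed for illustration, and the string used is the classic form of the one quoted above.

```python
import sqlite3

MAGIC = "' OR '1'='1"  # classic form of the "magic password" quoted in the post

def make_db():
    # Constructed sample data in an in-memory database. The password is stored
    # in plaintext only to keep the example about query construction.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-secret')")
    return db

def login_concatenated(db, name, password):
    # Vulnerable: input is pasted into the SQL text, so a quote in the input
    # ends the string literal and the rest is parsed as SQL.
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone()[0] > 0

def login_parameterized(db, name, password):
    # Hardened: placeholders send the input as data, never as SQL text.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone()[0] > 0

def apostrophe_breaks_query(db, login):
    # A legitimate name containing an apostrophe is a quick symptom check:
    # the concatenated query fails to parse, the parameterized one does not.
    try:
        login(db, "O'Brien", "x")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print("concatenated, magic password: ", login_concatenated(db, "alice", MAGIC))
    print("parameterized, magic password:", login_parameterized(db, "alice", MAGIC))
    print("parameterized, real password: ",
          login_parameterized(db, "alice", "constructed-secret"))
    print("apostrophe breaks concatenated:",
          apostrophe_breaks_query(db, login_concatenated))
```

The same input is accepted by one function and rejected by the other, which is why the claim of getting into “any SQL protected site” does not hold for code that uses bound parameters.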

So what’s the next big thing on the horizon of Mr. Prinya Hom-anek?

Bluetooth Hacking:
This is where you send a request to someone’s Bluetooth phone and, if they’re retarded enough to accept it, you can do stuff with their phone. Yes – that would be the point of Bluetooth. The fact that they have to actually accept the connection is a mere detail in the exciting world of Mr. Prinya Hom-anek. Oh, that and you have to be within 10m of the target, with your laptop. When queried about the logistics of chasing someone inconspicuously down the street with a laptop aimed at them, he quoted (and by quoted I mean stole the credit for) a Slashdot article from last year where someone designed a Bluetooth sniper rifle, with a range of around 1km. Then he suggested you could climb onto a roof and point it at people. I seriously hope he tries this. Especially back home, in Thailand. If there’s one thing police love to see it’s a guy on a roof pointing guns at people; that won’t get you shot at all… Incidentally he demonstrated this with a Linux script which he had modified (and by modified I again mean changed the author’s name to his name).

To complete this story I really must describe how we found out about the 10m range of the laptop. The grave robbing frame-lifter mentioned above yells out “RANGE” (again, just falling short of a complete sentence), during the demonstration (which didn’t work, as the demonstrator had failed to top up his mobile phone charge). The poor presenter simply looked confused and asked for clarification of the sentence, to which this nutbar merely repeated “RANGE?” This went on for about two entire minutes, before someone interpreted back into Human that he meant “what is the effective range of this attack?”

To sum up, the whole thing was pitched at the most basic, home computing, entry-level stuff. To be fair, the calibre of attendees was probably far lower than this, so things worked out fine by and large.

At this point, my friend and I staged a walk out, so I can’t tell you how it finished. I’d go on with the clownery (such as using Notepad to type “pretend web pages” in, because he hadn’t checked that his net connection worked, including “Briteny Sphere Nude”) but there’s really no logical limit to how shit it was.

Well done, IEEE and ACS. I look forward to never attending any of your seminars ever again.