I wish I had attended the conference because it has generated at least a dozen incredible headlines that should worry us all – and that is on a good day.
Black Hat is really a misnomer – it is all about some 9000 white hat hackers coming together to reveal the vulnerabilities discovered since the last conference and to win admiration from their peers. It has six days of intensive demonstrations, briefings, and hero moments.
Here is a brief overview of some of the issues. Hope you sleep well!
Perhaps the most telling statement was that the dream of Internet freedom is dying according to Jennifer Granick, Director of Civil Liberties at the Stanford Centre for Internet and Society. Jennifer intimated that freedom would have to be traded off for security, “It will be a slick, stiff, controlled, closed thing and when that happens we need to be ready to smash it apart and make something better.”
Nation-state hacking, usually via malware, is not going to stop as nations become more concerned about their sovereign security and spy on other nations and corporations (and vice versa), using malware as the vector. It cannot be stopped: it is well funded, it is leading edge and it is done in absolute secrecy, yet remarkably similar techniques are also being used by organised crime. “Destover malware that attacked Sony Entertainment was allegedly developed by North Korea, however it is only a few generations removed from the Wiper malware created and used by the NSA in 2012,” said Joshua Pitts, director of security research at NopSec.
The Internet of Things (IoT) was again singled out for the tsunami of attack vectors it has created. I won’t bore you with how, but simply say that every IoT device is a small computer designed to communicate with a larger computer, usually in the cloud. Without protection and standards these could be hacked to open front doors, to use the cameras in TVs to spy, to interrogate the fridge for long periods of closed doors (holidays), or to take over building infrastructure and plunge a lift 60 storeys to the ground. In one demonstration a Wi-Fi connected printer was used to steal data from a protected network – a technique called Funtenna turns a Wi-Fi connected printer, washing machine, air conditioner etc. into a radio transmitter.
Imperva showed how ‘man-in-the-cloud’ attacks – exploiting a common flaw in many cloud-based storage systems – can access your data without passwords. File synchronisation services such as Google Drive, Dropbox and others are becoming widespread for private and business use. The attack works by grabbing the password token (a file that sits on the user's devices), obtained through a phishing attack or a drive-by web page exploit, and presenting it from a new machine so the service treats the attacker as the account's owner. There is no simple fix, as tokens are what make cloud access simple.
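To make the token-reuse mechanism concrete, here is a constructed Python model (added here; it is not Imperva's research code and does not reproduce any real sync service's protocol) showing why a copied token file is honoured from a new machine, and how binding the token to a device identifier, one assumed mitigation among several, rejects a token that has merely been copied. The server key, account and device names are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret for this toy model only.
SERVER_KEY = b"constructed-demo-secret-do-not-reuse"


def issue_token(account: str, device_id: Optional[str] = None) -> str:
    """Issue a long-lived sync token that the client stores on disk.

    device_id=None models the unbound token the article describes: whoever
    holds the file is treated as the owner. A device_id binds the token to
    one machine (an assumed mitigation, not any vendor's design).
    """
    nonce = secrets.token_hex(8)
    payload = f"{account}|{device_id or '*'}|{nonce}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_token(token: str, presenting_device: str) -> Optional[str]:
    """Return the account if the token is valid from this device, else None."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    account, bound_device, nonce, mac = parts
    payload = f"{account}|{bound_device}|{nonce}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered token
    # An unbound token ('*') is honoured from any machine, so a copied
    # token file silently grants the copier the owner's access.
    if bound_device != "*" and bound_device != presenting_device:
        return None  # presented from a machine it was not issued to
    return account


def demo() -> dict:
    """Owner's laptop versus a second, unknown machine holding a copy."""
    unbound = issue_token("alice")
    bound = issue_token("alice", device_id="alice-laptop")
    return {
        "unbound_from_owner": verify_token(unbound, "alice-laptop"),
        "unbound_from_other": verify_token(unbound, "unknown-box"),
        "bound_from_owner": verify_token(bound, "alice-laptop"),
        "bound_from_other": verify_token(bound, "unknown-box"),
        "tampered": verify_token(bound.replace("alice|", "bob|", 1), "alice-laptop"),
    }
```

Device binding is only one layer: if the device identifier is copied along with the token it no longer helps, which is why the article's point that there is no simple fix stands, and why sync services also need to log and alert on token use from a new machine.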
Jeep hacking is fun, and we are not talking about dissatisfied owners chopping up their Jeeps. If you own a Wi-Fi or mobile broadband connected Jeep, hacking everything from its radio volume to its speed is easy. To be fair it is not just Jeep – the automotive industry needs to take care as the internet pervades the car. “Telematics systems or Bluetooth connected devices allow for a way inside the car from the outside; exposing it to the entire world. Once in, a hacker can take his time navigating these systems because they typically lack real-time defences and countermeasures. It might take several months for them to learn the coding and eventually seep into the electronic braking system which is often a Wi-Fi connection itself from the brake pedal to the computer to the engine. They might also target a host of other systems, such as: acceleration, engine shut-down by triggering or inserting a false fault. The computer thinks the engine is overheating when it is not, for example.”
The time it takes hackers to exploit so-called zero-day vulnerabilities is shrinking. “This zero-day campaign is notable for the speed demonstrated by exploit kit makers in integrating the exploit into their platforms,” said Malwarebytes researcher Jean Taggart. “This was further facilitated by the helpful readme files provided by Hacking Team, which clearly explained how to deploy the vulnerability.” Software companies – like Adobe and its Flash vulnerabilities – need to react and patch within hours, not weeks or months.
Android got a rough time from all – StageFright and Certifi-gate were popular topics. To Google’s credit it is pushing out the largest ‘software update ever’, but it can only do that directly to Nexus devices; the remainder comes via telco carriers and manufacturers. The problem is simply that the user, at some point, lets malware install on their device – be it via rooted devices, corrupt app stores, or just lack of knowledge. Google is beefing up its ‘Verify apps’ and ‘Safety net’ features. Google admits that at least 0.5% of Android devices are compromised. Just as you thought it was safe, Black Hatters identified a way called FireEye to obtain fingerprints from devices that use this authentication.
Microsoft is confident that Windows 10 is the most secure operating system ever, but has still raised the bar with its improved Bug Bounty scheme. The problem for Windows (up to Vista, say) is that it kept building on code dating back to Windows 95 while the operating environment changed to include the Internet. Rewards for the Bounty for Defence, a reward for defensive ideas that accompany a qualifying Mitigation Bypass submission, have been raised from $50,000 to $100,000. It has also extended a program to its Azure cloud and Active Directory services. As Windows 10 now has complete control over the OS via over-the-air updates, and has few if any of the previous Windows legacy vulnerabilities, having been largely developed over the past 18 months, Microsoft believes it is the most current OS capable of dealing with modern threats.
Apple got a serve – its devices are not ‘impervious’. Hackers showed how to create effective malware that bypasses Apple's native malware mitigations and third-party security tools; Macs are actually vulnerable to software-only firmware attacks (long thought to be possible only on PCs). Other sessions dug into neglected attack surfaces on iOS 8 mobile devices. Apple Pay was singled out as a concern: using an off-the-shelf phone and software, hackers can clone common NFC payment cards to charge fraudulent transactions.
SIM cards came in for special mention. The NSA and GCHQ have access to millions of keys for encrypted SIM cards. Security researcher Yu Yu demonstrated how 3G/4G SIM cards could be cloned by using differential power analysis to recover their encryption keys in less than an hour; with the keys in hand, hackers can clone the SIM card.