Security Market Segment LS
Saturday, 08 August 2015 12:49

Black Hat Conference 2015 – “Today is a good day to hack”

By

The Black Hat Conference 2015 is over and Jeep owners are rushing to get their cars patched; nuclear power stations are cutting the internet cord; wearables can be hacked; Android is well – permeable; IoT devices are the next big attack vector; cybercrime and Nation state malware are the norm.

I wish I had attended the conference because it has generated at least a dozen incredible headlines that should worry us all – and that is on a good day.

Black Hat is really a misnomer – it is all about some 9000 white hat hackers coming together to reveal the vulnerabilities discovered since the last conference and to win admiration from their peers. It has six days of intensive demonstrations, briefings, and hero moments

Here is a brief overview of some of the issues. Hope you sleep well!

Perhaps the most telling statement was that the dream of Internet freedom is dying according to Jennifer Granick, Director of Civil Liberties at the Stanford Centre for Internet and Society. Jennifer intimated that freedom would have to be traded off for security, “It will be a slick, stiff, controlled, closed thing and when that happens we need to be ready to smash it apart and make something better.”

Nation-state hacking, usually via malware, is not going to stop as nations become more concerned about their sovereign security and spy on other nations and corporations (and vice versa) using malware as the vector. It cannot be stopped, it is well funded, it is leading edge and it is done in absolute secrecy yet amazingly similar techniques are also being used by organised crime. “Destover malware that attacked Sony Entertainment was allegedly developed by North Korea, however it is only a few generations removed from the Wiper malware created and used by the NSA in 2012,” said Joshua Pitts, director of security research at NopSec.

Internet of Things (IoT) was again singled out for the tsunami of hack attack vectors it created. I won’t bore you with how but simply say that every IoT device is a small computer designed to communicate with a larger computer, usually in the cloud. Without protection and standards these could be hacked to open front doors, to use cameras in TVs to spy, to interrogate the fridge to indicate long periods of closed doors (holidays) or to take over and control building infrastructure and plunge a lift 60 stories to the ground. But in this case a Wi-Fi connected printer was used to steal data from a protected network – a hack called Funtenna turns a Wi-Fi connected printer, washing machine, air conditioner etc., into a radio transmitter.

Imperva, showed how ‘man-in-the-cloud’ attacks – a common flaw in many cloud based storage systems, could access your data without passwords. File synchronization services, such as Google Drive, Drop Box and others are becoming widespread for private and business use. The attack works by grabbing the password token (a file that sits on a user's devices) obtained by a phishing attack or a drive-by web page exploit, and fooling a new machine into thinking the attacker is the account's owner. There is no simple fix as tokens are needed to make cloud access simple.

Jeep hacking is fun and we are not talking about dissatisfied owners chopping up their Jeeps. If you own a Wi-Fi or mobile broadband connected Jeep hacking everything from its radio volume to speed is easy. To be fair it is not just Jeep - the automotive industry needs to take care as internet pervades the car. “Telematics systems or Bluetooth connected devices allow for a way inside the car from the outside; exposing it to the entire world. Once in, a hacker can take his time navigating these systems because they typically lack real-time defences and countermeasures. It might take several months for them to learn the coding and eventually seep into the electronic breaking system which is often a Wi-Fi connection itself from the brake pedal to the computer to the engine. They might also target a host of other systems, such as: acceleration, engine shut-down by triggering or inserting false fault. The computer thinks the engine is overheating when it is not, for example.”

The speed at which hackers are exploiting so called zero day attacks is reducing. “This zero-day campaign is notable for the speed demonstrated by exploit kit makers in integrating the exploit into their platforms,” said Malwarebytes researcher Jean Taggart. “This was further facilitated by the helpful readme files provided by Hacking Team, which clearly explained how to deploy the vulnerability.” Software companies – like Adobe and its Flash vulnerabilities – need to react and patch within hours, not weeks or months.”

Android got a rough time from all – StageFright and Certifi-gate were popular topics. To Google’s credit it is pushing out the largest ‘software update ever’ but it can only do that directly to Nexus devices as the remainder comes via telco carriers and manufacturers. The problem simply is that the user, at some point, lets malware install on their device – be it from rooted devices, corrupt app stores, or just lack of knowledge. Google is beefing up the ‘Verify apps’ and ‘Safety net’ features. Google admits that at least .5% of Android devices are compromised. Just as you thought it was safe Black Hatters identified a way called FireEye to obtain fingerprints from devices that use this authentication.

Microsoft is confident that its Windows 10 is the most secure operating system ever but has raised the bar with its improved Bug Bounty scheme. The problem for Windows (say up to Vista) is that it kept building on code from as far back as Windows 95 and the operating environment changed to include the Internet. Rewards for the Bounty for Defence, a reward for defensive ideas that accompany a qualifying Mitigation Bypass submission, have been raised from $50,000 to $100,000. It has also extended a program to its Azure cloud and Active Directory services. As W10 now has complete control over the OS via over the air updates and has few if any of those previous Windows legacy vulnerabilities having been largely developed over the past 18 months – it believes it is the most current OS capable of dealing with modern threats.

Apple got a serve – its devices are not ‘impervious’. Hackers showed how to create effective malware to bypass Apple's native malware mitigations and third-party security tools - Macs are actually vulnerable to software-only firmware attacks (long thought to be possible only on PCs). Other sessions dug into neglected attack surfaces on iOS 8 mobile devices. Its Apple pay was singled out as a concern. By using an off-the-shelf phone and software, hackers can clone common NFC payment cards to charge fraudulent transactions.

SIM cards came in for special mention. NSA and GCHQ have access to millions of keys for encrypted SIM cards. Security researcher Yu Yu demonstrated how 3G/4G SIM cards could be cloned by using differential power analysis to crack encryption keys in less than an hour. Then hackers can clone the SIM card.


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Ray Shaw

joomla stats

Ray Shaw ray@im.com.au  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments