5 serious security issues to watch out for at the 2013 Black Hat Conference

By on Nov 2, 2013 in Blog

For those of you who don’t know – the BlackHat Conference is an annual event that brings together the best and brightest thought leaders from all facets of the information security world. From July 27 to August 1st – we will hear speakers from the corporate and government sectors, as well as various academic and even “underground” researchers.

In short – this is where elite information security practitioners go to talk shop, unveil amazing new hacks, and discuss what is really going on in the “seedy underbelly” of the information security world.

Though this is a conference aimed at security specialists (and largely theoretical at times) – this year there are some topics being discussed that we feel that more people should know about. Accordingly we’ve put together this list of five briefings which can have an actual real-world impact on our daily lives.

 

1. SIM cards finally cracked with millions of phones potentially vulnerable

The story emerged a little while ago on Forbes that German cryptographer Karsten Nohl has found a way to hack into your phone’s SIM card, something once considered completely safe and unhackable.

This claim is based on a two-part flaw utilizing older SIM security standards and badly configured code – which could allow hackers to remotely infect a SIM card using nothing more than a simple text message. So far this flaw seems to only affect older phones (or at least older SIM technologies) – but since the news is now out that there is a way to do it, this could potentially have far-reaching consequences for all mobile users.

Nohl will present his findings at the Black Hat conference on the 31st – and mobile operators as well as security professionals are likely paying close attention to this development.

 

2. Android – one root to rule them all

You may recall in early July when BlueBox broke the story of the Android Master Key vulnerability (otherwise known as security bug 8219321). What they discovered was a vulnerability in how Android applications are cryptographically verified and installed.

This allows the APK code to be modified without breaking the cryptographic signature – basically turning the infected app into malware which can give someone root access to your phone. This means that if someone were to break into your phone this way – they would have access to all your data (e.g. documents, passwords, SMSs etc.) and be able to control your phone entirely (e.g. make calls, send texts, delete data etc.).

As you can imagine this event has created quite a stir in the Android community, and the first known malicious “master key” apps have already been discovered in China. Soon however, we will get all the nitty-gritty details about how this vulnerability works – including how to fix this particular security flaw for good.

Note that Google has already modified the Play Store to prevent infected apps from appearing in the store. This issue mostly affects “alternative” Android app marketplaces.

 

3. Java every-days – or how to exploit software running on over 3 billion devices

Over the last three years – Java has become the most frequently exploited technology by cyber-attackers. The reasons of course are quite obvious when you consider the rich attack surface, multi-platform install base, and plethora of potential victims to maximize return-on-investment.

Since we no longer live in the days where “write once, run anywhere” is considered a good thing – there has been a massive increase in efforts to discover, analyze, and patch weaknesses and vulnerabilities in the Java Runtime Environment. This year’s talk for example will focus on:

  • Vulnerability trends in Java over the last three years – while intersecting public vulnerability data with Java vulnerabilities submitted to the Zero Day Initiative (ZDI) program.
  • Reviewing Java’s architecture and patch statistics to identify a set of vulnerable Java components. This includes highlighting the top five vulnerability types and emphasizing their recent historical significance.
  • An in-depth look at specific weaknesses in several Java sub-components, including vulnerability details and examples of how the vulnerabilities manifest and what vulnerability researchers should look for when auditing the component.
  • How attackers typically leverage weaknesses in Java – with a focus on the specific vulnerability types that attackers and exploit kit authors are using.
  • Details on the vulnerabilities used in this year’s Pwn2Own competition.
  • Reviewing steps Oracle has taken to address recent issues.

 

4. Are you sure you’re having a real conversation on Twitter?

You may or may not be aware of the growing usage of Twitter and other social bots that mimic real conversations – in fact you may already be following a few of them. Today social bots have become very intelligent and sophisticated programs, moving beyond simple reposts and attempting to engage with users to promote some product or agenda.

The question being posed at this year’s BlackHat conference is – “Are some Twitter users more naturally predisposed to interacting with social bots, and can social bot creators exploit this knowledge to increase the odds of getting a response?”

This talk will provide a summary of research and developments in the social bots arms race, and share the results of experiments examining user susceptibility. Previous research has focused mostly on how to identify bots for spam detection purposes, so it will be interesting to see the security implications of this research – for example in social engineering attacks.

5. How to become part of a botnet in one easy step

Online advertising is the bane of many internet experiences, and now it turns out that advertising networks can also be a web hacker’s best friend. Actually this should not be so surprising when you think about it – for example, for a few pennies per thousand impressions, any ad network will let you mass distribute your own custom JavaScript code.

Therein lies the issue – you are supposed to use this feature to display ads, track users, and get clicks. It has however been discovered that there is very little to prevent you from spending a little cash to create a massive JavaScript-driven browser botnet almost instantly!

This presentation by Jeremiah Grossman and Matt Johansen will demonstrate just how easy it is to hijack browsers to make them perform DDoS attacks, send spam emails, crack hashes, help brute-force passwords, or any other particular malicious function. All it takes according to Grossman and Johansen is a few lines of HTML5 and JavaScript – and this technique finally solves the main issue with creating effective botnets (which is getting them to scale quickly).

This is a big security issue because this attack uses no malware or zero-days, leaves no trace once you close the malicious ad, and there is no possible patch for this issue because this is exactly how the internet is supposed to work!

Suffice it to say – this particular demonstration should prove very interesting.
