
Highlights from Black Hat and Defcon

Unfortunately, we couldn’t be at Black Hat and Defcon in Las Vegas this week, but here’s our round-up of highlights from the two security events from around the web. Of course, if you look through the schedules for both events, there were dozens more paranoia-inducing talks than the ones listed below – these are merely the ones that got the most press coverage.

Black Hat’s Live Video Stream Hacked

Michael Coates, a web security expert at Mozilla, discovered he could access the live stream of the conference, for which Black Hat was charging $395, for free. Coates notified the third-party company providing the video stream and it was fixed within hours. Coates notes the irony and uses it as a teaching point: even the most security-aware organizations will still have faults, and enterprises must vet third-party providers.

Spoofing Cell Phone Base Stations

Do employees in your enterprise use cell phones to discuss sensitive matters? Worrying about hackers intercepting your cell phone calls may seem passé, but a demonstration at Defcon by Chris Paget may make you think otherwise: Paget has devised a fake cell phone tower that can intercept even encrypted outgoing calls.

Google Fraught with Malware Risks

At Black Hat, security vendor Barracuda Networks released its Mid-Year Security Report showing that Google links to twice as much malware as Bing, Yahoo! and Twitter combined.

Symantec announced similar findings this week, and released a free tool called Norton Safe Web Lite designed for detecting malicious search results. (See also: Symantec’s mid-year prediction check-in.)

Barracuda and Symantec’s findings are consistent with NSS Labs’ study comparing the malware detection rates of Internet Explorer, which uses Microsoft’s database of malicious web sites, with Chrome and Firefox, which use Google’s database.

At DefCon, Robert Hansen, CEO of secTheory, examined a number of ways iGoogle and Gmail can be compromised using third-party add-ons.

More Bad News for Google: Android Insecurities

Google got some more bad news this week, in the form of increased scrutiny of known security issues in its Android mobile operating system.

At DefCon, a pair of security experts released a rootkit, something they had promised previously (and others had said was possible earlier). The good news: based on discussions on Slashdot, it appears the phone’s user would have to have already rooted the phone for it to be vulnerable.

And, as we reported, the security firm Lookout revealed at Black Hat that it had found a series of wallpaper apps in the Android Marketplace that were transmitting users’ phone numbers, SIM card info and, potentially, voice mail passwords to the developer. The developer denied malicious intent, but the incident raises questions about Android’s security disclosures.

It’s OK Google, the Rest of the Internet is Broken Too

Google wasn’t the only company in hackers’ cross-hairs this week.

At Black Hat, Robert Hansen and Josh Sokol presented on how traffic in non-encrypted browser tabs can be used to learn about SSL-encrypted traffic open in other tabs.

Hackers would already need access to a user’s network to accomplish anything with these SSL vulnerabilities. But it just so happens that other researchers at Black Hat found a DNS-rebinding technique that would allow black hats to take over wireless routers if they could trick users into visiting malicious web sites (of course, they could also use WPA Cracker, but that’s another story).

At Defcon, Russ McRee of HolisticInfoSec.org and Mike Bailey of Skeptikal.org revealed they could pull off a similar trick on certain Linksys and Netgear routers using cross-site request forgery.

They also discovered they could use the same trick to gain access to cPanel, a popular web hosting management tool.

Speaking of web site vulnerabilities, at Black Hat Dasient released its report on the three biggest enterprise website malware vulnerabilities.

At both conferences, Chris Gates and Mario Ceballos gave away tools for breaking into Oracle databases.

The FBI was reportedly a bit rattled by DefCon’s social engineering contest (in the end, every contestant was able to get someone at the targeted companies to hand over sensitive information).

There was at least some good news. Representatives from Mozilla detailed plans to make the browser more secure, and it turns out Twitter is more secure than it appears.

National Insecurity

Those of us living in the US may have bigger problems than hackers stealing our credit card numbers and passwords from our wireless networks, though: according to the United States Computer Emergency Readiness Team, critical infrastructure is vulnerable to cyberattack. (We’ve covered issues surrounding national cybersecurity before.) At DefCon, security expert Charlie Miller described how North Korea could launch an effective botnet attack on the US.

According to another presentation at Black Hat, malware tools are sold openly in China, giving hackers easy access to problematic software.

Given the concerns about cybersecurity in the US, it’s no surprise the federal government was actively recruiting at Defcon – but we think the anti-authoritarian nature of many Defcon attendees might make that a tough sell.

The most explosive revelation at the event might not have been a security vulnerability at all: Chet Uber, director of the secretive private cyber-intelligence organization Project Vigilant, claimed to have personally convinced Adrian Lamo (himself an “Adversary Characterization” analyst for Project Vigilant) to inform the federal government of Bradley Manning’s claims regarding the Wikileaks video.

Jacob Appelbaum, a programmer working closely with the TOR project and WikiLeaks, was detained at the US border while returning to the US from the Netherlands. And while at DefCon, he was reportedly approached by FBI agents.

Bank Hacking

Although perhaps of less immediate concern to enterprise IT managers, a presentation at Black Hat on ATM vulnerabilities probably got the most media coverage. SecureWorks also reported on a massive check fraud operation.

Conclusion

You can’t trust your phone, your search engine points you at malware, the Internet is broken, your country is in danger and so is your bank – and not even the conference designed to tell you about it can keep from getting hacked. One might be tempted to believe that things were better back before we had all this digital technology. Then again, there was a time when bandits, pirates and marauders posed serious physical threats to the well-being of both individuals and institutions. Perhaps it’s a more civilized world in which banditry is more likely to take place over the Web than on the way to the market.

Very real, very physical wars still rage around the world (as the release of the Afghanistan war logs this week reminds us), but at least the violent crime rate in the United States has been declining. It can’t be attributed to technology, but we should be thankful that while we’re engaged in the thankless job of security patch management, at least we’re not handing our companies’ fortunes over at saber-point.

About ReadWrite’s Editorial Process

The ReadWrite Editorial policy involves closely monitoring the tech industry for major developments, new product launches, AI breakthroughs, video game releases and other newsworthy events. Editors assign relevant stories to staff writers or freelance contributors with expertise in each particular topic area. Before publication, articles go through a rigorous round of editing for accuracy, clarity, and to ensure adherence to ReadWrite's style guidelines.
