July 27, 2016

Researchers at Black Hat conference demo USB’s fatal flaw

usb-flash-drive(LiveHacking.Com) – Security experts Karsten Nohl and Jakob Lell have demonstrated how any USB device can be reprogrammed and used to infect a computer without the user’s knowledge.

During a presentation at the Black Hat Security conference, and in a subsequent interview with the BBC, the duo have raised the question about the future security of USB devices.

As part of the demo, a normal looking smartphone was connected to a laptop, maybe something a friend or colleague might ask you to do so they can charge the device. But the smartphone was modified to present itself as a network card and not a USB media device. The result was that the malicious software on the phone was able to redirect traffic from legitimate web sites to shadow servers, which fake and the look and feel of the genuine sites, but are actually designed just to steal login credentials.

According to a blog entry posted by the pair, USB’s great versatility is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” wrote the researchers.

The experts, who work for Security Research Labs in Germany, gave a presentation at the Black Hat conference called “BadUSB — On accessories that turn evil.” Every USB device has a micro-controller that isn’t visible to the user. It is responsible for talking with the host device (e.g. a PC) and interfacing with the actual hardware. The firmware for these microcontrollers is different on every USB device and what the micro-controller software does is different on every device. Webcams, keyboards, network interfaces, smartphones and flash drives all perform different tasks and the software is developed accordingly.

However, the team managed to reverse engineer and hack the firmware on different devices in under two months. As a result they can re-program the devices and get them to act as something they are not.

During their Black Hat presentation, a standard USB drive was inserted into a computer. Malicious code implanted on the stick tricked the PC into thinking a keyboard had been plugged in. The fake keyboard then began typing in commands – and forced the computer to download malware from the internet.

Defending against this type of attack includes tactics like code-signing of the micro-controller firmware updates or the disabling of firmware changes in hardware. However these must all be implemented by the USB device makers and isn’t something that end users can enforce.

You can download the slides from the presentation here: https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf

Presentation on how to break Tor removed from Black Hat schedule

Tor project logo(LiveHacking.Com) – A highly anticipated briefing about a low-cost technique for de-anonymising Tor users has been removed from the Black Hat 2014 talk schedule for as-yet unknown reasons. The talk, which would have presented a method on how to identify Tor users, was cancelled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers.

The spokesperson for the conference, which is running in Las Vegas on August 6-7, said that a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the material he would reveal has not been approved for public release by the university or by the Software Engineering Institute (SEI).

The Onion Router (TOR) Project network was originally developed with the US Naval Research Laboratory as part of an investigation into privacy and cryptography on the Internet. Tor re-directs Internet traffic through a set of encrypted relays to conceal a user’s location or usage from anyone monitoring their network traffic. Using Tor makes it more difficult for online activity to be traced including “visits to Web sites, online posts, instant messages, and other communication forms.”

According to Roger Dingledine, one of the original Tor developers, the project did not “ask Black Hat or CERT to cancel the talk. We did (and still
do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.” He went on to say that the project encourages research on the Tor network along with responsible disclosure of all new and interesting attacks. “Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with,” he added.

Security researcher Alexander Volynkin was scheduled to give the talk titled ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ at the Black Hat conference. It would have outlined ways that individuals can try to find the original source of Tor traffic without the need for large amounts of computing power.

Black Hat: DARPA Launch Cyber Fast Track Program

(LiveHacking.Com) – Peiter Zatko, a hacker known as Mudge who now works at the Defense Advanced Research Projects Agency (DARPA) has told security experts at the Black Hat conference in Las Vegas of DARPA’s new “Cyber Fast Track” program which enables the Pentagon to quickly fund hackers to tackle its tough cybersecurity challenges.

This latest project, aimed at getting cybersecurity expertise into government, cuts red tape and allows hackers to apply for funding for projects that would help the Defense Department secure computer networks.

Zatko said he decided it was time to start funding hackers and boutique security firms, “and making it actually easy enough for them to compete for government research money with the large, traditional government contractors.”

Addressing a key issue for hackers doing government projects, they will be allowed to keep the commercial intellectual property rights while giving the Defense Department use of the project.

Black Hat: The Pwnies 2011 Security Award Winners

(LiveHacking.Com) – The winners of this year’s Pwnie Awards have been given out during the BlackHat USA security conference in Las Vegas. The annual awards ceremony celebrates the achievements and failures of security researchers and the security community.

The award for the Best Server-Side Bug went to Juliano Rizzo, Thai Duong – Juliano and Thai showed that the ASP.NET framework is vulnerable to a padding oracle attack that can be used to remotely compromise almost any ASP.NET web application, often leading to remote code execution on the server.

The Pwnie for Best Client-Side Bug was awarded to Comex – Comex exploited a vulnerability in the interpreter for Type 1 font programs in the FreeType library used by MobileSafari. This exploit is a great example of programming a weird machine to exploit a modern system. Comex used his control over the interpreter to construct a highly sophisticated ROP payload at runtime and bypass the ASLR protection in iOS. Furthermore, the ROP payload exploited a kernel vulnerability to execute code in the kernel and disable code-signing. The exploit was hosted on jailbreakme.com and was successfully used by thousands of people to jailbreak their iOS devices.

The Best Privilege Escalation Bug went to Tarjei Mandt – In the span of a few months, Tarjei found more than 40 vulnerabilities in the Windows kernel. In his presentation at Infiltrate 2011, he described the details of these vulnerabilities and his kernel exploitation techniques.

The Most Innovative Research Pwnie went to Piotr Bania – To implement some of the ideas from pax-future.txt is one thing, to implement them through static analysis on Windows, rewriting drivers automagically, and have it all work preserving binary compatibility across a wide range of Windows versions: that’s deserving of respect.

And finally the Lamest Vendor Response was awarded to RSA –  They got hacked, their SecurID tokens were totally compromised, and they basically passed it off as a non-event and advised customers that replacing the tokens is not necessary … until Lockheed-Martin got attacked because of them.

Windows XP is Petri Dish For Rootkit Infections

(LiveHacking.Com) – A six month study, by the AVAST Virus Lab, has found that 74% of rootkit infections originated from Windows XP machines, compared to 17% for Vista and only 12% from Windows 7 machines.

Window XP is the most common PC operating system with around 49% of avast! antivirus users running it compared to the 38% with Windows 7 and the 13% with Vista.

And the problem seems to be that there are a large number of pirate copies of XP which don’t run automatic updates as they can’t be validated by the Windows Genuine Advantage validation process. This leaves the out-of-date and upatched OS open to all kinds of attack, even old ones long patch by Microsoft.

“Because of the way they attack – and stay concealed – deep in the operation system, rootkits are a perfect weapon for stealing private data” said Przemyslaw Gmerek, the AVAST expert on rootkits and lead researcher.

Cybercriminals are continuing to fine-tune their attack strategy with the Master Boot Record (MBR) remaining their favorite target for even the newest TDL4 rootkit variants.
The study found that rootkits infecting via the MBR were responsible for over 62% all rootkit infections. Driver infections made up only 27% of the total. The clear leader in rootkit infection were the Alureon(TDL4/TDL3) family, responsible for 74% of infections.

Experts from AVAST Software will be attending the upcoming Blackhat events in Las Vegas on August 3-7, 2011.

Free Access to Black Hat USA 2010 Media Archive

Black Hat USA 2010 was one of the best hacking events in 2010. There were many interesting hacking projects and vulnerability exploits such as ATM machine hacking.

Black Hat USA 2010 media archive is available for free to public. In this archive you can find whitepapers, presentations and source materials.

Visit Black Hat USA 2010 Media Archive for full access.