Newfound Evil Twin attacks against WLANs and the compromise of computers through software coding errors called ‘dangling pointers’ are just a few of the exploits to be divulged at the upcoming Black Hat/Defcon hackerfest
Exploits that can lure wireless LAN users onto phony access points, plus discussions of how to break into computers by manipulating coding errors, will be hot topics. At one session, AirTight Networks will demonstrate how phony WLAN access points can be set up to trick a WLAN user into using them -- an attack AirTight says neither its intrusion-prevention system (IPS) nor anyone else’s can stop.
“We call it ‘multipot,’ and we accidentally stumbled upon this observation in our own testing,” says Pravin Bhagwat, CTO at AirTight, about its planned demo at Defcon.
The ‘multipot’ attack, according to Bhagwat, is a variation on the Evil Twin ploy, in which a single rogue WLAN access point is given a spoofed Service Set Identifier (SSID) copied from a legitimate wireless access point, which the attacker learns through WLAN sniffing.
“With Evil Twin, the attacker sits in the path of the network, monitoring the user with the purpose of stealing log-in credentials and observing other traffic,” says Bhagwat. Today’s IPS can thwart this by keeping track of authorized access points and breaking any connection to an unauthorized one, he says.
But to his dismay, Bhagwat says AirTight has found that if the attacker sets up two or more Evil Twin access points under his control to lure in a single WLAN user, the IPS is ineffective at repelling the attack.
“You kill one connection but the new one is enabled,” says Bhagwat. “Why can’t you knock both off at the same time? Because you need a sensor to transmit and it can only transmit one at a time. It’s a cat-and-mouse game.”
Bhagwat says AirTight will be doing the Multipot demonstration at Defcon because “there’s a need in this industry to become aware of this so new technologies can be developed.” AirTight says it’s experimenting with a new defense but doesn’t expect to be able to publicly reveal it until later in October.
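The authorized-AP check the article attributes to today’s IPS, as an added C example that is not AirTight’s code: beacons are matched against an authorized list (the `authorized` inventory and the `scan` data are constructed assumptions), and the count of distinct unauthorized BSSIDs on one SSID separates a single Evil Twin from the multipot condition, which is the case an operator needs an explicit alert for because one-at-a-time containment cannot clear it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not AirTight's code: the authorized-AP check an IPS
 * performs, extended to count how many unauthorized BSSIDs advertise one of
 * our SSIDs at the same time. One is an Evil Twin; two or more is the
 * "multipot" condition that one-at-a-time containment cannot keep up with. */
struct beacon { const char *ssid; const char *bssid; };
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static const struct beacon authorized[] = {   /* constructed inventory */
    { "CorpNet", "00:11:22:33:44:01" },
    { "CorpNet", "00:11:22:33:44:02" },
};

static int is_authorized(const struct beacon *b) {
    for (size_t i = 0; i < COUNT(authorized); i++)
        if (strcmp(authorized[i].ssid, b->ssid) == 0 &&
            strcmp(authorized[i].bssid, b->bssid) == 0)
            return 1;
    return 0;
}

/* Distinct unauthorized BSSIDs advertising `ssid` in one scan:
 * 0 = clean, 1 = single Evil Twin, >= 2 = multipot. */
static int rogue_count(const struct beacon *scan, size_t n, const char *ssid) {
    const char *seen[16]; int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(scan[i].ssid, ssid) != 0 || is_authorized(&scan[i])) continue;
        int dup = 0;
        for (int j = 0; j < count; j++)
            if (strcmp(seen[j], scan[i].bssid) == 0) dup = 1;
        if (!dup && count < 16) seen[count++] = scan[i].bssid;
    }
    return count;
}

/* Constructed scan: both real APs, a guest net, two twins, one repeated beacon. */
static const struct beacon scan[] = {
    { "CorpNet", "00:11:22:33:44:01" }, { "CorpNet", "00:11:22:33:44:02" },
    { "Guest",   "00:11:22:33:44:03" }, { "CorpNet", "de:ad:be:ef:00:01" },
    { "CorpNet", "de:ad:be:ef:00:02" }, { "CorpNet", "de:ad:be:ef:00:02" },
};

static int scan_rogue_count(void) { return rogue_count(scan, COUNT(scan), "CorpNet"); }

int main(void) {
    int r = scan_rogue_count();
    printf("%s\n", r >= 2 ? "ALERT: multipot" : r == 1 ? "evil twin" : "clean");
    return 0;
}
```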
A session at Black Hat that could provoke discussion will show how it’s possible to remotely compromise servers by exploiting a class of software coding error called dangling pointers that developers might leave in C or C++ applications.
Danny Allen, director of security research at Watchfire, which will be demonstrating the attack, describes a dangling pointer as a software error in which a pointer that’s supposed to indicate a specific address in memory holding a particular software object actually points to an address whose memory no longer holds that object.
“Dangling pointers were never deemed to be a security risk, but we’ll show a way to automate remote command execution to alter the pointer to look at the place where we have the ability to write code,” says Allen. “You can automate where you want malicious code to be. We’re not trying to find your dangling pointers for you, but we’ll show how they can be exploited to take root control of the machine.”
Microsoft earlier this month released a patch for Microsoft Internet Information Server after Watchfire showed Microsoft how a dangling-pointer code flaw it had left unfixed for two years could be manipulated, says Allen.
“Microsoft never fixed this before because it wasn’t considered a security issue,” says Allen. But in the Black Hat demonstration, Watchfire will present a tool -- which it won’t generally release -- that shows how to redirect dangling pointers and upload a malicious-code payload to a target, in this case an unpatched version of Microsoft IIS. Understanding of the security risk of dangling pointers is “in its infancy,” says Allen, but it should be on the radar screen.
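An added C example, not Watchfire’s tooling, of the coding error the session concerns: a connection table that keeps a stale pointer after the object behind it is freed, beside the corrected version that invalidates the reference when the object dies. The `conn` structure, table and peer addresses are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed example (not Watchfire's tooling): a server keeps connection
 * objects in a table. Freeing an object while the table still holds its old
 * address is the "dangling pointer" described above: the pointer looks valid
 * but the memory it names no longer holds the object. */
struct conn { int id; char peer[32]; };
#define MAX_CONNS 4
static struct conn *table[MAX_CONNS];
static struct conn *open_conn(int slot, int id, const char *peer) {
    struct conn *c = calloc(1, sizeof *c);
    if (!c || slot < 0 || slot >= MAX_CONNS) { free(c); return NULL; }
    c->id = id;
    snprintf(c->peer, sizeof c->peer, "%s", peer);
    table[slot] = c;
    return c;
}

/* Defective pattern: the memory is released but table[slot] keeps the stale
 * address, so any later table[slot]->peer is a use-after-free. */
static void close_conn_unsafe(int slot) {
    free(table[slot]);
}

/* Hardened pattern: invalidate every stored reference at the moment the
 * object dies, so later lookups fail closed instead of touching freed memory. */
static void close_conn_safe(int slot) {
    free(table[slot]);
    table[slot] = NULL;
}

/* Only dereferences live entries; returns NULL for an empty or closed slot. */
static const char *conn_peer(int slot) {
    if (slot < 0 || slot >= MAX_CONNS || table[slot] == NULL) return NULL;
    return table[slot]->peer;
}

/* 1 if slot 0 still reads as live after a safe close; the correct answer is 0. */
static int live_after_safe_close(void) {
    open_conn(0, 1, "192.0.2.10");          /* constructed peer address */
    close_conn_safe(0);
    return conn_peer(0) != NULL;
}

int main(void) {
    printf("live after safe close: %d\n", live_after_safe_close()); /* 0 */
    return 0;
}
```

If `conn_peer` is called after `close_conn_unsafe`, a build with AddressSanitizer (`-fsanitize=address`) reports the use-after-free at that dereference, which is how such defects are caught in testing.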
Other sessions scheduled for Black Hat and Defcon next week include:
* Several presentations on the topic of fuzzing, the testing technique of using specialized tools to run scripts that throw garbled data at an application and observe how it handles it, in order to discover unwanted code-execution risks. At one such session, researchers from TippingPoint are expected to discuss Sulley, an open source fuzzing tool being released at Black Hat.
* Security in VoIP will get a critical review from Barrie Dempster, senior security consultant at NGS Software, and, in a separate session, from Himanshu Dwivedi, founding partner at iSec Partners, who will detail exploits against the VoIP protocols IAX and H.323. NGS Software director of research John Heasman will also present on the security implications of the Extensible Firmware Interface, Apple’s preboot environment for Intel-based Macintoshes.
* Sipera Systems product manager Sachin Jogelar is expected to discuss vulnerabilities associated with dual-mode VoIP phones that can automatically switch between Wi-Fi and cellular networks.
* Researcher Roger Dingledine will discuss how the Tor anonymity network he helped develop will be extended to make it harder to block users accessing it.
* In a session entitled “Hacking Capitalism,” Matasano Security researchers will detail the specialized protocols used by the financial industry to execute billions of dollars in trades, and discuss the flaws inherent in them. In a separate session, Matasano Security promises to reveal vulnerabilities in data-leakage prevention products.
* Researchers from Germany-based ERNW GmbH are scheduled for a talk about Cisco Network Admission Control and its purported design flaws.
* Security researchers Joanna Rutkowska and Alexander Tereshkin, both with Invisible Things Lab, are scheduled to present some new findings about virtualization-based malware, new methods for compromising the Vista x64 kernel and the supposed irrelevance of the Trusted Platform Module and BitLocker. Rutkowska gave a presentation on rootkits and Microsoft software at last year’s Black Hat that won a standing ovation from the audience. As a counterpoint at this year’s event, though, Symantec researchers will take an opposing view in their presentation entitled “Don’t tell Joanna, the Virtualized Rootkit is Dead.” At this session, Symantec will disclose techniques for detecting any trace of virtual-machine malware, though not necessarily eliminating it. Symantec says there’s a friendly competition going on now between Rutkowska and Symantec on this.
* IBM Internet Security Systems researchers Mark Dowd, John McDonald and Neel Mehta will discuss C++-based security and vulnerabilities that can exist in C++ applications, some of which may not have been publicly disclosed before.
* HD Moore, director of security at BreakingPoint Systems and founder of the Metasploit Project, will discuss new techniques for compromising organizations, along with new modules that will be available for the Metasploit Framework, an open source exploit-development platform.
Social issues won’t be overlooked at Black Hat, as Gadi Evron, security evangelist at Beyond Security, takes up the topic of “Estonia: Information Warfare and Strategic Lessons” in a talk on what happened in Estonia during the massive denial-of-service cyberattack there last April.
And Kenneth Geers, author of several books on nations’ and terrorists’ interests in cyberspace, war and security, promises to take up provocative topics, including “Which countries have the worst Orwellian computer networks?”
Some controversy already has swirled around the Black Hat conference, as last month a presentation that promised to undermine chip-based desktop and laptop security was suddenly withdrawn. The briefing, “TPMkit: Breaking the Legend of [Trusted Computing Group’s Trusted Platform Module] and Vista (BitLocker),” promised to show how computer security based on trusted platform module hardware could be circumvented. No explanation was forthcoming from Black Hat or the researchers.