Researchers at the Black Hat 2015 conference next week will show how to crack Internet routing protocols, malware-detecting honeypots, radio-frequency ID gear that gates building access, and more, but also offer tips on how to avoid becoming victims to their new attacks.
A pair of researchers will release a hardware device that exploits weaknesses in RFID access controls and show how to use it to break into buildings. The device exploits the communication protocol used by most access-control systems, according to the team, Eric Evenchick, a freelance developer, and Mark Baseggio, a security consultant for Accuvant.
+ ALSO ON NETWORK WORLD: The Black Hat Quiz 2014 +
The device, which attackers would embed in the RFID reader protecting doors, can use cell phones or PCs to circumvent access controls via Bluetooth LE, they say. Their goal is to show businesses relying on RFID for physical security that they need to take steps to lower the chance of successful breaches.
Honeypots – decoy systems set up to gather information about attackers – can be commandeered and used against the networks they are meant to defend, another research team says. It will release a list of vulnerabilities that make it easy for attackers to recognize and avoid honeypots.
Further, honeypots can be not just bypassed but actually turned into an attack tool, according to the researchers, Dean Sysman, Gadi Evron and Itamar Sher, who work for Cymmetria. “As a case study, we will concentrate on platforms deployed in real organizational networks, mapping them globally, and demonstrating how it is possible to both bypass and use these honeypots to the attacker's advantage,” they say.
A separate briefing will take the alternative approach and release an open-source honeypot – OpenCanary -- that is better designed to lure attackers in so they reveal their intent. “Well deployed honeypots can be invaluable tools in the defender’s arsenal, and don't need to look anything like the honeypots of old,” say the researchers, Haroon Meer and Marco Slaviero, who both work at applied research firm Thinkst.
“We will explore the factors that limit adoption and will discuss how to overcome them,” they say. “We will demonstrate new techniques to make your honeypots more hacker-discoverable and will share data from running actual honeypots in real organizations.”
A separate briefing will show how to hijack internet routing in order to crack the encryption used to protect online transactions. This encryption – SSL/TLS – trusts the Internet’s core border gateway protocol (BGP) routers to swap encryption keys securely. But Artyom Gavrichenkov, a developer for the Qrator DDoS mitigation network, says he can hijack BGP and exploit it to break SSL/TLS. He also says he’s going to discuss how to prevent this from happening.
Android is already taking a beating with revelations about flaws in Stagefright, the Android media player, and that problem will be discussed at Black Hat by the man who uncovered it, Joshua Drake, director of platform research and exploitation at Zimperium Enterprise Mobile Security. And other researchers will show other ways to hijack Android devices.
“A comprehensive study has revealed the existence of multiple instances of a fundamental flaw within the Android customization chain that leave millions of devices and users vulnerable to attack,” according to presenters Ohad Bobrov and Avi Bashan, both of Check Point Software.
The vulnerabilities let attackers exploit unsecured applications to gain access to any device and perform screen scraping, key logging, data exfiltration and back-door application installation, they say. The problems can be remediated to some degree, they say, but they can’t be completely eliminated.
SIM card security
How the security of SIM cards used for 3G/4G phones has been broken will be detailed in a talk by Yu Yu, a research professor at Shanghai Jiao Tong University.
By analyzing power usage of target phones, he says he was able to recover encryption keys as well as other secrets used to secure the SIM cards within 40 minutes. He says he succeeded in cracking eight SIM cards from a variety of manufacturers and service providers. The tools he used: an oscilloscope to acquire power-use data, a protocol analyzer to intercept messages, a SIM card reader and a PC that performed signal processing and cryptoanalysis.
Near-field communications payment systems such as Apple Pay and Google Wallet are vulnerable to attacks using a standard phone and “a little bit of software,” according to the description of a briefing by payment system expert Peter Fillmore. “I'll take you through how you can clone common NFC payment cards; show you the attacks and explain why it is possible,” he writes. He will also address what security mechanisms can prevent such attacks and also show how to subvert the payment systems to make fraudulent transactions.
Researchers at Fidelis Cybersecurity will challenge claims by commercial mobile phone spyware vendors that the spyware is undetectable when installed on phones. “It’s very detectable,” says Joshua Dalman, a cybersecurity specialist at Fidelis.
He and his co-researcher Valerie Hantke checked out the two most popular commercial spyware prodoucts – mSpy and SpyToMobile – and found they either created logs on the devices, created shells for pulling data off the phone or created a widget icon announcing its presence, he says.
Regardless, if BYOD phones are running these apps they can pose a threat to corporate security. If business email is synched to the phone, the spyware can capture it and forward it to third-party servers, he says.
How big a threat is this type of spyware? He quotes a Check Point study that says organizations with 2,000 BYOD phones have a 50-50 chance that at least one has spyware. This software is advertised as a way to keep an eye on spouses and what children are up to.
A pair of researchers at Crowe Horwath will demonstrate Cracklord, a platform for distributing password cracking workload over CPUs and GPUs on multiple devices in order to efficiently break hashed passwords. It can undo hashed passwords faster than an individual machine could.
The platform has two parts, Resources, which gains access to the hardware, and Queue, which is an interface for submitting cracking jobs to Cracklord. Resources uses a range of common hash-cracking tools including Hashcat, John the Ripper and rcrack. “CrackLord is a way to load balance the resources, such as GPUs and CPUs, from multiple hardware systems into a single queuing service,” say the researchers, Lucas Morris and Michael McAtee.
Fernando Arnaboldi, a senior security researcher and consultant at IOActive, says he’s found a flaw in XSLT v.1 that allows seeing part of text documents – something XSLT v. 1 is not supposed to show – before it displays an error. That partial document could reveal valuable information such as passwords, he says.
XSLT is not very good at keeping track of very large or very small numbers, he says, so small amounts of, say, Bitcoins could be removed unnoticed from an account and moved to another.
He will also show how he exploits a major Web browser to open certain files when read from any Web server a user has logged into. The problem stems from the implementation of same-origin policies that lets scripts from one Web page to access data in another if both pages have the same origin. He has told the browser manufacturer under responsible disclosure to give it the chance to fix the problem.
He says he will release a paper including code to repeat all the attacks he outlines so others can check whether their implementations are vulnerable and take steps to secure them.