Black Hat set to expose new attacks

Conference briefings show how to compromise SSL, steal keyboard activity from power lines

The Black Hat conference unfolds in Las Vegas this week with an agenda set to expose exploits as varied as tapping power outlets to capture keyboard signals and closing up holes in the use of the secure protocol that protects online bank transactions.


Other briefings will consider the uses of lasers and analysis software to figure out what's being typed on laptops and detecting what damage has been done via attacks that leave no trace on computer hard drives.

Black Hat USA 2009, considered a premier venue for publicizing new exploits with an eye toward neutralizing them, is expected to draw thousands to hear presentations from academics, vendors and private crackers.

For instance, one talk will demonstrate that if attackers can plug into an electrical socket near a computer or draw a bead on it with a laser they can steal whatever is being typed in. How to execute this attack will be demonstrated by Andrea Barisani and Daniele Bianco, a pair of researchers for network security consultancy Inverse Path.

Attackers grab keyboard signals that are generated by hitting keys. Because the data wire within the keyboard cable is unshielded, the signals leak into the ground wire in the cable, and from there into the ground wire of the electrical system feeding the computer. Bit streams generated by the keyboards that indicate what keys have been struck create voltage fluctuations in the grounds, they say.

Attackers extend the ground of a nearby power socket and attach to it two probes separated by a resistor. The voltage difference and the fluctuations in that difference – the keyboard signals – are captured from both ends of the resistor and converted to letters.

This method would not work if the computer were unplugged from the wall, such as a laptop running on its battery. A second attack can prove effective in this case, Bianco and Barisani's paper says.

Attackers point a cheap laser at a shiny part of a laptop or even an object on the table with the laptop. A receiver is aligned to capture the reflected light beam and the modulations that are caused by the vibrations resulting from striking the keys.

Analyzing the sequences of individual keys that are struck and the spacing between words, the attacker can figure out what message has been typed. Knowing what language is being typed is a big help, they say.

Another presentation will show how confidential online connections such as banking transactions made from public wireless hotspots remain vulnerable to attacks despite improved security that was supposed to fix the problem.

The vulnerability means that attackers can lurk in the middle of what victims think are secure SSL sessions with banks, retailers and other secure Web sites, picking off passwords and other information that can be used later to steal account funds or compromise confidential business data, say the researchers, Mike Zusman, a consultant with Intrepidus, and Alexander Sotirov, an independent researcher.

An improved method of qualifying businesses for SSL certificates, called extended validation (EV) SSL, turns the address bar in browsers green to assure users that the connection is in fact being made using an EV SSL certificate. It is supposed to indicate that end users are connecting with a legitimate business, not an attacker: to obtain the certificate, the entity has undergone prescribed scrutiny and qualified for it.

But a green bar may hide the fact that the browser is actually connecting using SSL certificates approved via the traditional, less secure version of certificate issuance called domain validation (DV), which has no guarantee that such validation criteria were met, Zusman says. Those DV connections can be compromised by attackers.

To take advantage of this weakness, hackers would set up laptops in a public Wi-Fi zone and use well known methods for compromising the wireless access points such as ARP or DNS spoofing or hacking management platforms.

With control of the DNS for the access point, the attackers can establish their machines as men-in-the-middle, monitoring what victims logged into the access point are up to. They can let victims connect to EV SSL sites – turning the address bars green. Subsequently, they can redirect the connection to DV SSL sessions under certificates they have gotten illicitly, but the browser will still show the green bar.

Attackers could drop malware into victims' browsers that would grab passwords later when they access sensitive sites from secure networks that the attackers have not cracked, he says.

Web sites can fix their end of the problem by adopting all EV SSL certs for all the elements of their sites, even those served by third parties. That would require creators of Web sites to find out whether all the elements of their pages use EV SSL certificates.

But makers of Web browsers would also have to adapt. Web browsers need to be able to detect and prevent the intermingling of DV SSL protected content with EV SSL protected content, Zusman says. They would also need to consider the type of certificate involved when they apply same-origin policy, which determines how to handle elements originating from the same site.
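The browser-side check Zusman describes, modelled as an added example that is not code from the article or from the researchers: it flags non-EV sub-resources loaded into a page whose top-level document was served under an EV certificate, and it widens the same-origin comparison to include the certificate's validation level. The hostnames and their validation levels are constructed sample data, not real certificates.

```python
# Added example: mixed EV/DV content detection and a certificate-aware origin
# comparison. Certificate levels are a hand-written table standing in for what a
# browser would learn from the TLS handshake and certificate policy OIDs.
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample data: validation level presented by each HTTPS origin.
CERT_LEVELS = {
    "www.bank.example": "EV",
    "bank.example": "EV",
    "static.bank.example": "DV",
    "cdn.example-third-party.net": "DV",
}
DEFAULT_PORTS = {"https": 443, "http": 80}


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int
    cert_level: str  # "EV", "DV", "UNKNOWN" (https host not in table) or "NONE" (plain http)


def origin_of(url: str) -> Origin:
    """Derive an origin that also carries the certificate validation level."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    if parts.scheme == "https":
        level = CERT_LEVELS.get(parts.hostname, "UNKNOWN")
    else:
        level = "NONE"
    return Origin(parts.scheme, parts.hostname, port, level)


def same_origin(a: Origin, b: Origin) -> bool:
    # Classic same-origin policy compares scheme, host and port; the tightening
    # proposed in the talk additionally requires the same certificate level.
    return a == b


def audit_page(document_url: str, subresource_urls: list) -> list:
    """List every sub-resource that would silently downgrade an EV page."""
    doc = origin_of(document_url)
    if doc.cert_level != "EV":
        return []  # the page itself is not EV, so there is no green bar to protect
    return [f"{url}: {origin_of(url).cert_level} content mixed into EV page"
            for url in subresource_urls if origin_of(url).cert_level != "EV"]


def show_green_bar(document_url: str, subresource_urls: list) -> bool:
    """Only light the EV indicator when the document and all sub-resources are EV."""
    return origin_of(document_url).cert_level == "EV" and not audit_page(document_url, subresource_urls)
```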

Meanwhile, researchers who work for Mandiant will present a tool for piecing together what malicious activity might have been carried out by an attacker's payload that runs only in memory and so evades traditional disk forensics.

In particular, the memory forensics tool being presented by Mandiant's Peter Silberman and Steve Davis finds traces in memory of what activities might have been performed via Meterpreter, a software module for the open-source Metasploit penetration testing framework.

Meterpreter can be injected into a legitimate running process on a victim's computer and thereby avoid detection by host intrusion-detection/prevention system software. Meterpreter can then be used as a platform for further attack to log keystrokes, end processes, upload and download files and otherwise compromise the machine.

Using an adapted version of Mandiant's commercial Memoryze memory-forensics software, the researchers say they can parse Virtual Address Descriptor files in Windows. The tool looks for the packet structure of the protocols Meterpreter uses to talk to its server. Based on these recovered fragments of communication, analysts can infer what attack occurred. For instance, evidence of dumped hashes might indicate that passwords were compromised, they say.

Because the data is volatile, the tool cannot recover 100% of Meterpreter's activity, but it is a proof-of-concept that could possibly be refined, Silberman and Davis say.


Copyright © 2009 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022