Black Hat and DEF CON are both focused on discovering and discussing vulnerabilities, but we heard one interesting thing said at DEF CON by the founder of both conferences, Dark Tangent: “Defcon is a hacker con, not an infosec con.”
Our team visited both conferences held during the summer in Las Vegas, and we even met some of you guys (Hey you!) who showed up, following the info in our newsletter!
We truly enjoyed our experience. So much so that we’ve prepared a list of our favorite talks at DEF CON and Black Hat.
Black Hat Briefings, or just Black Hat, is one of the most important infosec conferences in existence, with the goal of bringing together information security experts, hackers, industry-leading professionals, executives, government agencies and even non-technical people with an enthusiasm for computer security. It’s mostly scheduled prior to DEF CON and is held annually in the USA, specifically in Las Vegas. Black Hat also holds regular events in Europe and Asia.
Due to the nature of the conference itself, it’s considered more corporate and commercial than DEF CON, although both were founded by the same person — Jeff Moss. Black Hat 2018 was held in Las Vegas, beginning August 4th with Trainings that lasted until August 7th. The main conference followed, from August 8th until August 9th. This year it featured the largest number of attendees to date, with nearly 19,000 people! We were there of course, with a table at the conference hotel where we invited people to join us throughout the day, for networking as well as having fun.
Some amazing talks took place, and while we weren’t able to attend all of them, here is a list of the ones that really stuck with us:
Last Call for SATCOM Security
Ruben Santamarta, a security researcher at IOActive, held a talk on August 9th about vulnerabilities found in SATCOM infrastructure. “A Wake-up Call for SATCOM Security” was published at Black Hat in 2014. This important whitepaper gained a lot of media coverage at the time, but not much has changed with SATCOM since then.
Now, Ruben is back with three real-world scenarios that involve vulnerabilities in satellite communications, allowing malicious attackers to take control of them. Airborne SATCOM equipment on in-flight commercial airplanes, stations in war zones used by the US Military and earth station vessels all have vulnerabilities that can give remote attackers a harmful advantage, all originating from the internet.
The talk started by describing the vulnerabilities found, including backdoors, insecure protocols and network misconfiguration, showing one by one which of them are present in aviation, maritime and military land stations. Santamarta also revealed how such hacks are possible and how hackers are able to use the Internet to turn critical devices used in these industries into radiofrequency (RF) hazards.
We’re presented with a frightening fact: hundreds of US and European airlines have forces that can be accessed from the Internet, due to insecure in-flight connections. Maritime vessels are also high-risk environments; Santamarta showed how SATCOM antennas can be turned into RF transmitters that expose vessel crews to radiation.
Technologies covered in Ruben’s talk have a remarkable impact on our society, and the safety and security risks they pose need to be addressed.
You can read the entire talk from Ruben Santamarta at Black Hat here.
Applied Self-Driving Car Security
Charlie Miller and Chris Valasek of Cruise Automation shared information about the security of autonomous cars: they are, in fact, more secure than most people think, but remain a vector of security breaches. Attack surface reduction while these vehicles are being developed is in everyone’s interest.
A few years ago, this team showed that a Jeep Cherokee could be hacked by a malicious attacker, with wired or Internet access to the vehicle allowing them control of the steering wheel and brakes. They made headlines when they actually steered the Jeep into a ditch. After this eye-opening demonstration, they have continued to work with self-driving car companies and warn the public of how and what can go wrong in this new industry.
Truth is, many of us won’t be owning self-driving cars any time soon, but it’s likely we’ll be driven in them — making it clear that keeping them safe is everyone’s business.
The good news is that these self-driving cars are less “hackable” than other vehicles. Even if we’ve seen that exploiting a few computerized functions in regular cars can lead to a hacker taking control, fully computerized self-driving cars are still being developed; there is plenty of space to do everything right.
Self-driving cars communicate via Ethernet, not the traditional CAN, and their data center is located in the trunk (not leaving much space for your luggage, right?). The increase in data that needs to be processed means those cars rely on Ethernet to speed up loading time.
This in itself is good security-wise, but some issues still need to be resolved. For instance, Layer two in the OSI stack has no encryption.
A frequent point of unauthorized access is via GPS. Fortunately, self-driving cars, due to the low resolution and inaccuracy of GPS, use maps and LiDAR sensors that provide accuracy within an inch.
Communication with monitoring teams also needs to be bulletproof, since self-driving cars will need a constantly watchful eye while receiving information regarding the picking up and dropping off of passengers.
Another point made clear is that self-driving cars don’t need a plethora of features that can lead to the increase of attack surface, such as Bluetooth and FM radio.
Finally, the talk emphasized the fact that many self-driving cars are made by putting sensors on factory-made non-autonomous vehicles. It’s possible that these base cars have simple vulnerabilities that can later be exploited by hackers, on the resulting self-driving cars.
TLBleed: When Protecting Your CPU Caches is Not Enough
Ben Gras, security researcher at Vrije Universiteit Amsterdam, presented a novel side-channel attack, one that leaks information out of TLBs.
Let’s back up a little.
Earlier this year, we witnessed Intel being hit with class action lawsuits, spurred by the discovery of vulnerabilities involving side-channel attacks and the failure to address them, even after the information was made public.
Researchers from VU were able to exploit those security vulnerabilities to extract crypto keys from other programs when they tested Intel CPUs.
Ben Gras showed us details about a new form of side-channel attack that he calls “TLBleed.” This type of attack leverages the translation lookaside buffer (TLB), the structure in Intel CPUs that caches virtual-to-physical address translations. Since TLBleed relies on the TLB rather than the CPU’s data caches, it can bypass cache protections already in place.
“We achieve a 98% success rate after just a single observation of signing operation on a co-resident hyperthread and just 17 seconds of analysis time” as Gras claims in the abstract.
As we’re dealing with a new technique of side-channel attacks, it’s certain they’ll only keep improving.
Understanding and Exploiting Implanted Medical Devices
Security breaches often lead to the exposure of sensitive data and financial loss for individuals and companies, but what happens when a security vulnerability can be exploited — and lead to life-threatening situations?
Researchers Billy Rios, founder of WhiteScope, and Jonathan Butts, CEO of QED, presented cyber vulnerabilities found in pacemakers, insulin pumps and other implanted medical devices that can be exploited and lead to interference in a patient’s therapy.
Along with the security vulnerabilities they discovered during their 18-month course of research, the duo revealed the alarming response (or lack of it) of manufacturers and the coordination linked with DHS ICS-CERT and the FDA, and questioned whether those responses were sufficient when viewed from a patient’s perspective.
“Exploitation of these vulnerabilities allow for the disruption of therapy as well as the ability to execute shocks to a patient,” as stated in the abstract.
Dissecting Non-Malicious Artifacts: One IP at a Time
Ido Naor and Dani Goland, co-founders of VirusBay, presented data they’ve collected from a mix of well-known antivirus software, highlighting the files flagged as not malicious. Within that data we’re shown information clearly required to remain private, including company contracts, internal communication and other sensitive data no company would want leaked.
How did this happen?
Most companies and enterprises around the world use antivirus software services to scan their data, and identify and remove threats that are deemed as malicious. But when parts of data are marked as ambiguous, they’re sent to a cloud service for further analysis with many online scanners, and that is where the trouble starts.
In their presentation, they showed how they created an intelligence tool that, when inserted with an API key, scans and reveals sensitive data within non-malicious datasets. The conclusion of their talk is that companies need to keep a closer eye on their security and be wary of sensitive data being sent to clouds and scanners for examination.
Ah, another DEF CON. The longest-running true hacker convention that brings together hackers, security researchers, journalists (does anyone remember when an undercover journalist was booted out of DEF CON in 2007?), students and even government and federal employees — who doesn’t like to play Spot the Fed?
DEF CON has existed for 25 years, becoming a pop culture staple. With new and different contests, cyber-security challenges and amazing speakers, this year’s DEF CON 26 was held at Caesars Palace August 9th - August 12th.
The number of attendees was staggering at the largest DEF CON yet — with 28,000 people!
It’s the place to be if you want to hear all the best news about security vulnerabilities and new attack techniques, as well as to showcase your own hacker knowledge.
We attended this year, as we do regularly, and even got to meet some of you who found out we were attending DEF CON through our newsletter (sign up, if you haven’t already, to be the first to hear our news).
There were many talks we enjoyed, delivered by many dear friends and colleagues. Even if it was hard for us to separate just a few of them, here is our list of the top 5 best talks at DEF CON 26:
Ridealong Adventures: Critical Issues with Police Body Cameras
Josh Mitchell, principal cybersecurity consultant at Nuix, gave a talk at DEF CON 26 that tackled the growing popularity of police body cameras and the inadequate skills and procedures used in assessing their security.
Mitchell presented evidence to the audience that almost all of the tested devices from manufacturers have some form of common vulnerability, one that can be easily exploited by malicious attackers. The devices tested belonged to the companies PatrolEyes, Fire Cam, VIEVU, CEESC and Digital Ally. Interestingly, Mitchell tested 7 devices, but presented only 5 of them.
Device manufacturers are adding more and more technology and features into body-worn cameras, which provides a bigger attack surface for malicious hackers.
The large attack surface and the common vulnerabilities discovered have led to the possibility of attackers launching ransomware, viruses and worms on the devices that can alter or even destroy computer records.
Most of the devices tested had Wi-Fi and 3G/4G, enabling them to connect with devices in their vehicles, but they’re also able to connect to servers that allow for location tracking, the all-important live video and video uploading. None of these communications are secured, and we’re all aware of how easy it is to crack these connections.
It’s also noted that most of these manufacturers proudly and publicly feature the names of law enforcement organizations using their devices.
These devices, and the videos that are recorded on and uploaded to them, are used in courts of law as credible evidence — the issue with that is the questionable integrity of the cameras. Not only is tampering with or deleting those videos a potential problem, the videos can also be released to the public maliciously, and in that way impact court processes.
During the talk, we were introduced to techniques that can be used to assess the security of the cameras and shown how their RF components, desktop software, smartphone apps and the devices themselves can be attacked.
It’s in everyone’s interest to maintain the integrity and highest level of security of these devices… One can only imagine the wrongful conviction of an innocent man, based on an altered video.
What the Fax?!
Check Point researchers Eyal Itkin and Yaniv Balmas reminded us all that even if we’re living in 2018, some old habits just won’t go away.
It’s frightening that we’re still using technology from the ’80s, with only minor adjustments like putting it in “all-in-one” printers. We are speaking, of course, about fax.
The presentation began with a quick rundown on the history of the fax machine — which is not that long, as there were no real improvements after 1980, especially none regarding fax security.
Speaking of unique attack vectors, this was an equal parts hilarious and scary presentation about those 20th-century relics called fax machines. They’re still widely in use, believe it or not, as all-in-one printers that include the fax feature. TL;DR — fax can be used as a gateway to internal networks. Unplug!
We as humans have evolved immensely over the last 30 years, having developed more advanced and sophisticated ways of sending digital content, so why would anyone still use fax machines?
Well, it’s complicated. Industries such as health care, government and banking still rely on faxes every day despite the lack of enforced security. Sending a fax is sometimes mandatory and the only way of sending files to some institutions. The researchers even showed us how easy it is to find a fax from President Trump.
One example of the weakness of fax machine security is that the files and data are sent without any encryption. You can imagine how easy it is for someone to tap into a phone line and intercept that data!
Flaws they discovered among popular fax machines include a common structural issue where an attacker can overload the structure that stores the data and cause it to crash.
As mentioned, the fax numbers of big enterprises and offices are public, and you can look up any fax number online. Since fax machines are almost always connected to the internal network of a company, getting inside that internal network is as easy as it can be.
Adding authentication to internal printers doesn’t work with fax; it’s inherent in the design of the machine. So no matter what kind of protection the printer has, you’re always able to send your fax to the designated number.
During the talk, the researchers showed us a live demonstration of taking over a fax machine using a standard phone line and we enjoyed it immensely. It was really a one-of-a-kind journey through time.
And what was the biggest conclusion of this talk?
“The world needs to stop using fax!”
Reaping and breaking keys at scale: when crypto meets big data
Yolan Romailler and Nils Amiet, researchers at Kudelski Security, started this presentation by getting straight to the point.
“We have the public keys of all of you here that have a public key on GitHub…”
Public keys are, well, public. But what if you heard those keys can be used to access your private key?
Compromising the security of data by obtaining private keys can be done by malicious attackers even if, theoretically, they should be completely safe. Unfortunately, there may be vulnerabilities in the implementation of the code.
The researchers created a key reaping machine that collected keys in order to test them for vulnerabilities. They were able to collect over 300 million keys, and they can now test all new RSA keys against the initial database in a very short period of time.
“As a result of our research, we could have impersonated hundreds of people by breaking their PGP keys, mimicked thousands of servers thanks to their factored SSH keys and performed MitM attacks on over 200k websites relying on vulnerable X509 certificates,” the abstract states.
Since this presentation is so straightforward, and one of the shortest talks we feature here, we advise you to listen to these guys; we’re sure many of you have a public key on GitHub or GitLab or have pushed a PGP key to a key server.
Inside the Fake Science Factory!
This presentation was held by investigative journalists and data scientists who have personally come into contact with “predatory publishers and conferences.”
The researchers presented names and proof of these publishers and how they accept even computer-generated “scientific research” if, of course, you merely pay a publishing fee. By submitting several computer-generated papers to a number of these publishers, the researchers demonstrated that there is no real peer review going on here. Basically anyone can publish their paper in this way and use the recognition from being published toward getting higher salaries if they’re professors, and even selling medication that allegedly cures cancer!
Until this research began, the fake science factory was going unnoticed, possibly even costing people their lives when fraudulent scientists were selling them medication to cure life-threatening diseases. People with nothing left but hope fell for these false advertisements backed by “scientific researchers” and published by predatory publishers.
The damage to society that these types of conferences and publishers cause is a problem we all need to address, as science in itself influences consumer behaviour, political decisions and our perception of the world.
In another part of the presentation, these researchers shared a documentary they made on the subject.
Weaponizing Unicode: Homographs Beyond IDNs
Attacks on IDNs using homographs are familiar to most people. With a homograph, you can easily trick the eye into thinking it’s looking at a standard character.
The Tarquin (A.K.A. Aaron M. Brown) presented other systems in which homograph attacks exist but also offered fun side notes on homographs and plagiarism detection software.
Using a well-known quote from Shakespeare, but with a few letters swapped out for Unicode look-alikes, the software could not recognize it as plagiarism — students, you now know how to pass off a copied essay!
On a more serious note, The Tarquin went on to describe how you can use homographs to trick and attack machine learning systems, make cryptographic canary traps and other ways of tricking mechanisms and releasing malicious software fixes, stating: “When you introduce unicode into different languages, the threat surface is limited by: developer due diligence and attacker creativity. Unfortunately, developer due diligence is poor, but attacker creativity is pretty good.”
After discussing ways you can use homographs, The Tarquin, as a proud blue team member, showed us a defense strategy that can work against these attacks — OCR defense. What’s great about OCR is that when a skilled attacker makes the homograph almost undetectable, the OCR can detect it more easily. This is one of those rare situations that hinges on the skilled attacker making his attack and technique worse, which works well for you and your defense.
The talk finished with a few quotes that stuck with us:
“Defenses work best when you know your attacker’s incentives, you need to know who are your attackers and ways of attack.”
And probably our favorite:
“Ultimately, humans are the ones that get hacked.”
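As an added illustration (not code from the talk or from the original post), here is a minimal defender-side check for the letter-swapping trick described above: it flags words that mix scripts and folds known look-alikes before two texts are compared. It is a different technique from the OCR defense mentioned in the talk, and the confusables table and sample strings are constructed for the example.

```python
import unicodedata

# Constructed, illustrative subset of look-alike characters mapped to Latin.
# Assumption: a real deployment would load the full Unicode confusables data
# (UTS #39) instead of this hand-picked table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

def script_of(ch):
    """Coarse script label: the first word of the character's Unicode name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def mixed_script_words(text):
    """Return (word, scripts) for each word whose letters span several scripts.

    A word written entirely in one script (e.g. ordinary Russian text) is not
    flagged; only mixing inside a single word is treated as suspicious.
    """
    findings = []
    for raw in text.split():
        word = raw.strip(".,;:!?\"'()")
        scripts = {script_of(c) for c in word} - {None}
        if len(scripts) > 1:
            findings.append((word, sorted(scripts)))
    return findings

def skeleton(text):
    """Comparison form: NFKC-normalise, casefold, then map known look-alikes."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(CONFUSABLES.get(c, c) for c in folded)

def same_after_folding(a, b):
    """True if two texts are identical once look-alikes are folded away."""
    return skeleton(a) == skeleton(b)

# Constructed sample: the second string swaps three letters for Cyrillic ones.
ORIGINAL = "To be, or not to be, that is the question"
SPOOFED = "To b\u0435, \u043er not to be, that is the qu\u0435stion"

if __name__ == "__main__":
    print("byte-identical:", ORIGINAL == SPOOFED)
    print("match after folding:", same_after_folding(ORIGINAL, SPOOFED))
    for word, scripts in mixed_script_words(SPOOFED):
        print("suspicious word:", ascii(word), scripts)
```

The mixed-script check will not catch a word spoofed entirely in one foreign script, which is why the folded comparison is run alongside it.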
We always look forward to new conferences in the infosec world, not only to listen to a range of researchers present their breakthroughs from around the world, but also to meet all of you there. SecurityTrails works to deliver the best toolkit available, a necessity for all security researchers and infosec professionals. Sign up for your API key and see what you’ve been missing!