Ten scary hacks I saw at Black Hat and DEF CON
While cyber security is increasingly important, researchers show how little of it we actually have
Black Hat and DEF CON
Rootkits in your CPU are now a thing
Researcher Christopher Domas from the Battelle Memorial Institute disclosed a design flaw in Intel’s x86 CPU microarchitecture that dates back to 1997. The vulnerability, which affects all Intel CPUs older than the second generation Core processor family, also known as Sandy Bridge, can be leveraged to install a rootkit into the deepest parts of a system, the System Management Mode (SMM). This can make malware undetectable to security products and allows attackers to reinfect the operating system even after a complete wipe.
Intel released firmware updates for some of its server and desktop motherboards, but other manufacturers have to follow suit. Since Sandy Bridge was released in 2011, older boards might not even be supported anymore and might not receive updates. Even if they do, it’s unlikely many users will install the updates, so vulnerable systems will still be around for years to come.
Critical vulnerabilities put hundreds of millions of Android devices at risk
There were two major Android security issues presented at Black Hat that put hundreds of millions of Android devices at risk. One was a vulnerability in a core Android media processing library called Stagefright that could be exploited via a single MMS message or by browsing to a Web page. The flaw prompted Google, Samsung and LG to commit to monthly security updates for their devices.
In a different talk at Black Hat, Android’s lead security engineer, Adrian Ludwig, referred to the Stagefright patching effort as the “single largest unified software update in the world.”
The second issue was not in the core Android components, but in the support tools that manufacturers and carriers install on their devices so that technical support staff can remotely troubleshoot issues. Security researchers from Check Point Software Technologies found multiple issues with these remote support tools that allowed any malicious applications to communicate with them and take control of devices.
When computers help you shoot, hackers can help you miss
Computer-assisted rifles are scary, but remotely hacking into one and forcing the shooter to miss his target or potentially to hit something else is even scarier. That’s what security researchers Runa Sandvik and Michael Auger did with a TP750 rifle and scope made by precision guided firearm manufacturer TrackingPoint, which they attacked over the gun’s built-in Wi-Fi access point.
Their hack, which was presented at both Black Hat and DEF CON, prompted a response from the manufacturer that amused many attendees: “Since your gun does not have the ability to connect to the Internet, the gun can only be compromised if the hacker is actually physically with you. You can continue to use Wi-Fi (to download photos or connect to ShotView) if you are confident no hackers are within 100 feet.”
Pass the hash… on the Internet
SMB relay, the network version of a long-time hacker favorite attack called “pass the hash,” was believed to work only inside Windows networks. Security researchers Jonathan Brossard and Hormazd Billimoria found that this is not actually the case: an attacker can harvest Active Directory NTLM (NT LAN Manager) credentials from the Internet simply by tricking a user into visiting a Web page in Internet Explorer, opening an email in Microsoft Outlook or playing a video file in Windows Media Player.
SMB Relay involves using man-in-the-middle techniques to capture authentication requests from a Windows computer to a server and then relay those requests back to the server in order to be authenticated as the user. The requests include a cryptographic hash derived from the user’s password that can be cracked with some special hardware in some cases. However, in most cases the hash can be used as is, to impersonate users.
Brossard and Billimoria showed that they can pull off the same attack against cloud-hosted Exchange, SharePoint and other Windows-based servers by using a relatively new feature called NTLM over HTTP. The issue stems from a system DLL that automatically sends the credentials to a remote SMB server even when an Internet Explorer option is set to only send credentials to the local network.
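One defensive check that follows from the SMB relay section: the attack depends on a Windows client reaching an SMB server outside the organization, so outbound SMB (TCP 139/445) to non-private addresses is worth blocking at the perimeter and alerting on. The script below is an added example, not code from the article or from the researchers. It scans constructed egress firewall log lines (the log format, timestamps and addresses are assumptions made for the example) and reports internal hosts that connected, or tried to connect, to SMB ports on public addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample egress firewall log (not from the article).
# Format assumed for this example: timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2015-08-10T09:01:12 10.0.5.23 10.0.5.10 445 ALLOW
2015-08-10T09:02:44 10.0.5.23 203.0.113.7 445 ALLOW
2015-08-10T09:03:01 10.0.5.41 198.51.100.9 443 ALLOW
2015-08-10T09:03:55 10.0.5.41 198.51.100.22 445 DENY
2015-08-10T09:04:10 10.0.5.23 192.168.1.40 139 ALLOW
2015-08-10T09:05:33 10.0.5.88 203.0.113.7 139 ALLOW
"""

# NetBIOS session (139) and direct SMB (445): the ports a Windows client
# uses when a UNC path or embedded resource points it at an SMB server.
SMB_PORTS = {139, 445}

# "Internal" here means RFC 1918 space plus loopback and link-local.
# Listed explicitly rather than via ip_address().is_private so that the
# documentation ranges used in the constructed log count as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int
    action: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    ts, src, dst, port, action = parts
    return ts, src, dst, int(port), action


def find_outbound_smb(log_text: str, include_denied: bool = False) -> List[Finding]:
    """Return SMB-port connections from internal hosts to external addresses.

    Denied attempts are still interesting (the client tried to send NTLM
    credentials somewhere it should not), so they can be included on request.
    """
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, action = rec
        if port not in SMB_PORTS or is_internal(dst):
            continue
        if action == "DENY" and not include_denied:
            continue
        findings.append(Finding(ts, src, dst, port, action))
    return findings


if __name__ == "__main__":
    for f in find_outbound_smb(SAMPLE_LOG, include_denied=True):
        print(f"{f.timestamp} {f.src_ip} -> {f.dst_ip}:{f.dst_port} ({f.action})")
```

In the sample data the two allowed connections to 203.0.113.7 are the ones a defender would chase first, since an allowed outbound SMB session is exactly the channel that lets a client hand its NTLM authentication to a server it does not control; the denied attempt is the perimeter rule doing its job, but the originating host still saw something that tried to trigger the leak.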