Black Hat updates of Day 2
Before I talk about Day 2 of Black Hat 2009, let me quickly come back to this week's out-of-band Microsoft patches. Microsoft has since confirmed that a single character in its development code is responsible for the ATL bug behind the Internet Explorer exploits. "The bug is simply a typo," confirmed Michael Howard, a principal security program manager in Microsoft's security engineering department. You can find the details on Michael's blog at:
http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
This year's focus at Black Hat 2009 was clearly on Apple and, more generally, on the security of mobile devices. In the meantime the conference has reached its end and people are getting ready for DefCon 17 at the Riviera hotel and casino in Vegas.
After plenty of parties and drinks last night, a large crowd was up and ready at 10 AM for the demonstration given by Luis Miras, an independent security researcher, and Zane Lackey of iSec Partners. Both showed that there are several architectural and implementation problems in today's mobile phone networks. These can be used to force users to open malicious files, to give attackers control of users' phones, and to change phone settings so that mobile Internet traffic is redirected through a proxy controlled by the attackers.
They also announced the release of a tool called TAFT ("There's an Attack for That"), which runs on jailbroken iPhones and is capable of launching the mobile attacks they described. You can find a story about it at
http://news.cnet.com/8301-27080_3-10300174-245.html
That was not all Apple had to swallow this time. Mac security researcher Dino Dai Zovi revealed a significant vulnerability in Mac OS X. He and other Mac security experts warn that Mac OS X could prove to be an easy target. Dai Zovi, co-author of "The Mac Hacker's Handbook," said in his presentation that once attackers start to put substantial resources into targeting Apple's computers, those machines will be at least as vulnerable as Windows machines.
At the core of the attack he explained to the audience is a short piece of code that gives an attacker access to a Mac's memory. Through this hole it is possible to gain root access to the machine and then open a remote network connection. From there an attacker can read local personal data, attack the machine further, execute files, or quietly monitor Safari to capture attempts to access bank details online.
Isn't that scary? I think it is time for all of us to get rid of the traditional impression or belief that Macs are more immune to viruses and attacks than PCs. We should all start to include existing Mac installations in our traditional IT processes, including vulnerability and patch management. More details can be found at
http://www.reuters.com/article/technologyNews/idUSTRE56S77Q20090730?pageNumber=1&virtualBrandChannel=0
Another very interesting focus this year was on Cloud Computing. Most organizations look at cloud services from a cost leadership point of view: they expect cost savings and, at the same time, increased flexibility. By having services available in the cloud, IT shops are trying to ease their remote access burden. Very often they forget that the improved availability of company resources via remote access comes at a cost. Alex Stamos from iSec Partners (http://www.isecpartners.com/) explained how easily data and application owners can lose control over their resources. From his point of view, cloud services as they are today are useless and not worth the risk. Stamos added: "You have massively less protection if you are cloud computing than if you own your own machines."
I personally don't agree with this strict view. For me, cloud services are still in their infancy. No enterprise organization will go completely into the cloud soon. For a long period of time we will see hybrid solutions. Right now most IT shops are in the experimentation phase to learn what is possible. I expect that by the end of 2012 Cloud Computing will have reached its mainstream phase. If you look at Cloud Computing from a Service Management point of view, then it becomes relatively clear that it is nothing other than a service delivery and consumption model. The point which is shocking to me is that most organizations believe that they will save money with Cloud Computing. I think this is wrong. At the moment many companies try to move their on-premise IT model into an off-premise IT model, expecting the vendor to manage the services using the old service descriptions. I guarantee you this will fail, and I have proof of that at hand.
More details about Stamos' view can be found at http://ow.ly/15Jl9y
I personally enjoyed the story about how San Francisco's parking meters can't discern a genuine payment card from a faked one. You can find the story at
http://www.pcworld.com/article/169370/black_hat_researchers_find_free_parking_in_san_francisco.html
Last but not least, I want to draw your attention to a popular laptop theft-recovery service that ships on notebooks made by HP, Dell, Lenovo, Toshiba, Gateway, Asus and Panasonic. Researchers showed that it is effectively a BIOS rootkit that can be hijacked and controlled by malicious hackers.
The service called Computrace LoJack for Laptops contains design vulnerabilities and a lack of strong authentication that can lead to “a complete and persistent compromise of an affected system,” according to a presentation by researchers Alfredo Ortega and Anibal Sacco from Core Security Technologies. Please read the full story at
http://blogs.zdnet.com/security/?p=3828
and check if your organization is using this service.
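To make that check concrete, here is an endpoint audit script written for this post (example code, not from the Core Security researchers or from the vendor). It assumes a PowerShell session with administrative rights on Windows 8 or later. The indicator names it looks for (the rpcnet / rpcnetp service and executables, and the namequery.com call-home domain) are taken from the public analyses of the Computrace agent, not from this post; a hit means the agent is present, not that it has been tampered with.

```powershell
# Added example, not part of the original post: audit one Windows laptop for the
# Computrace / LoJack for Laptops agent. Indicator names (service and executables
# named rpcnet / rpcnetp, call-home domain namequery.com) come from public
# analyses of the agent and are an assumption of this script, not from the post.

$serviceNames = @('rpcnet', 'rpcnetp')
$agentFiles   = @(
    "$env:SystemRoot\System32\rpcnet.exe",
    "$env:SystemRoot\System32\rpcnetp.exe",
    "$env:SystemRoot\SysWOW64\rpcnet.exe",
    "$env:SystemRoot\SysWOW64\rpcnetp.exe"
)
$callHome  = 'namequery.com'
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"

$findings = New-Object System.Collections.Generic.List[object]

# 1. Installed service: the agent registers itself as a Windows service.
foreach ($name in $serviceNames) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) {
        $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        $findings.Add([pscustomobject]@{
            Indicator = 'Service'
            Name      = $name
            Detail    = "$($svc.Status); start=$($wmi.StartMode); image=$($wmi.PathName)"
        })
    }
}

# 2. Agent binaries on disk, with their Authenticode status, so an unsigned or
#    differently signed copy stands out from a vendor-shipped one.
foreach ($path in $agentFiles) {
    if (Test-Path -Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $findings.Add([pscustomobject]@{
            Indicator = 'File'
            Name      = $path
            Detail    = "sig=$($sig.Status); signer=$($sig.SignerCertificate.Subject)"
        })
    }
}

# 3. Call-home host pinned in the hosts file. The researchers' point was that the
#    agent trusts whatever server it is pointed at, so a hosts entry for the
#    vendor domain is exactly where a hijack would be planted.
if (Test-Path -Path $hostsFile) {
    $pinned = Select-String -Path $hostsFile -Pattern $callHome -SimpleMatch
    foreach ($line in $pinned) {
        $findings.Add([pscustomobject]@{
            Indicator = 'HostsEntry'
            Name      = $callHome
            Detail    = $line.Line.Trim()
        })
    }
}

# 4. Live connections owned by any process named like the agent.
$agentProcs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -in $serviceNames }
foreach ($p in $agentProcs) {
    $conns = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $findings.Add([pscustomobject]@{
            Indicator = 'Connection'
            Name      = "$($p.ProcessName) (pid $($p.Id))"
            Detail    = "$($c.LocalAddress):$($c.LocalPort) -> $($c.RemoteAddress):$($c.RemotePort)"
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Computrace/LoJack indicators found on $($env:COMPUTERNAME)."
    exit 0
}
Write-Output "Computrace/LoJack indicators on $($env:COMPUTERNAME):"
$findings | Format-Table -AutoSize
exit 1
```

Run it elevated on each managed laptop and collect the non-zero exit codes centrally. Note that deleting the Windows files is not a fix: the whole point of the research is that the BIOS component reinstalls the agent at boot, so where the firmware setup exposes a Computrace option, the durable control is to set it to permanently disabled there.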
With this I will prepare myself now for the second night of Black Hat 2009 parties. I hope you enjoy the material and if everything goes right I will give you another update tomorrow with the news from day 1 at DefCon 17.
-Andreas