BlackHat
Latest
Apple delivers Black Hat talk to mediocre reception
CNET's posted a strange writeup for Apple's first talk at the Black Hat security conference, and though the piece is short on details, the theme is clear: There wasn't a lot of groundbreaking news shown off to attendees. Manager of Platform Security Dallas De Atley basically gave a quick rundown of the security measures built in to the architecture of iOS, and didn't give much more. Any hackers looking for Apple to speak in person about vulnerabilities or work being done for the future of the Mac or iOS platforms were apparently turned away disappointed. But I would argue that Apple just showing up at the Black Hat conference is the beginning of a good public dialogue with the company on security. Apple has been quiet to say the least in the past, preferring instead to just close its doors and windows where security is concerned, and release hotfixes and updates on its own schedule. Just an appearance at the Black Hat conference, then, is a gesture by Apple that it recognizes the values of hackers and their culture. As CNET's writer says, maybe next year Apple will have a more satisfying presentation.
Security experts hack payment terminals to steal credit card info, play games
If a payment terminal could be forced into servitude as a crude handheld gaming device, what else could it be made to do? Researchers at the Black Hat conference showed just what mischief a commonly used UK PoS terminal could get up to when they inserted a chip-and-pin card crafted with malicious code. That enabled them to install a racing game and play it, using the machine's pin pad and screen. With the same hack, they were able to install a far less whimsical program as well -- a Trojan that could record card numbers and PINs, which could be extracted later by inserting another rogue card. On top of that, criminals could use the same method to fool the terminal into thinking a transaction was bank-approved, allowing them to walk out of a store with goods they hadn't paid for. Finally, the security gurus took a device popular in the US, and used non-encrypted ethernet communication between the terminal and other peripherals to hack into the payment device and take root control. Makes you want to put those credit cards (and NFC devices) away and stick to cash -- at least you can see who's robbing you blind. [Original image credit: Shutterstock]
Hacker finds flaw in hotel locks, can ruin your vacation with $50 DIY gadget
Admittedly, the headline is designed to get your dander up. You're in no immediate danger of a technologically-gifted thief plugging a couple of wires into your hotel door and making off with your sack of souvenirs from the Mall of America. But that's not to say it's impossible. Cody Brocious, who was recently brought on by Mozilla to work on Boot to Gecko, is giving a presentation at the annual Black Hat conference in Vegas where he demonstrates a method for cracking open keycard locks with a homemade $50 device. The hack only works on locks made by Onity at the moment, and real life testing with a reporter from Forbes only succeeded in opening one of three hotel doors. Still, with between four and five million Onity locks installed across the country (according to the company), that is a lot of vulnerable rooms. The attack is possible thanks to a DC jack on the underside of the lock that's used to reprogram the doors. This provides direct access to the lock's memory, which is also home to the numeric key required to release the latch -- a key that is protected by what Brocious described as "weak encryption." Ultimately the source code and design for the Arduino-based unlocker will be published online alongside a research paper explaining how these locks work and why they're inherently insecure. The hope is that manufacturers will take notice and improve the security of their wares before the world's ne'er-do-wells perfect Brocious' technique.
Apple to present at Black Hat conference
This Thursday, Apple is poised to do something its never done before --- give a formal presentation at the Black Hat security conference. According to Bloomberg, Dallas De Atley of Apple's platform security team will give a presentation on iOS security to the hackers in attendance. This isn't the first scheduled showing by an Apple representative. A panel presentation by Apple employees was slated for Black Hat 2008, but the event was abruptly canceled when the marketing department found out about it. This bit of trivia comes from Black Hat general manager Trey Ford who discussed the matter with Bloomberg. Black Hat 2012 is significant as the security conference is celebrating its 15th anniversary. Five of the speakers from the first Black Hat event are returning and will present their vision of security for the next 15 years. You can follow the events via Black Hat's twitter account or its Facebook account. Images will be posted on its Flickr account as well. [Via Bloomberg]
Apple to present at Black Hat conference for first time, talk about iOS' padlocks
Apple is taking a different, more cautious tack when it comes to security these days. That doesn't make it any less surprising that the company is planning to give a presentation at the Black Hat conference: the company will have someone on stage for the first time and won't just socialize in the corridors. When he takes to the podium on July 26th, platform security manager Dallas De Atley will go into detail regarding iOS' security measures in front of an audience used to finding a way around them. The company hasn't said whether that involves current or future technology; we suspect that Apple may be eager to show what iOS 6 brings to the table, however. If it all goes down like Black Hat general manager Trey Ford says it will, Apple may both open up a bit on security and set more of the agenda this week -- instead of letting conference goers set it themselves.
Microsoft advises nuking Windows Gadgets after security hole discovery, we mourn our stock widgets
Whether you see Windows Vista and Windows 7 Gadgets as handy tools or a blight upon a pristine desktop, you might want to shut them off for safety's sake. Mickey Shkatov and Toby Kohlenberg have found that the desktop widgets' web-based code have flaws that would allow malicious Gadgets, or even hijacked legitimate Gadgets, to compromise a PC without having to go through the usual avenues of attack. Microsoft's short-term answer to the vulnerability is a drastic one, though: a stopgap patch disables Gadgets entirely, leaving just a barren desktop in its wake. There's no word on a Gadget-friendly solution arriving before Kohlenberg and Shkatov present at the Black Hat Conference on July 26th, but we suspect Microsoft's ultimate answer is to move everyone to Windows 8, where Gadgets aren't even an option. We understand the importance of preventing breaches, of course -- we're just disappointed that we'll have to forgo miniature stock tickers and weather forecasts a little sooner than expected.
WhiteHat Security hacks into Chrome OS, exposes extension vulnerability at Black Hat
It's been a rough Black Hat conference for Google. First, FusionX used the company's homepage to pry into a host of SCADA systems, and now, a pair of experts have discovered a way to hack into Chrome OS. According to WhiteHat security researchers Matt Johansen and Kyle Osborn, one major issue is Google's vet-free app approval process, which leaves its Chrome Web Store susceptible to malicious extensions. But there are also vulnerabilities within native extensions, like ScratchPad -- a note-taking extension that stores data in Google Docs. Using a cross-site scripting injection, Johansen and Osborn were able to steal a user's contacts and cookies, which could give hackers access to other accounts, including Gmail. Big G quickly patched the hole after WhiteHat uncovered it earlier this year, but researchers told Black Hat's attendees that they've discovered similar vulnerabilities in other extensions, as well. In a statement, a Google spokesperson said, "This conversation is about the Web, not Chrome OS. Chromebooks raise security protections on computing hardware to new levels." The company went on to say that its laptops can ward off attacks better than most, thanks to "a carefully designed extensions model and the advanced security available through Chrome that many users and experts have embraced."
Black Hat hackers demo Square card skimmer, feed it stolen credit card numbers
Here's some more fun out of Vegas, this time involving Jack Dorsey's Square and a little thing we like to call credit card fraud. Researchers from Aperture Labs (seriously) held two demonstrations at the Black Hat Conference. The first used a script, written by Adam Laurie, to convert stolen credit card data into a series of audio tones that were then fed to the Square app via the headphone jack on a phone -- removing the need to have a physical card. A second avenue of fraud, also using code authored by Laurie, turned the Square dongle into a skimmer. It intercepted incoming data, which is unencrypted, and spit out human readable numbers that could easily be used to clone a card. New hardware that encrypts information pulled from the magnetic strip is in the pipeline but, until then, it seems everyone's favorite smartphone-based payment service has some troublesome holes to fill.
Microsoft offers 'mad loot' Bluehat prize to entice security developers (video)
Mere numbers aren't enough to describe cash prizes for Microsoft, it seems. The firm's inaugural Bluehat security competition's introduction video opted for a clearer term: "mad loot, lots of it." The big M hopes the hefty first prize of $200,000 will inspire the creation of the next generation of defensive computer security technology. The most innovative "novel runtime mitigation technology designed to prevent the exploitation of memory safety vulnerabilities" (phew!) will take home the aforesaid mad loot, while second and third places will receive $50,000 and an MSDN Universal subscription, respectively. The winner won't be announced until Blackhat 2012, of course, and applicants have until April to submit their prototypes and technical descriptions. Hit the break for the official announcement video, complete with CG backgrounds and prize euphemisms.
Hackers break into Subaru Outback via text message
We've already seen SCADA systems controlled by Google Search, and now the Black Hat Technical Security Conference is offering up yet another slice of cringe-inducing hacker pie. A pair of pros from iSec Partners security firm was able to unlock and start the engine of a Subaru Outback using an Android phone and a process they call war texting. By setting up their own GSM network, they were able to snatch up password authentication messages being sent from server to car, allowing them the option to ride off in a brand new crossover. Apparently, your car isn't the only thing in danger of a war-texting takeover, however, as the team says there are a slew of devices and systems, accessible over telephone networks, that are vulnerable to similar attacks, including A-GPS tracking devices, 3G security cameras, SCADA sensors -- and thus the power grid and water supply -- home automation, and urban traffic control systems. Somehow this group of otherwise innocent looking New York texters appears a whole lot more sinister now.
Google search opens SCADA systems to doomsday scenarios
Google, the service so great it became a verb, can now add security risk to its roster of unintended results. The search site played inadvertent host to remotely accessed Supervisory Control and Data Acquisition (SCADA) systems in a Black Hat conference demo led by FusionX's Tom Parker. The security company CTO walked attendees through the steps required to gain control of worldwide utility infrastructure -- power plants, for one -- but stopped short of actually engaging the vulnerable networks. Using a string of code, unique to a Programmable Logic Controller (the computers behind amusement park rides and assembly lines) Parker was able to pull up a water treatment facility's RTU pump, and even found its disaster-welcoming "1234" password -- all through a Google search. Shaking your head in disbelief? We agree, but Parker reassured the crowd these types of outside attacks require a substantial amount of effort and coordination, and "would be extremely challenging to pull off." Panic attack worn off yet? Good, now redirect those fears to the imminent day of robot-helmed reckoning.
Charlie Miller finds MacBook battery security hole, plans to fill with Caulkgun
Those batteries have probably met a worse fate than the white MacBook line they came from. According to Forbes, Charlie Miller's managed to render seven of them useless after gaining total access to their micro-controllers' firmware via a security hole. Evidently, the Li-ion packs for the line of lappies -- including Airs and Pros -- are accessible with two passwords he dug up from an '09 software update. Chuck mentions that someone could "use them to do something really bad," including faulting charge-levels and thermal read-outs to possibly even making them explode. He also thinks hard-to-spot malware could be installed directly within the battery, repeatedly infecting a computer unless removed. Come August, he'll reportedly be detailing the vulnerability at the Black Hat security conference along with a fix he's dubbed Caulkgun, which only has the mild side-effect of locking-out updates by Apple. Worth being safe these days, though. Right? Full story in the links below.
Black Hat security conference offers two-day Macsploitation class
Attention would-be Mac hackers and those hoping to write viruses and malware for Mac OS X! You can bone up on your Macsploitation skills at an upcoming two-day class to be held at the Black Hat security conference July 30 through August 2. This isn't the first time that Black Hat has featured Mac hacker training. The class, which will be taught by Italian security consultant Vincenzo Iozzo and Mac Hacker's Handbook author Dino Dai Zovi, requires registration ($2000 now, $2700 onsite) and has a number of other prerequisites as well. What kind? Well, in addition to bringing your Mac along to the site, you'll want to make sure you have a Windows XP virtual machine running on the Mac, the IDA Pro disassembler and Apple's Xcode tools package. If you want to impress the instructors, you'll also want to grab zynamics' BinNavi reverse-engineering tool. For the most part, the people who attend Black Hat are good guys who are there to learn how to keep our systems safe. As noted on ZDNet, Mac OS X security remains much better than that of Windows. Mac OS X 10.6.6 only included one security fix, while Microsoft's February Patch (released last Tuesday) plugged 22 vulnerabilities. If your work involves Mac security, there's no better place to pick up the skills that you need to be an expert than at Black Hat.
Hackers disguise phone as keyboard, use it to attack PCs via USB
We've seen hackers use keyboards to deliver malicious code to computers, and we've seen smartphones used as remote controls for cars and TV -- but we've never seen a smartphone disguised as a keyboard used to control a computer, until now. A couple folks at this year's Black Hat DC conference have devised a clever bit of code that allows a rooted smartphone -- connected to a PC through USB -- to pose as a keyboard or mouse in order to attack and control the computer. The hack takes advantage of USB's inability to authenticate connected devices coupled with operating systems' inability to filter USB packets, which would enable users to thwart such an attack. While utilizing a digital costume to hack a computer is a nifty idea, it doesn't pose much additional risk to users because the method still requires physical access to a USB port to work -- and most of us would probably notice someone plugging a smartphone into our laptop while we're using it. [Image Credit: Angelos Stavrou / CNET]
Why Apple's "walled garden" is a good idea
Many developers and users of Apple's iOS devices bemoan the "walled garden" of the App Store approval process, but it appears that the company's measures have prevented mass data theft from iPhones, and iPads. At the Black Hat security conference being held in Las Vegas this week, mobile security firm Lookout announced that an app distributed in Google's Android Market had collected private information from millions of users, then forwarded it to servers in China. Worse than that, the exact number of affected users isn't known, since the Android Market doesn't provide precise data. Estimates are that the app was downloaded anywhere from 1.1 million to 4.6 million times. The app appeared to simply load free custom background wallpapers, but in fact collected a user's browsing history, text messages, the SIM card number, and even voice mail passwords, and then sent the data to a web site in Shenzen, China. This is different from the recent AT&T website leak that could have let a hacker access 144,000 iPad 3G user email addresses, since in this case the data theft actually did happen, was being perpetrated by malicious hackers, involves much more personal information, and affected many more people. So what's the difference between the security methodologies used by Google and Apple? Apple approves iOS apps only after they've gone through a strict (and frustrating to developers) process, while Google's Android Market simply warns the user that an app needs permission to perform certain functions during the installation. iOS apps must be signed by an Apple-created certificate, which means that malicious developers have a harder time distributing malware anonymously. Lookout also noted that iOS remains virus-free, since third-party apps can only be distributed through Apple's heavily-moderated App Store, and the apps run in a sandbox environment where they can't affect the system. Lookout chief executive John Hering said that "he believes both Google and Apple are on top of policing their app stores." It's just those odd cases where apps don't do what they're advertised to do that can cause problems for users. [via AppleInsider]
Some Windows CE-based ATMs especially generous (and vulnerable to hackers)
Speaking at the Black Hat conference in Las Vegas, a fellow named Barnaby Jack (really!) used custom software to hack Windows CE-based ATMs on stage. After using an industry standard key to gain entry to the machines (apparently many ATM owners are too lazy to install new locks) Jack was able to load a rootkit on the device using a USB thumb drive. From that point, it was just a matter of running another program that caused all the cash therein to shoot out in a comical manner. The machines used in the presentation were manufactured by Trannax and Triton, both of which have have had a chance to send a security patch to customers prior to the demonstration. However, there are four different machines in common use that are still vulnerable. And no, he won't tell us which ones.
Lookout's App Genome Project warns about sketchy apps you may have already downloaded
If you're an iPhone user, the only privacy notice you'll see from an app regards your current location -- as much a warning about the associated battery hit from the GPS pinging as anything. If you're an Android user, however, things are different, with a tap-through dialog showing you exactly what each app will access on your phone. But, do you read them? You should, with Lookout running a sort of survey across 300,000 apps on those two platforms, finding that many access personal information even though they seemingly don't need to. One particularly scary instance, an app called Jackeey Wallpaper on Android, aggregates your browsing history, text messages, could get your voicemail password, and even your SIM ID and beams it all to a server in China. That this app has been downloaded millions thousands of times is a little disconcerting, but it's not just Android users that have to fear, as even more iPhone than Android apps take a look through your contact infos. What to do? Well, be careful what you download to start, on Android read those privacy warnings... and we're sure Lookout wouldn't mind if you took this opportunity to download its security app. Update: We received a note from Jussi Nieminen, who indicated the data fields being retrieved, as reported by VentureBeat, are incorrect. Texting and browser history are apparently not retrieved, but your phone number, phone ID, and voicemail fields are. And, since it's not unheard of for voicemail entries to include a password when setup on a phone, it's possible they could wind up with that too. Also, the popularity of the app was apparently misstated, with actual downloads somewhere south of 250,000. Update 2: Kevin, one of the Black Hat speakers from Lookout, wrote us to let us know that the full details on the wallpaper apps have been posted here, if you'd like to read. Meanwhile, estimations of just how many people have downloaded this particular wallpaper app are all over the place, ranging from as low as 50,000 to over four million.
Researcher will enable hackers to take over millions of home routers
Cisco and company, you've got approximately seven days before a security researcher rains down exploits on your web-based home router parade. Seismic's Craig Heffner claims he's got a tool that can hack "millions" of gateways using a new spin on the age-old DNS rebinding vulnerability, and plans to release it into the wild at the Black Hat 2010 conference next week. He's already tested his hack on thirty different models, of which more than half were vulnerable, including two versions of the ubiquitous Linksys WRT54G (pictured above) and devices running certain DD-WRT and OpenWRT Linux-based firmware. To combat the hack, the usual precautions apply -- for the love of Mitnick, change your default password! -- but Heffner believes the only real fix will come by prodding manufacturers into action. See a list of easily compromised routers at the more coverage link.
Christopher Tarnovsky hacks Infineon's 'unhackable' chip, we prepare for false-advertising litigation
As it turns out, Infineon may have been a little bit... optimistic when it said its SLE66 CL PE was "unhackable" -- but only a little. The company should have put an asterisk next to the word, pointing to a disclaimer indicating something to the effect of: "Unless you have an electron microscope, small conductive needles to intercept the chip's internal circuitry, and the acid necessary to expose it." Those are some of the tools available to researcher Christopher Tarnovsky, who perpetrated the hack and presented his findings at the Black Hat DC Conference earlier this month. Initially, Infineon claimed what he'd done was impossible, but now has taken a step back and said "the risk is manageable, and you are just attacking one computer." We would tend to agree in this case, but Tarnovsky still deserves serious respect for this one. Nice work, Big Gun.
Apple keyboard gets hacked like a ripe papaya, perp caught on video
As far as Apple is concerned, the Black Hat 2009 hackers conference didn't end soon enough. Having promptly patched the iPhone vulnerability, Cupertino is facing another security hole, this time in its keyboards. A hacker going by the pseudonym of K. Chen has come up with a way, using HIDFirmwareUpdaterTool, to inject malicious code into the keyboard's firmware. While it's not yet possible to perform this hack remotely, the fact it occurs at the firmware level means no amount of OS cleanser or anti-virals will remedy it -- which might be a bit of a bother to MacBook owners who can't simply swap to an uninfected keyboard. Panic is hardly advisable, as Chen is collaborating with Apple on a fix, but if you want to be freaked out by his simple keylogger in action, hit up the video after the break.
