Aug 12, 2015 By Jean-Paul Bergeaux In Blog

BlackHat and DEFCON Highlight Dangers Ahead

In my sprint through five days of sessions, demonstrations, presentations and conversations at this year’s DEFCON and BlackHat conferences, I noted several compelling security challenges that cannot be ignored by those in the defensive security field.

I summarize some of the issues and problems below. I intend to explore them more fully in future blogs, so stay tuned for detailed posts, links to more information and, where possible, videos and presentations made available to non-attendees. (The headers will turn into links as each post is published.)

Apple is not a safe haven for users.
Researchers who found ways to exploit iOS devices and Mac laptops/Air notebooks garnered significant attention. There were several demonstrations, the most disturbing of which was a rootkit targeting a vulnerability that is still present on Apple laptops and Air notebooks because of the legacy Intel BIOS architectures Apple uses.

Cross-VM attacks are real and are dangerous.
There were several presentations about cross-VM attacks. The most frightening was one in which the presenter pulled full documents and SSH keys from one VM over to an attacker-controlled VM. This vulnerability, combined with a talk about Intel architectural issues that allow Ring -2 access to the hypervisor level, makes multi-tenant public clouds a concern for government agencies.

Active Directory problems and mitigations.
In a stellar presentation repeated at both conferences, DAn Solutions detailed and demonstrated many Active Directory vulnerabilities and standard practices that have been and are currently being exploited by bad actors. They also described the mitigations that should be taken. This is a MUST see for any organization running Active Directory (i.e., everyone needs to pay attention).

HoneyPots making a comeback?
HoneyPots have been mocked for years because: 1) they are mainly research tools that do not contribute significantly to network defense; and 2) bad actors can quickly figure out they are in a HoneyPot and ignore the fake data. Considering how difficult HoneyPots have been to create, maintain and use, the results have not been worth the cost. However, several compelling presentations explained why HoneyPots are misused and misunderstood by most. If used properly, HoneyPots can be an affordable early-warning feature in an enterprise security architecture.

MS WMI exploits rising and mitigations are in short supply.
WMI has been used by some of the most prominent APTs in recent memory, including the ultra-famous Stuxnet. Despite that, not much work has been done by Microsoft or security vendors to understand and mitigate the incredible power an authorized (or faked) administrator can wield through WMI. FireEye presented some fantastic research on how WMI works and how attackers are using it. The company also released a free tool that lets agencies query and discover what is going on in WMI.
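As an added example (not FireEye's tool and not code from the original post), the following Windows PowerShell check lists permanent WMI event subscriptions, the filter/consumer bindings that attackers have used for fileless persistence, so a defender can review each one; it assumes Windows PowerShell 5.x on a host where the reader has local administrator rights.

```powershell
# Added example, not the post's or FireEye's code: enumerate permanent WMI
# event subscriptions in root\subscription and print, for each binding, the
# triggering query and what the consumer would execute.
$ns = 'root\subscription'

$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Binding references look like __EventFilter.Name="x" and
    # CommandLineEventConsumer.Name="y"; pull the quoted names out.
    $filterName   = ($b.Filter   -split '"')[1]
    $consumerName = ($b.Consumer -split '"')[1]

    $f = $filters   | Where-Object { $_.Name -eq $filterName }
    $c = $consumers | Where-Object { $_.Name -eq $consumerName }

    # Only consumer classes that run code carry a payload worth reading.
    $payload = switch ($c.__CLASS) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' {
            if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFilename }
        }
        default                     { '(non-executing consumer)' }
    }

    [PSCustomObject]@{
        Filter   = $filterName
        Query    = $f.Query
        Consumer = "$($c.__CLASS):$consumerName"
        Payload  = $payload
    }
}
```

A clean workstation normally returns nothing or only vendor-created bindings; a binding whose query fires on boot or at an interval and whose payload launches a shell or script deserves immediate investigation.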

IoT and mobile vulnerabilities are a problem now, not in the future.
Everyone has now heard of Stagefright and the Jeep (uConnect) hack, released by Zimperium and IOActive respectively. There is even more to this problem. Numerous presentations, workshops and contests examined how weaknesses in IoT and mobile technologies can be exploited to penetrate environments. When speaking about anticipated IoT and mobile vulnerabilities, we used to say, "Not if, but when." Well, "when" has arrived. The problems are here now.

White Hat hackers need to be trained better to secure themselves.
After wreaking havoc on WiFi Pineapple attackers at last year's DEFCON, Wesley McGrew presented the tools he used to do it. He also convincingly argued that pen testers on the defensive side are weak in defending themselves, both with respect to the tools they use and how they manage the data they lawfully exfiltrate while on duty as a pen tester. He offered suggestions on how to better train security professionals from the beginning on protecting themselves and their clients.

Control systems in industrial facilities are in danger.
In another demonstration by IOActive, recurring presenter Jason Larsen showed that physical damage to pumps, piping, tanks and valves is very simple to cause once the control systems are compromised.

Expect to see more on these issues as soon as I can bang out blogs on each topic. I will include as much information as is available to the public without subscriptions.