Back to the Basics: Black Hat 2018

LAS VEGAS, August 7-9 2018 – As nearly 19,000 of us from the hacker and research community descended upon Vegas for Black Hat, the outside temp hit 111 degrees, a record last set in 1994.

Fortunately, the power grid held, and we were kept comfortable (sometimes too cold) for the duration of the two-day security training event at the Mandalay Bay Hotel and Casino. However, some slot machines, elevators, and other embedded systems didn’t fare so well under hacker tinkering over the weekend at Black Hat sister conference, Def Con, as covered by Jack Morse, fellow member of the press.

These hotel hacks reported by Morse were simple demonstrations of software and hardware hacking into critical infrastructure systems (hey, elevators are critical). Demonstrations of grid hacking, car hacking and voting machine hacking were also urgently covered during sessions at both Black Hat and Def Con.

Everything Cyber is Hackable   

Risks from IoT, cloud-based computing, mobility, and lack of resources were topics well-covered by Parisa Tabriz, Google’s Director of Engineering and Project Zero Manager, during her conference kick off keynote, “Optimistic Dissatisfaction with the Status Quo: Steps we Must Take to Improve Security in Complex Landscapes.”

In it, she argued convincingly about going back to the basics – secure design, fast and accurate patching of vulnerabilities - and she told her personal story of challenging the status quo.

Improvement Takes Time

Tabriz used examples of long-term infrastructure improvements, like Chrome’s enforcement of encrypted browsing (HTTPS). Internet providers that use HTTP rather than HTTPS are labeled as insecure starting this past July.

Some businesses object to this ‘Migrate or face embarrassment’ move on Google’s part. Google countered by posting comprehensive help documents for businesses to make the migration.

She also described the time (nearly 7 years) and team commitment put into this upgrade that she called a “feat of engineering.” Myriad browser program interdependencies – from plug ins to the O/S – had to be considered (and no, none of them made it easier with a common language).

 “The message that it took years to make this change is incredibly important,” said Adam Shostack (author of Threat Modelling: Designing for Security) during an impromptu hallway interview shortly after the keynote. “Changes that really matter take time.”

Tabriz also used the keynote to showcase another long-term program developed by her team at Google, Project Zero, which, she says so far has identified 1,400 critical vulnerabilities across O/S, software, cloud-based and hardware systems while speeding up vendor patch times to 90 days or less.

In Support of DevOps

While these Google projects were long in the works, they specifically support today’s demand for faster development by providing more secure foundations and libraries for developers and vulnerability managers, Tabriz explained.

Investments, industry collaboration, and buy-in to infrastructure improvements like this, Tabriz said, take us one step closer to getting ahead of criminals rather than “playing whack-a-mole with our attackers.”

Cybercriminal Industry Worth Billions; Plus Geopoliticized Malware and Other Scary Findings at RSA 2018

SAN FRANCISCO, April 17, 2018 – Back in 1995, I first started researching the lives and friends of Kevin Mitnick as an author’s assistant for what would turn out to be a best-selling book. Although I wondered what I was getting myself into, I wanted to know who these cyber hackers were, why they broke into systems, and more importantly, I wanted to learn from them.

This need to understand your enemy in cyberspace has become abundantly clear again at the RSA Security Conference this year (Some 23 years later if I’ve done the math right). 

During Monday’s pre-show activities, two companies in particular revealed chilling research uncovered during their security and investigative operations and data collection.

Let’s start with the value attributed to cybercrime and crimeware. At an analyst dinner sponsored by Bromium (the book’s publisher), Dr. Michael McGuire, senior lecturer, University of Surrey estimated the market is easily worth $1.5 trillion, based on interviews with convicted cyber criminals.

“That’s the GDP of a mid-sized country,” he says. “And that’s a very conservative estimate.”

Cybercrime-as-a-service platform managers can earn up to $2 million a year, individual high-earners make up to $166,000 a month, and middle-earners make a mere $75,000 a month, according to his calculations.

Makes you wonder if we (the good guys) are working for the wrong side. But then consider the “dark side” of criminal endeavors involving this much money: kidnapping, coercion, jail time, even murder accompany criminal enterprises of this value. The funds are even being used to fund terrorism in an economy that is so strong it could break the financial system if it were to be brought down, Dr. McGuire conjectures.

Lately, specific cyber crime activity has been shifting away from ransomware and damage-based attacks to accessing stolen computing power to mine bitcoins, according to another equally-compelling report unveiled by Comodo’s Threat Research Labs earlier in the evening.   Back door attacks, which are needed to continue to access the hijacked computer for its bitcoin computing power, are also spiking upwards, according to the report.

The report results, delivered by Comodo senior scientist Kenneth Gears, also shows that greed is not the only motivation behind cyber attacks. On a large display screen, Gears pointed out distinct hikes in regional cyber attacks in South America, Mexico, Canada, the Koreas and Iran (among other countries) during times of political turmoil.

Gears adds “Cyberspace reflects human activity, whether it be an election or conflict.”

The Weaponization of Smart Dust and Other Internet of Things – RSA 2017

SAN FRANCISCO, FEB 16 2017 – Imagine billions of sand-sized computing devices tossed into municipal waste, still alive by battery and calling out to one another. Imagine them joining a billions-strong botnet stretched out across the land sending short signals to deny service and pass along small bytes of malware to anything within proximity.

Think this is something from the future? Think again.

Late last year, smart things such as cameras were conscripted into botnets under the Marai Malware family, disrupting more than 900,000 Deutsch Telecom users, as well as 2,400 routers in England, and continues to morph and prey on new vulnerabilities found in other types of smart devices.

Meanwhile, smart dust or MEMS – Micro Electric Mechanical Systems – in the form of used RFID packaging, micro sensors (the size of salt grains) and other smart waste are already being tossed into dumps without end-of-life kill processes or even a means to turn them off, says Michael Patterson, CEO of Plixer, during the RSA Security Conference exhibition. 

“These are purpose-built smart devices with unique protocols, communications to their servers, and access to their administrative community,” he says.  “Without governance and oversight – like Underwriter Laboratories that we have for other electrical devices – these miniature smart chips have the potential to become a real risk to cyber security.”

So concerning are these smart devices that Adi Shamir (who’s last name represents the ‘S’ in RSA encryption technology) will soon release a paper he titled “IOT Going Nuclear.” In it, he says he demonstrates how someone could sit in a hotel room, plug one infected smart light into a socket, and then spread malware from one smart light to others.

Based on density of the smart light fixtures, you could infect a whole city in minutes, turn off all the lights and hold the city ransom until the city pays to have the lights turned on, continues Shamir, a professor of computer science at the Weizmann Institute in Israel.

Ransomware holdups have already happened with other smart devices, for example in late 2016, LG television systems were hijacked by ransomware and turned into bricks until TV owners ponied up money to get them working again. 

“The government should NOT allow devices that are not sufficiently secure to connect to the public internet,“ Ramir says, which drew loud applause from the crowd attending the RSA cryptographer’s panel keynote session on Tuesday.

Whitfield Diffie, co-inventor of the Diffie Hellman Key exchange back in the 70’s (who was also on the panel), says that throwing more layers of security on top of this problem is not the answer. Instead, he urges everyone to reset their strategies and improve their products with secure engineering and software coding in the first place.

 “If anything like the resources being spent on interactive security – virus screening, fighting back, et cetera – were spent on the improvement on the logical functions of devices, we’d get much much better results,” says Diffie, currently a crypto export with Cryptomathic.

Will anybody heed such sage advice? Engineering and development have historically focused on ‘go-to-market’ first. Security, if considered at all, is usually an afterthought or the result of their products being hacked. This is why we’re in this mess in the first place!

Autos are Computer Networks-DEF CON 2016

LAS VEGAS – The electronics in cars have become complex computing networks unto themselves, according to researchers at Black Hat Briefings and DEF CON security conferences in Las Vegas this past week (Aug. 3-7).

Monitoring systems, mapping and directions programs, roadside assistance apps, sensors and cameras are but a few of the independent apps and networks controlling today’s automobiles.

Consider that each of these apps uses its own signaling technology and protocols (WiFi, Bluetooth, GPS, cellular, dedicated networks, etc.) to communicate internally, or with other vehicles on the road, and to phone home for updates, and you begin to understand all the access points bad guys can take to control a moving vehicle to cause damage and loss of life.

“Today’s vehicles have more than 100 million lines of code,” says Craig Hurst, who as director of Intel’s transportation division, was at DEF CON tirelessly pitching the new Automotive Security Review Board - see (see https://asrb.org),  which he is also executive director of.  “Think of today’s vehicles as systems of systems that get much more complex as vehicles get smarter.”

Since 2013, multiple reports have cited that there are more than 100 million lines of code in automotive systems, including in a 2015 NY Times article here: http://www.nytimes.com/2015/09/27/business/complex-car-software-becomes-the-weak-spot-under-the-hood.html?_r=0 .

But with autonomous driving vehicles being developed for tomorrow (think 2020 or a little beyond), the time is now for organizations like the ASRB to promote common standards and best practices across all chip makers, application makers and parts manufacturers that go into the ecosystem of autonomous driving cars.

But that’s a little tricky when the auto makers’ immediate interests conflict with the hackers’ discoveries, something Charlie Miller and Chris Valasek, who work in security at Uber ATC, lamented during their Black Hat press meeting on Thursday, August 4. Their published exploits against their own 2013 Geep Cherokee showed, among other things, the ability to remotely drive the car into a ditch.

During the press con at Black Hat, the researchers laughingly joked that they “paid for the tow truck” to get their car out of that ditch themselves, and added that their exploits have been expensive and time consuming but worth the effort. Then they grew serious and even obtuse when asked about their relationship with the automakers and their ability to affect change. The manufacturers, they said, normally don’t get back to them so they don’t know if they’re affecting change or not.

Despite the friction between manufacturers and hacker researchers, such efforts are indeed driving change, especially when you consider that Miller and Valesek’s hacks on the 2013 Jeep Cherokee led to the recall of more than 1.4 million vehicles. See my 2015 Black Hat/DEF CON blog post here: http://derad.typepad.com/onlinecrimebytes/2015/08/internet-of-interconnected-technologies-or-iit-black-hat-and-def-con-2015.html, about how they brought the same Jeep into Bally’s and demonstrated some of their ‘safer’ remote hacks (locking unlocking doors, etc.

Recalls and updates bring about another serious risk with software-laden passenger vehicles: Along with requiring layers of security within these ‘moving’ vehicle networks, security controls must also consider how to safely update and patch these auto applications when new vulnerabilities are discovered.

Manual recalls are unbearably expensive and traditionally difficult on both makers and buyers. However, updating the software in a moving vehicle could be catastrophic if it requires a system reboot or shut down, like most hardware updates call for today in our phones and hand held devices.

That’s why the National Highway Safety and Traffic Administration (http://www.nhtsa.gov/Research/Crash+Avoidance/Automotive+Cybersecurity), the Automotive ISAC (http://www.autoalliance.org/auto-issues/cybersecurity) and other new groups like the ASRB are working now to protect cars of the future, because those cars are being developed today.

Let’s hope they get it right sooner rather than later: These new vehicles will have more code and variety of apps (almost all chip-based) than some enterprise networks. The last thing we want holding up progress is conflicting standards and protocols that have led to the ages-old interoperability vs best of breed problems that have plagued enterprise security operations to this day.

Internet of Interconnected Technologies or IIT: Black Hat and DEF CON 2015

BLACK HAT and DEF CON, LAS VEGAS, August 7 2015—Things, end points and the Internet are converging into what should be given a new term to embrace them all. I suggest calling this convergence the Internet of Interconnected Technologies or IIT.

According to the SIEM, analytics and intelligence-type vendors, the end point is no longer just a laptop or mobile device with direct user interface. Now they consider severs, routers and switches, firewalls and VPNs, and anything else with a communication port hanging off of it, along with their applications, an end point.

So that means that mobile phones are now end points. Researchers at Black Hat released new methods for advancing what were only formerly lame attacks against apple iOs; while other researchers showed new methods to break into Androids.

It also means that servers are end points, such as DNS servers and their keys and certificates, which are ill managed and a gold mine for hackers to find and manipulate as demonstrated by researchers and vendors at Black Hat.

This also turns smart cars into end points. At Black Hat, researchers Charlie Miller and Chris Valasek repeated their remote control hack that led to the recall of 14 million Jeep Cherokees. Then at DEF CON (directly following Black Hat this weekend at Paris and Bally’s), the Jeep and a Tesla were both on the show floor exhibited as new end points to hack. These end points are now hosting numerous IP addresses to support multiple smart apps that can be targeted.

Then, toss in systems spinning up in the public cloud as virtual end points with rich applications that are of interest to attackers and it’s easy to get overwhelmed. How do you manage all the risk presented in this IIT ecosystem where all end points are targets and all targets are end points?

This interconnectivity between hardware, software and silicon implanted everywhere raises questions like how to holistically (connectively) monitor and apply security rules, intelligence and vulnerability management across such a global, interconnected ecosystem?

It also reinvigorates the question of who is responsible for securing these end points—the manufacturers, the users or both? And who builds that security and who pays for it?

With so many point solutions around (such as DNS key locator services, SIEM, threat or vulnerability intelligence, and so on), it’s going to be a long haul before any ‘big picture’ solutions reveal themselves.

It seems impossibly complex, but one can hope, after mingling with 16,000 brilliant hacker minds, that these and new emerging complexities will be worked out.