Black Hat USA 2014: So Much Hack. So Little Time
As a first-time attendee to Black Hat and DEF CON hosted in Las Vegas, Nevada this year, it was, as a total understatement, pretty overwhelming. Just from sheer physical exhaustion caused by running from talk to talk while maintaining a perpetual state of complete geo-confusion (uhhh really need a reliable Indoor Positioning System (IPS) app like now), I’m not sure I’ve recovered yet. Back-to-back conferences and back-to-back talks resulted in one serious intellectual and physical marathon.
Yet, looking back, I realized how much I actually learned in such a short amount of time. It was an information security boot camp experience that I definitely don’t regret.
## Black Hat USA 2014

The 17th year of Black Hat brought in thousands of attendees to the Mandalay Bay Convention Center with 150 vendors. A lot of the Black Hat talks went over my head, but naturally they were the culmination of months and months of in-depth, highly-specialized and uber technical research in fields I’m no expert in. Read on for my take on some of the more interesting talks I attended:
### Standardizing Security: Proposed Policies

Dan Geer, the CISO of In-Q-Tel, a not-for-profit investment firm supporting the Central Intelligence Agency, kicked off the conference with a philosophically dense and well-written talk, Cybersecurity as Realpolitik (full text), that outlined a number of security policy proposals. Those included:
- Mandatory reporting
- Net neutrality
- Source code liability
- Strike back
- Fallbacks and resiliency
- Vulnerability finding
- Right to be forgotten
- Internet voting
Those don’t make a lot of sense on their own, but I’m working on a summary of his talk that explains it a bit more (as well as other talks), so stay tuned for that! His overall sentiment was that cybersecurity’s pervasiveness makes it impossible to ignore the need for standard security policies across the board.
As an experienced speaker at Congress about cybersecurity issues with a long history of significant contributions to the information security field, Dan’s talk was extremely enlightening from a high-level perspective as it relates to government policy.
### IoT Authentication

Another interesting talk I went to was How to Wear Your Password, a talk that proposed merging the physical and the logical in order to strengthen authentication security. By using a smart bracelet as an identity manager, Dr. Markus Jakobsson of Qualcomm proposed that the bracelet could authenticate as well as manage the authenticated session, while being unique to the user.
Equipped with a low-power processor, a Bluetooth LE transmitter, and an accelerometer, the bracelet’s clasp would break or close a circuit as it was opened or closed, effectively confirming authentication and ending the authenticated session.
While it was a good talk, what would have made it better would have been the inclusion of a simple rendering of the concept and scenarios; a diagram of components and even the different phases of authentication mapped out - which, I found through a search, is actually available online in his research paper (PDF).
### DLP Security Flaws: Cross-Site Scripting & No Encryption

Duo Security’s own Senior Security Researcher Zach Lanier moderated a roundtable on embedded devices, and presented with Kelly Lum of Tumblr on security holes found within different popular DLP (Data Loss Prevention) solutions in Stay Out of the Kitchen: A DLP Security Bake-Off.
This was a great talk that presented never-seen-before research comparing solutions from Trend Micro, Websense, Sophos and OpenDLP (all while wearing matching neon cat-face sweaters, no less). My takeaway from their talk was that Trend Micro’s DLP solution for Windows and Linux ranked quite poorly, leaving it open to serious cross-site scripting (XSS) vulnerabilities and with no encryption in place. Zach’s blog on his talk from the speaker’s perspective will be coming soon, so check back for that!
### Malware-Dropping Android App

Jeff Forristal of Bluebox’s presentation, Android Fake ID Vulnerability Walkthrough (slides), demoed how a phishing email pretending to be an IT department request to update and install an app could lead to the installation of a malware-dropping Android app that can steal data and passwords from multiple legit apps on a user’s phone, partly by abusing the way Android app signatures and certificates are handled. This was pretty cool as he also showed how a fake certificate can be generated with just thirteen lines of code.
### Insecure Home Automation Applications: Remote Exploit

An interesting and fun talk was presented by Jesus Molina, an independent security consultant, titled Learn How to Control Every Room at a Luxury Hotel Remotely: The Dangers of Insecure Home Automation Deployment (preview slides). He exploited an old home automation protocol, KNX/IP, to turn on all of the lights of 200 hotel rooms at the St. Regis ShenZhen, a luxury hotel located in China.
While the hotel offered controls to guests with the convenience of an iPad2, security flaws also allowed Jesus to remotely control the lighting, temperature, music, and other aspects of the hotel rooms. He gave a very entertaining talk complete with a video of when he successfully hacked the rooms simultaneously.
But more seriously, this exemplifies real implications for the use of home automation applications for the hospitality industry (also related to insecurity with remote access to the Internet of Things (IoT)).
### Protocol Reverse-Engineering Hack

Another somewhat similar talk I attended was When the Lights Go Out: Hacking Cisco EnergyWise (slides), presented by researchers Matthias Luft & Ayhan Soner Koca of ERNW, an independent IT security service provider based in Heidelberg, Germany.
Cisco EnergyWise provides a centralized way to manage and control commercial/enterprise power systems (used, for example, by a data center), allowing you to set power levels, put on standby or turn off power if necessary.
With the help of protocol reverse-engineering, the researchers were able to identify text strings, IPs, MACs, dates, times, EnergyWise parameters and more. Protocol reverse engineering (PRE) is defined in a paper from UC Berkeley, Protocol Reverse Engineering and Application Dialogue Replay, as:
The process of extracting the application-level protocol used by an implementation without access to the protocol specification.
From a security perspective, they were able to figure out the authentication protocol components, including:
KEY = HMAC_SHA1(UUID,SECRET)
Hash = HMAC_SHA1(KEY, DATA)
My favorite quote from the talk was - “Now that we know the secret, it’s basically game over...” as I tweeted along with a photo of the live demo.
By figuring out the shared secret, the researchers could get a device to be recognized by the system and compromise server/domain controls. They also found they could crash a system with a malformed packet by sending a query with certain values. They demoed a live hack of the EnergyWise system during the presentation and were able to turn a light on and off, to the cheers of the crowd.
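To make the two-step construction concrete, here is an added Python sketch (not code from the talk, ERNW, or Cisco) that derives KEY and Hash using the post’s notation, taking the first HMAC argument as the key, and checks a received hash the way a server would. The UUID and secret are constructed sample values; the point it shows is that, with the UUID visible on the wire, acceptance rests entirely on the shared secret.

```python
import hashlib
import hmac

# Constructed sample values; assumptions for this example, not real deployment data.
SAMPLE_UUID = "2f6a4d1e-1b2c-4f8a-9d3e-0a1b2c3d4e5f"
SAMPLE_SECRET = b"constructed-shared-secret"


def derive_key(device_uuid: str, secret: bytes) -> bytes:
    """KEY = HMAC_SHA1(UUID, SECRET), reading the first argument as the HMAC key."""
    return hmac.new(device_uuid.encode("utf-8"), secret, hashlib.sha1).digest()


def compute_hash(data: bytes, device_uuid: str, secret: bytes) -> bytes:
    """Hash = HMAC_SHA1(KEY, DATA): the per-message tag a sender attaches to DATA."""
    key = derive_key(device_uuid, secret)
    return hmac.new(key, data, hashlib.sha1).digest()


def verify(data: bytes, received_hash: bytes, device_uuid: str, secret: bytes) -> bool:
    """Server-side check. compare_digest is constant-time, so the comparison itself
    does not leak how many leading bytes of the tag were correct."""
    expected = compute_hash(data, device_uuid, secret)
    return hmac.compare_digest(expected, received_hash)


def acceptance_depends_only_on_secret(data: bytes) -> dict:
    """Illustrates the 'game over' point: the UUID travels in the clear, so a tag
    made with the right secret passes while one made with any other secret fails,
    and a tampered DATA field under the right secret fails too."""
    good_tag = compute_hash(data, SAMPLE_UUID, SAMPLE_SECRET)
    guessed_tag = compute_hash(data, SAMPLE_UUID, b"guessed-secret")
    return {
        "genuine": verify(data, good_tag, SAMPLE_UUID, SAMPLE_SECRET),
        "wrong_secret": verify(data, guessed_tag, SAMPLE_UUID, SAMPLE_SECRET),
        "tampered_data": verify(data + b"!", good_tag, SAMPLE_UUID, SAMPLE_SECRET),
    }


if __name__ == "__main__":
    print(acceptance_depends_only_on_secret(b"constructed EnergyWise query"))
```

Because the derived KEY is a deterministic function of a public UUID and the secret, rotating or strengthening the shared secret is the only lever a defender has in this scheme; the per-device derivation adds no secrecy of its own.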
Matthias and Ayhan reported the vulnerability to Cisco, and it is described in detail in a security advisory released earlier this week, which reports that unauthenticated, remote attackers could cause a reload of the affected device and “lead to a DoS (Denial-of-Service) condition.” Further, there was no recommended workaround available for the vulnerability.
This vulnerability has serious implications for data centers and for commercial power systems that may control larger networks, allowing remote attackers to potentially cause a mass blackout, not to mention take down entire companies, as power and networking are oftentimes their lifeblood.
### After All That - DEF CON

Overall, Black Hat felt somewhat professional and academic in nature, with a smattering of nicely-ironed slacks and light blue button-ups among the jeans and t-shirts. The vibe was brisk, with more attendees from the business side of the industry congregating to hear from the top security researchers in the field. Stick around for my summary of DEF CON, which is quite different...