
Security Week 31: News from Blackhat

Even if some major security event happens this week, nobody will notice, since everyone, or almost everyone, involved in information security is in Las Vegas at the BlackHat conference. As one of the key industry events, it traditionally brings researchers together. Accordingly, the conference talks about problems and hardly discusses solutions. Not because there are no solutions; that is just the format. Interestingly, the February RSA Conference claims the role of a constructive meeting about protection methods, but even there the pattern breaks: sooner or later someone in a hoodie runs through the lobby of business meetings, where terms like "mitigation", "integrated strategy" and "incident response methodology" are being exchanged, shouting "AAAAA, EVERYTHING IS BROKEN!!1".

Perhaps this is normal: when it comes to IT security, business sits between the carrot of comprehensive protection and the stick of cybercrime. So it moves, motivated and driven, toward the bright future of a safe information space. Today I will allow myself to depart from the usual format and talk about some interesting talks from BlackHat. The post does not claim to be complete; the conference is still going on: the first and second courses have already been served, but the compote arrives next week.

tl;dr: cars, encryption, Android, mail and credit cards were broken, and everyone was fooled by flash drives. The Internet has been broken for a long time; in the reporting period it was not fixed.
All episodes of the series are available under the tag.

Nigerian scam with mail breakage and fake invoices
News
Nigerian scammers are not only letters from the widow of the untimely deceased president of some bantustan. Dell SecureWorks told Blackhat about a somewhat more complex scheme. The fraud begins with compromising a company's mail server, after which correspondence with counterparties is monitored. If a large transaction is maturing in a thread, at some point the fraudsters insert themselves into it and start relaying messages between buyer and seller through themselves. As a rule, the most primitive method was used for this: on the compromised server, a mail account was created whose spelling differs minimally from the original one.

As a result, the buyer is slipped a fake invoice, the scammers get the money, and the group vanishes into the fog. An interesting observation about the sophistication of the attack: it is either zero or negative. It was possible to track the group's activity thanks to a mistake by one of its members: he accidentally infected himself with his own malware. As it turned out, in the whole organization only one person understood anything about cyber attacks; all the rest did day labor: they sent out phishing and engaged in creative googling. According to the FBI, all attacks involving mail compromise caused losses of more than 3 billion dollars last year.
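The "minimal difference in spelling" is the part of this scheme a mail gateway can catch. The following Python is an added example, not code from Dell SecureWorks or from the original post: it compares each incoming sender against a (constructed) list of known counterparty addresses, folding common digit-for-letter swaps and the "rn" for "m" trick before measuring edit distance, so a near-miss such as `inv0ices@` or a dropped letter is reported as a lookalike rather than treated as the real partner. The counterparty list, the threshold of two edits and the sample addresses are all assumptions.

```python
"""Flag sender addresses that are near-misses of known counterparties.

Added example for the BEC scheme described above; not from the original
post or the Dell SecureWorks research. All addresses here are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed list of addresses this company legitimately corresponds with.
KNOWN_COUNTERPARTIES = [
    "invoices@northwind-supply.example",
    "j.smith@contoso-logistics.example",
]

# Digits commonly substituted for letters to make one address look like another.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(addr: str) -> str:
    """Lower-case, fold confusable digits to letters and collapse 'rn' to 'm'."""
    return addr.lower().translate(CONFUSABLES).replace("rn", "m")


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    status: str                 # "known", "lookalike" or "unknown"
    closest: Optional[str]      # the counterparty it resembles, if any
    distance: Optional[int]     # edit distance after normalisation


def classify_sender(sender: str, known=KNOWN_COUNTERPARTIES, max_distance: int = 2) -> Verdict:
    """Exact (case-insensitive) matches are known; near-misses after
    normalisation are lookalikes; everything else is simply unknown."""
    sender_l = sender.lower()
    for k in known:
        if sender_l == k.lower():
            return Verdict(sender, "known", k, 0)

    norm = normalize(sender_l)
    best, best_d = None, None
    for k in known:
        d = levenshtein(norm, normalize(k))
        if best_d is None or d < best_d:
            best, best_d = k, d
    if best_d is not None and best_d <= max_distance:
        return Verdict(sender, "lookalike", best, best_d)
    return Verdict(sender, "unknown", None, None)


def flag_lookalikes(senders) -> list:
    """Return only the verdicts a mail gateway should hold for review."""
    return [v for v in map(classify_sender, senders) if v.status == "lookalike"]


if __name__ == "__main__":
    # Constructed batch: one genuine partner, three near-misses, one stranger.
    batch = [
        "invoices@northwind-supply.example",
        "inv0ices@northwind-supply.example",
        "invoices@northwind-suply.example",
        "j.srnith@contoso-logistics.example",
        "newsletter@somewhere.example",
    ]
    for v in flag_lookalikes(batch):
        print(f"HOLD {v.sender}: looks like {v.closest} (distance {v.distance})")
```

Running the module prints the three held addresses. A real deployment would feed the counterparty list from the address book of the finance team and combine the verdict with the usual checks on the sending server, but the edit-distance step alone already surfaces the account-name trick the talk describes.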

Theft of cookies due to poorly implemented HTTPS
News Research

The absence of HTTPS leads to the theft of personal data, warn US researchers. On many sites, including, for example, Amazon, eBay and Target, they found an utterly obvious vulnerability: HTTPS is often not fully implemented, or only the login process is protected. That is good, since passing passwords in clear text is not OK at all, but in our hectic times transmitting any private data in clear text is a problem.

With ordinary traffic sniffers, the researchers were able to pick out plenty of private data from unprotected transactions: emails, contacts, fragments of private correspondence and, of course, cookies. The last point is especially sad: stealing a cookie in some cases lets an attacker bypass password authentication, so protecting only the login with HTTPS does not help. And what share of network traffic is encrypted today? The researchers answered that question by running a Tor node and analyzing a month of traffic at the exit point. Only 25% of the data was encrypted; three quarters was transmitted in clear text. The site owners have been notified, and the problem is slowly being solved, thanks to initiatives such as HTTPS Everywhere and HSTS.
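The two server-side fixes the paragraph points at are cheap to check: a session cookie without the `Secure` attribute is sent along with every clear-text request to the site, and without a `Strict-Transport-Security` header the browser keeps making those clear-text requests. The audit below is an added example, not code from the researchers or the original post; the two response header blocks it scans are constructed, not captured from any real site.

```python
"""Audit HTTP response headers for the partial-HTTPS weaknesses described above.

Added example, not from the research or the original post. Both sample
responses are constructed for illustration.
"""
import re


def parse_headers(raw: str) -> list:
    """Split a raw response header block into (lower-cased name, value) pairs.
    Duplicate headers such as repeated Set-Cookie lines are all kept."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:   # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_findings(set_cookie: str) -> list:
    """Report a Set-Cookie value lacking the attributes that keep it off the wire
    in clear text (Secure) or away from page scripts (HttpOnly)."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure, sent with clear-text HTTP requests")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly, readable by page scripts")
    return findings


def hsts_findings(pairs: list) -> list:
    """Report a missing or disabled Strict-Transport-Security header."""
    values = [v for n, v in pairs if n == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: browser will still follow http:// links"]
    m = re.search(r"max-age\s*=\s*(\d+)", values[0], re.IGNORECASE)
    if m is None:
        return ["Strict-Transport-Security without max-age is ignored by browsers"]
    if int(m.group(1)) == 0:
        return ["Strict-Transport-Security max-age=0 switches HSTS off"]
    return []


def audit_response(raw: str) -> list:
    """All findings for one response header block; an empty list means clean."""
    pairs = parse_headers(raw)
    findings = hsts_findings(pairs)
    for name, value in pairs:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
    return findings


# Constructed: a site that protects only the login form, as the researchers describe.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: prefs=dark; Path=/; HttpOnly
"""

# Constructed: the same site after enabling HSTS and marking the cookies.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: prefs=dark; Path=/; Secure; HttpOnly
"""

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw) or ["clean"])
```

The weak block produces four findings (no HSTS, `sessionid` missing both attributes, `prefs` missing `Secure`); the hardened one produces none. The same functions work on headers dumped from a real site by any HTTP client, which is a more useful way to confirm a fix than re-running a sniffer.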

While that problem is being solved, here is something else to think about: users can be deanonymized by their behavior. This recent discussion concerns the possibility of using Cloudflare's captcha to identify Tor users.

Google compares Stagefright with the Apollo 13 mission
News

Last year's Blackhat was marked by research into the serious Stagefright vulnerability in Android. This year Google talked about how that vulnerability changed the company's development methods, comparing the discovery of the hole with the Apollo 13 mission, when the Americans broke everything on the way to the Moon but heroically repaired what they could and returned (for those who do not know).

In one of the few positive talks, Nick Kralevich, head of the Android Platform Security team, said a very important thing. When things break, that is on the whole good, provided the vulnerabilities are fixed on time and the experience is then used to develop more secure software. This is better than the complete absence of vulnerability reports for some piece of software. However, a secure approach has to be implemented not only in development but also in the business model, and that is Android's problem. Still, there is an interesting point: after an independent researcher discovered several hundred applications transmitting data (presumably to their own servers) in plain text, Google implemented a verification system that simply cuts such unsafe applications off until they are re-educated.

New auto-revelations from researchers Chris Valasek and Charlie Miller
News

Last year it was also the number one news item: researchers Miller and Valasek found a way to take control of a car remotely through a vulnerability in its multimedia system. This year the experts shared their new findings, but announced that from now on they will no longer pursue this (have they found everything?). At Blackhat they showed the results of studying the same car (the researchers' own Jeep Cherokee) as last year.

They managed to take over the steering wheel and the parking brake; in the latter case they found a way to lock it permanently, so the car could be released from the parking brake only after reflashing. All thanks to replacing the code of the electronic control unit. To manipulate the wheel while driving, the unit was forced into diagnostic mode, which allowed sharp unauthorized turns. Terrible? Not really. This is an offline attack that requires a connection to the diagnostic port. No Wi-Fi (and that is good). There is a solution: an IDS, or at least code verification. The trouble is that in the automotive industry the production cycle lasts years and decades, so rolling out an update will not be easy. Still, so far so good. Such findings are a wake-up call from a future in which all cars drive on autopilot; a future that will either arrive very suddenly and very soon, or has already come.

In brief:
An interesting experiment was conducted on the campus of the University of Illinois. Researchers scattered almost 300 flash drives around the grounds, each holding several HTML files; if someone opened them in a browser, the fact was recorded in server logs. Very simple, and no malware. 48% of the flash drives were picked up and even examined. On average it took 7 hours from the "loss" to a curious barbarian triggering the trap, and a fifth of the picked-up drives were examined within an hour. In general, the vulnerability was found in about half of the people, and there will be no updates.

An interesting but very secretive presentation of new methods of stealing credit card data, including by intercepting input from a vulnerable PIN pad.

In a keynote at BlackHat, Dan Kaminsky again acknowledged that the Internet is broken and called for working together to improve security. In his opinion, an attempt to build a secure enclave in the middle of the mess (the AOL provider is cited as an example, although nowadays Apple is the more apt one) is doomed to failure. There is no need to treat the security market as a race for leadership. In my opinion, it is still impossible to get rid of the race, but it can be steered in a positive direction.

Kaspersky Lab announced at BlackHat the launch of its own Bug Bounty program. Two days later, Apple announced its program. Theirs is still semi-closed; we finished that stage in the spring of this year. But in any case, this is very good news.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. As luck would have it.

Source: https://habr.com/ru/post/307202/