Big Black Hat 2016 Story Round-up

The hacks and vulnerabilities out of Black Hat USA are interesting every year. Last year much of the focus was on flaws within cars, mobile devices, and IoT. There was a lot of focus on those areas this year, too. And I expect much of the attention paid to vulnerabilities to continue to be on the extended Internet and IoT for years to come.

With that in mind, here are the main headlines at Black Hat USA this year:

Man-in-the-middle flaws with point of sale systems

Two researchers from point-of-sale manufacturer NCR demonstrated at the BSides conference, also last week in Las Vegas, how man-in-the middle attacks can be used to snag credit card information during transactions – even when card readers with PIN pads are used to protect the data. Both Nir Valtman and Patrick Watson demonstrated how a Raspberry Pi and software can be used to grab network traffic to pilfer the payment traffic. Because these systems don’t encrypt the data being transferred from the reader to the point of sale system, it’s easier to capture the payment information as it travels, when devices capture the traffic as it’s being transmitted, or malicious software is on the point-of-sale device itself.

More information on this demonstration can be found here, here, and here.

Apple bites into a bug bounty program of its own

Over the past few years so-called “bug bounty” programs have moved from niche to mainstream. And if anyone doubted, they can’t doubt any more. At Black Hat USA, Apple announced that it will begin offering a bug bounty program of its own.

In these programs, businesses and other organizations have processes in place to offer compensation for the discovery and reporting of “bugs” in apps and websites that could make the software exploitable to attack. These programs encourage security researchers to find and report vulnerabilities before these same vulnerabilities can be found and taken advantage of by criminals.

Ivan Krstic, Apple’s lead of security engineering and architecture, announced at the conference that Apple will offer bounties reaching $200,000 to those who discover software flaws in Apple products. Currently, the bug bounty program is by invitation. Apple will slowly expand the program, which launches next month.

There are more stories on the Apple bug bounty program here, here, and here.

New Jeep hacks

As posted last year on Wired’s story, Hackers Remotely Kill a Jeep on the Highway—With Me in It, Greenberg traveled to St. Louis to, as he put it, be Charlie Miller and and Chris Valasek’s “crash-test dummy” to see what research the pair had been up to on car hacking research. Greenberg wasn’t disappointed. In the Jeep Cherokee they used as the test system, the researchers managed to take over the client control system, change the radio station, flip on the windshield wipers, and eventually, for the main event, paralyze the car on stage.

 

The pair was up to it again this year, but this time, fortunately, the hack required phsycal access to the car – so not as scary as the remote hack demonstrated last year. As Jordan Golson of The Verge put it in his story Jeep hackers at it again, this time taking control of steering and braking systems.

Sneaky USB shenanigans

If you see a USB drive laying on the street, you might be better off just to walk on by. And if you have to pick it up make sure it’ ends up in the trash compactor. No matter how curious you may be it’s just not worth the risk. This was my takeaway reading stories flowing from the Black Hat USA 2016 security conference about a presentation by Elie Bursztien, from Google’s anti-abuse research team.

According to this story, Spreading Malware through Dropped USB Sticks Could Be Highly Effective, Research Finds, Bursztien was curious how effective scattered USB sticks would be as a delivery vector for malware. So he dropped 297 USB sticks on a university campus.

What the research found (you can see the slides here) should concern any CIO or CISO: almost every USB stick was picked up and a startling 45% of those who retrieved them clicked on files with the stick.

Bursztien explains in this blog post that there are three types of attacks with USB sticks. One type of attack is to employ HTML files to phish the user for login credentials when they click on a file. Another is to use Human Interface spoofing (HID), “HID spoofing keys use specialized hardware to fool a computer into believing that the USB key is a keyboard. This fake keyboard injects keystrokes as soon as the device is plugged into the computer. The keystrokes are a set of commands that compromise the victim’s computer,” Bursztien wrote.

Another is custom hardware that exploits flaws in USB driver software as a way to hijack direct control of a computer as soon as the USB stick is plugged in. 

Handful of web protocol vulnerabilities disclosed

If you thought key web vulnerabilities and protocols couldn’t get any more secure you were proven wrong last week when researchers displayed important web protocol flaws in HTTP/2 and new compression attacks successful against data encrypted with HTTPS. The researchers, from the university of Leuven in Belgium named their attack HTTP Encrypted Information can be Stolen through TCP-windows, or HEIST.

According to this InformationWeek story the team took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The security researchers discovered exploitable vulnerabilities in all major HTTP/2 mechanisms that it reviewed.