
Black Hat 2017: 5 takeaways for security teams

Black Hat has wrapped up in Las Vegas. Once again, the security conference, now in its 20th year, attracted a big crowd. An estimated 16,000 security and information technology experts showed up for the event and for six days were blitzed with training sessions, briefings, speeches, and workshops.

With all that activity, it can be hard to pick up the signal from the noise, so here are some important takeaways from this year's gathering.


Get back to basics

In his keynote at the conference, Facebook's chief security officer, Alex Stamos, called on security practitioners to focus on the people they're supposed to be protecting, not on the exotica of cybersecurity.

Stamos pointed out that, while zero-day vulnerabilities fascinate security researchers, attacks that use them rarely reach mainstream users. Meanwhile, mundane problems such as password reuse, phishing, and spam have a far greater impact on people's lives but are dismissed as uninteresting.

Those attitudes could be seen on the conference floor, noted Chris Drake, founder and CEO of Armor. "All the vendors that are here and all the conversations that are taking place are focused on extreme security rather than norms," he said.

"I've seen a ton of cool technology with whiz-bang capabilities, but most companies are struggling with simple good hygiene. The industry has done a good job developing stuff, but it's way ahead of many organizations' ability to execute."
Chris Drake

Stamos called for a renewed focus on defense. "We have to focus on defense—and broaden our scope of what we consider our responsibility," he said.

Dino A. Dai Zovi, CTO of Capsule8, agreed with Stamos. "We're seeing a lot of work across the industry that isn't solving the problems we're having," he explained. "We're concentrating on attacks that are exceedingly rare at the expense of building practical solutions that address common problems."

In his own presentation at the conference, Dai Zovi singled out container security as a major issue: many organizations run container orchestration systems without the security features those systems ship with ever being enabled. "Vulnerabilities aren't needed to compromise those systems because basic functions like authentication, authorization, and separation of control plane from data plane are not enabled in the open-source versions of these systems."
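To make that point concrete, here is an added example (mine, not Dai Zovi's or the article's) that audits an orchestrator's process command line for exactly the kind of disabled security features he describes. It assumes Kubernetes, which the article does not name, and uses the kube-apiserver and kubelet flags together with their documented defaults as of 2017; the sample command lines are constructed, not captured from a real cluster.

```python
import shlex

# One rule per flag: (flag, value assumed when the flag is absent, predicate that
# marks a value weak, hardened value, why it matters).  The defaults are those
# documented for Kubernetes releases of the period (2017); check them against the
# version you actually run, since several have since changed or been removed.
RULES = {
    "kube-apiserver": [
        ("--anonymous-auth", "true", lambda v: v == "true", "false",
         "unauthenticated requests are accepted as system:anonymous"),
        ("--authorization-mode", "AlwaysAllow",
         lambda v: "AlwaysAllow" in v.split(","), "Node,RBAC",
         "every request that passes authentication is authorized"),
        ("--insecure-port", "8080", lambda v: v != "0", "0",
         "plaintext API port with no authentication or authorization at all"),
    ],
    "kubelet": [
        ("--anonymous-auth", "true", lambda v: v == "true", "false",
         "unauthenticated callers reach the kubelet API on 10250 as system:anonymous"),
        ("--authorization-mode", "AlwaysAllow", lambda v: v == "AlwaysAllow", "Webhook",
         "kubelet never asks the API server whether the caller is allowed"),
        ("--read-only-port", "10255", lambda v: v != "0", "0",
         "unauthenticated read-only API leaks pod specs and node details"),
    ],
}


def parse_flags(cmdline):
    """Turn 'prog --a=1 --b 2 --c' into ('prog', {'--a': '1', '--b': '2', '--c': 'true'})."""
    argv = shlex.split(cmdline)
    prog = argv[0].rsplit("/", 1)[-1]
    flags = {}
    i = 1
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            i += 1
            continue
        if "=" in tok:
            name, value = tok.split("=", 1)
        elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
            name, value = tok, argv[i + 1]   # '--flag value' form
            i += 1
        else:
            name, value = tok, "true"        # bare boolean flag
        flags[name] = value
        i += 1
    return prog, flags


def audit(cmdline):
    """Return one finding per security feature left off, whether by an explicit
    weak value or by silently inheriting the weak default."""
    prog, flags = parse_flags(cmdline)
    findings = []
    for flag, default, is_weak, fix, why in RULES.get(prog, []):
        value = flags.get(flag, default)
        if is_weak(value):
            origin = "explicit" if flag in flags else "default"
            findings.append(f"{prog} {flag}={value} ({origin}): {why}; set {flag}={fix}")
    return findings


# Constructed sample process command lines (not taken from any real system).
SAMPLES = {
    "weak-apiserver": "/usr/local/bin/kube-apiserver --etcd-servers=http://127.0.0.1:2379 "
                      "--service-cluster-ip-range=10.0.0.0/16",
    "hardened-apiserver": "kube-apiserver --anonymous-auth=false --authorization-mode=Node,RBAC "
                          "--insecure-port=0 --etcd-servers=https://10.0.0.5:2379",
    "weak-kubelet": "kubelet --kubeconfig /var/lib/kubelet/kubeconfig --authorization-mode AlwaysAllow",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name)
        for finding in audit(cmd) or ["no findings"]:
            print("  ", finding)
```

The weak API server sample sets no security flags at all, and that is the point: it produces three findings purely from defaults, which is how a cluster ends up exposed without anyone having configured anything wrong.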


3G, 4G tracking hack is real

It has long been assumed that, unlike 2G, 3G and 4G LTE networks cannot be abused to track phones. Two researchers demonstrated at the conference that this is a myth.

Ravishankar Borgaonkar and Lucca Hirschi showed how a flaw in the cryptographic protocol used by 3G and 4G networks can be leveraged to track a person's location through a cellphone. The weakness lies in the authentication and key agreement (AKA) procedure that subscribers use to authenticate to their networks.

The agreement relies on a sequence counter that the operator maintains for each subscriber, with a matching copy held on the subscriber's SIM. That counter is not well protected: when a stale challenge is presented to a phone, its response leaks information about the counter's value. An adversary can use that information to monitor activity patterns, such as when calls are made or text messages sent, and to establish whether a particular phone is present within range of the attacker's equipment, and so to establish its location.
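The leak is easier to see with the protocol written out. The following added example (not the researchers' code) simulates the 3GPP AKA exchange with the Milenage functions f1, f1*, f5 and f5* replaced by HMAC-SHA256 stand-ins, and with the sequence number simplified to a plain 48-bit counter. The attacker replays one captured challenge: only the target SIM answers with a synchronisation failure (a presence test), and because the concealment key AK* is derived from the fixed RAND, XOR-ing two resynchronisation tokens cancels it and exposes how the counter moved between the two replays, that is, whether the phone authenticated in the meantime.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"          # Authentication Management Field carried in AUTN
AMF_RESYNC = b"\x00\x00"   # TS 33.102: MAC-S is computed over an all-zero AMF
DELTA = 1 << 28            # how far ahead of SQN_MS a challenge may legitimately be


def prf(key, label, data, nbytes):
    """Stand-in for the Milenage functions (assumption: HMAC-SHA256, truncated).
    The leak comes from the protocol structure, not from the choice of PRF."""
    return hmac.new(key, label + data, hashlib.sha256).digest()[:nbytes]


def f1(k, rand, sqn, amf):        # MAC-A: authenticates the network to the SIM
    return prf(k, b"f1", rand + sqn + amf, 8)


def f1_star(k, rand, sqn, amf):   # MAC-S: authenticates the resynchronisation token
    return prf(k, b"f1*", rand + sqn + amf, 8)


def f5(k, rand):                  # AK: conceals SQN inside AUTN
    return prf(k, b"f5", rand, 6)


def f5_star(k, rand):             # AK*: conceals SQN_MS inside AUTS
    return prf(k, b"f5*", rand, 6)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """Operator side (HSS/AuC): holds K and the per-subscriber counter SQN."""

    def __init__(self, k):
        self.k, self.sqn = k, 16

    def challenge(self):
        self.sqn += 1                          # one fresh SQN per authentication
        sqn, rand = self.sqn.to_bytes(6, "big"), os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, rand, sqn, AMF)
        return rand, autn


class USIM:
    """SIM side: holds the same K and its own copy of the counter, SQN_MS."""

    def __init__(self, k):
        self.k, self.sqn_ms = k, 0

    def authenticate(self, rand, autn):
        conc, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(conc, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, rand, sqn, amf)):
            return "MAC_FAILURE", None         # challenge was not made with my K
        n = int.from_bytes(sqn, "big")
        if not self.sqn_ms < n <= self.sqn_ms + DELTA:
            # Replayed or stale challenge: answer with the resynchronisation token
            # AUTS = (SQN_MS xor AK*) || MAC-S, where AK* depends only on K and RAND.
            sqn_ms = self.sqn_ms.to_bytes(6, "big")
            auts = xor(sqn_ms, f5_star(self.k, rand)) + f1_star(self.k, rand, sqn_ms, AMF_RESYNC)
            return "SYNC_FAILURE", auts
        self.sqn_ms = n
        return "OK", None                      # RES, CK and IK would be derived here


def simulate(activity):
    """Attacker captures one challenge and replays it twice; `activity` is the number
    of genuine authentications (calls, texts) the target performs in between."""
    k_target, k_other = os.urandom(16), os.urandom(16)
    network, target, bystander = HomeNetwork(k_target), USIM(k_target), USIM(k_other)

    rand, autn = network.challenge()           # sniffed from a genuine attach
    target.authenticate(rand, autn)

    status_target, auts1 = target.authenticate(rand, autn)    # replay: presence test
    status_other, _ = bystander.authenticate(rand, autn)      # any other SIM fails the MAC

    for _ in range(activity):                  # each call or text is a fresh AKA run
        target.authenticate(*network.challenge())

    _, auts2 = target.authenticate(rand, autn)                # replay again later
    leak = int.from_bytes(xor(auts1[:6], auts2[:6]), "big")    # = SQN_MS(t1) xor SQN_MS(t2)
    return status_target, status_other, leak


if __name__ == "__main__":
    print(simulate(3))   # ('SYNC_FAILURE', 'MAC_FAILURE', 5)
```

A non-zero XOR tells the attacker the phone authenticated between the two replays; a zero means it was idle. The real attack does more work to turn the XOR into a count, but the presence test and the activity signal above are already enough for the tracking described.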

What's concerning about the discovery is that it could lead to a new wave of cell site simulators, also known as stingrays, which have been used in the past by law enforcement agencies to carry out cellular surveillance, sometimes without warrants.

More cracks in two-factor authentication

Many websites these days use two-factor authentication (2FA) to protect their users' accounts from compromise. Typically, when you log into a site with 2FA, a six-digit code is sent to your cellphone (or generated by an app on it) and you enter it into a form at the site. The system is considered more secure than a username and password alone because it requires not only something you know, your username and password, but also something you have, your cellphone. Black Hat attendees, though, learned that 2FA is not as safe as it's cracked up to be.

"Multifactor authentication protects against an attacker who has access to compromised credentials from using those credentials, but if you phish a victim, you can man-in-the-middle that authentication process," said Seth Art, principal security consultant at OpenSky.

Art, whose company conducted a session on the subject, explained that a person can be lured to a web page that looks like it belongs to a legitimate organization, the user's bank, for example. When the target enters a username and password into the bogus login page, the adversary behind it immediately submits those credentials to the genuine site, which responds by sending a 2FA code to the user's phone. The bogus page then prompts for that code; the user types it in, and the attacker relays it to the legitimate site and completes the login, ending up with a valid session. Because everything is forwarded in real time, the code is consumed well within its validity window.

"A lot of people have a false sense of security that multifactor authentication is a protection against phishing attacks, but it's not."
Seth Art
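Here is that relay written out as an added example (not OpenSky's material): a lookalike page that forwards the victim's password, and then the one-time code, to the real site in real time. It uses RFC 6238 TOTP codes at a fixed timestamp so the run is repeatable; the site, the phishing origin, the credentials and the device key are all constructed. It also goes one step beyond the talk as reported: alongside the relayable code it shows a second factor whose signature covers the origin the browser is actually talking to (as FIDO authenticators do), which the same proxy cannot relay.

```python
import hashlib
import hmac
import struct


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for an explicit timestamp, so runs are repeatable."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def origin_bound_sign(key, challenge, origin):
    """Stand-in for a FIDO-style authenticator (assumption: HMAC instead of a
    public-key signature): the signature covers the origin the browser reports."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).hexdigest()


class BankSite:
    ORIGIN = "https://bank.example"            # constructed

    def __init__(self, users):
        self.users = users                     # user -> {"password", "totp_secret", "key"}
        self.pending = {}                      # login transaction -> (user, challenge)
        self.sessions = set()
        self.counter = 0

    def login(self, user, password):
        if self.users.get(user, {}).get("password") != password:
            return None
        self.counter += 1
        txn, challenge = f"txn{self.counter}", f"nonce{self.counter}".encode()
        self.pending[txn] = (user, challenge)
        return txn, challenge                  # the real site would now text the code

    def verify_otp(self, txn, code, now):
        user, _ = self.pending.pop(txn, (None, None))
        if user and hmac.compare_digest(code, totp(self.users[user]["totp_secret"], now)):
            return self._grant(user, txn)
        return None

    def verify_assertion(self, txn, signature):
        user, challenge = self.pending.pop(txn, (None, None))
        expected = origin_bound_sign(self.users[user]["key"], challenge, self.ORIGIN) if user else ""
        if user and hmac.compare_digest(signature, expected):
            return self._grant(user, txn)
        return None

    def _grant(self, user, txn):
        token = f"session:{user}:{txn}"
        self.sessions.add(token)
        return token


class PhishingProxy:
    """Lookalike page on a hypothetical attacker origin that forwards everything
    to the bank as it arrives.  The attacker, not the victim, ends up with the session."""
    ORIGIN = "https://bank-example.net"        # constructed lookalike

    def __init__(self, bank):
        self.bank, self.txn, self.challenge = bank, None, None

    def login(self, user, password):
        result = self.bank.login(user, password)   # this is what makes the bank text the victim
        if result is None:
            return None
        self.txn, self.challenge = result
        return "phish-txn", self.challenge

    def verify_otp(self, txn, code, now):
        return self.bank.verify_otp(self.txn, code, now)

    def verify_assertion(self, txn, signature):
        return self.bank.verify_assertion(self.txn, signature)


def victim_logs_in(page, user, creds, now, factor):
    """The victim behaves identically whichever page they landed on: they type
    their password, then supply whatever second factor the page asks for."""
    result = page.login(user, creds["password"])
    if result is None:
        return None
    txn, challenge = result
    if factor == "otp":
        return page.verify_otp(txn, totp(creds["totp_secret"], now), now)
    # Origin-bound factor: the browser gives the authenticator the origin of the
    # page it is on, which on the phishing page is the attacker's domain.
    return page.verify_assertion(txn, origin_bound_sign(creds["key"], challenge, page.ORIGIN))


def run(factor):
    """Return (login via the real site succeeded, login via the phishing proxy succeeded)."""
    creds = {"password": "hunter2", "totp_secret": b"12345678901234567890", "key": b"device-key"}
    bank = BankSite({"alice": creds})
    proxy = PhishingProxy(bank)
    direct = victim_logs_in(bank, "alice", creds, now=1_500_000_000, factor=factor)
    phished = victim_logs_in(proxy, "alice", creds, now=1_500_000_000, factor=factor)
    return direct is not None, phished is not None
```

With the one-time code, the proxied login succeeds just like the direct one, which is Art's point. With the origin-bound factor the direct login still works but the proxied one fails, because the signature the victim's browser produced names the phishing origin and the bank checks it against its own.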

Soft targets: Taking over a wind farm

For years, security experts have been sounding alarms about the nation's infrastructure being a soft target for hackers. Researchers at Black Hat did nothing to disabuse attendees of that notion.

Jason Staggs, a researcher affiliated with the University of Tulsa, demonstrated how hackers could infect a single wind turbine with malware and spread it through an entire wind farm. He showed how his malware could turn a turbine on or off or put it in an idle state.

Staggs also discovered that physical security around wind farms is weak. Often, the only thing between an attacker and the farm is a padlock. "There are also many vulnerabilities in the networks controlling these wind farms," noted Phil Neray, vice president for industrial cybersecurity at CyberX.

Those vulnerabilities include weak authentication, poor passwords, and lack of network segmentation. "They can also insert a device in the middle of those networks and change the rate at which the turbines were spinning, which is exactly what happened in the Stuxnet attack," Neray said.

The researchers also placed software on the network that concealed from the operators' control panels that anything was amiss with the turbines.

Attack of the Internet of Things

Previous high-visibility stories about the Internet of Things (IoT) have mostly involved devices being conscripted into cyberattacks. At Black Hat, researchers showed how compromised devices can cause physical harm to people.

For example, two researchers demonstrated how a car wash could be hacked and its machinery used to strike people inside the facility. Another talk showed how to take control of an industrial robot and make it injure people.

"The cyber domain and the physical domain are intersecting in a way that we've never seen before. Cyberattacks that would previously have resulted in lost data now could jeopardize human safety."
Phil Neray
