LIVE FROM BLACKHAT IN LAS VEGAS : the cyber attack surface just keeps growing and growing and growing and …



Eric De Grasse
Chief Technology Officer
Project Counsel Media

[ for our introduction to these two events and first report click here ]


8 August 2019 (Las Vegas, Nevada) – We just wrapped our Black Hat coverage (the event ends today) and I fired off a short report to our cyber security clients, and now I am about to join the team at DEF CON (it opens today) … two back-to-back, exhausting events that allow us to spend 12 days here. But not at the hotel pool until we’re finished. We have 5 folks on the team and we still cannot cover it all.

Some background

I have been doing these events for about 6 years (several years with my partner, Greg Bufithis, but he is now off the conference circuit) and they are always great fun. For Black Hat, what started as a bunch of friends hanging out in a cheap hotel has grown into the largest assembly of computer security talent in the world. The Black Hat conference space spreads out across five hotels, filled with exhibitions, hawkers and hackers, all trying to pull stuff down or push it across.

It’s a brutal conference schedule and one that punishes the unprepared. As I noted in the intro last week, there are actually three overlapping shindigs this week – Bsides LV, Black Hat and DEF CON – and all cater to slightly different groups. The biggest, by attendance, is Black Hat, which has morphed and swollen from its original incarnation to become a five-day training and conference session. While the quality of the talks is usually good, it’s increasingly a vendor show – give it a few more years and Black Hat could end up as RSA. But with hookers.

Black Hat was founded by Jeff Moss – aka Dark Tangent – in part to pay for DEF CON, which is the largest gathering of non-corporate hackers in the world. You won’t see suits at DEF CON; the talks are generally more advanced and edgy, and the space is littered with specialist villages for lockpickers, aviation and car hackers, and social engineering zones.

But just like Black Hat, DEF CON has metastasized and has tens of thousands of visitors and now sprawls over three different hotels, leading some to say it’s just become too big.

Both the main conferences are brilliant. Between these two events you capture the entire gamut of hacker culture. This is where we build on our existing cyber/security/intelligence community networking contacts who we call upon all year to assist in our blog posts, but more importantly for the cyber work we do for clients. We have a penetration testing company, used for testing computer systems, networks and web applications to find security vulnerabilities that an attacker could exploit. If you were at the Legaltech trade show in New York earlier this year, some of you met with our cyber team to show you how easy it is to hack e-discovery document review facilities … and to show you how we can track people via the oh-so-vulnerable Hilton Hotel wi-fi system.

What we learned at Black Hat

Our cyber security clients have received daily updates and this weekend will receive a more detailed report. But for the nonpaying members of our audience, a few items of interest:

Ransomware

Ransomware infections may be down (widely reported here and across cyber security media) but only because attackers are getting better at choosing their targets. Malwarebytes (a big vendor in this area) circulated a report that shows while instances of consumer ransomware infections are down 25 per cent over the last year, attacks on businesses are skyrocketing, up a whopping 235 per cent over the same period. This is not, however, because criminals are losing interest in using ransomware. Rather, they are getting a much better return from fewer attempts on higher-value targets: namely, enterprises.

Rather than simply trying to spray out as many spam messages or fake ads as possible in an attempt to get users to download their ransomware and generate a quick payout, criminals have found there is more money in targeting specific companies and trying to conceal their nefarious activities until they can lock up the most valuable data with the best chance of a payout. And as Heimdal Security showed us, recent attacks on governments and large enterprises have shown just how efficient and lucrative this strategy can be as a single organization will shell out tens of thousands just to get back data from a single ransomware outbreak.

How powerful are Russian hackers?

Well, will wonders never cease. The introduction of Russia’s Sovereign Internet rules is having an impact on the way criminal hackers around the world do business. This is according to security house IntSights, which says that the law, set to become official in a few months, will force many hacking groups to change the way they operate both in Russia and in other countries. The rule would lead to Russia developing its own standalone network that could be cut off from all connections outside of the country if need be and continue to function.

It creates this infrastructure that kind of isolates Russia a little bit. A lot of outsiders feel threatened because they feel they may not have access to the Russian internet, but really Russia’s intention is to become sovereign over their own infrastructure so if there is an attack to cut them off, they can go on with business as usual. While the Russian government is notorious for turning a blind eye to criminal hackers (and in some cases even enlisting them for official activities), the new law will still have a major impact on how cybercrime is conducted both within and outside the country.

In particular, hackers operating within Russia will have to make sure that the services they use to conduct attacks, such as VPNs, are either Russian or operate in compliance with the strict sovereign internet requirements that have already led many VPN providers to pull out of the country. Although Russia is hardly known for cracking down on crime, this is really going to create a new culture for darkweb usage.

The big take-away? While Russia is tightening its grip on the internet and becoming more insular, it also gives its domestic hackers more motivation to launch attacks outside their borders. The sovereign internet will make it much easier for Russian law enforcement to crack down on hackers that target Russian entities. But the government will still likely turn a blind eye to threat actors that target foreign entities – particularly those operating in enemy states, like the United States.

In other words, as hacking within Russia becomes more difficult and dangerous, expect to see Russian hacking groups focus even more of their attention on western countries, where the attacks will not draw a police response. This is particularly bad news given the technological advantage many Russian hacking crews enjoy. The IntSights team noted that many of the major attacks and exploits to arise in recent months, such as the Windows RDP BlueKeep flaw, were weaponized in Russia long before hackers in other countries were able to get working attack code launched in the wild.

WTF is Boeing on?

I lost track of how many sessions we attended where we learned how to hack some device. DEFCON will be wall-to-wall with these sessions. And not just presentations. There will be hands-on “come, sit down, use our equipment and we’ll show you how to do it”.

But the big standing-room-only session at Black Hat had to be the presentation on how to potentially hijack a 787 by exploiting bugs found in internal code left lying around on a public-facing server. And, of course, Boeing immediately slammed it and said it was “irresponsible and misleading”.

But the presenter, Ruben Santamarta, who is the principal security consultant at pen-testing biz IOActive and who I have written about before, and who is held in very high regard by the hacker community, was the star.

Lots to digest so let me bullet-point the key things I explained in my more detailed briefing note to clients:

  • It is important to note that there are essentially three electronic networks on a 787: the first is home to non-critical stuff like the in-flight entertainment system; the second is used by slightly more important applications reserved for crew and maintenance teams; and the third is used by the vital avionics gear that controls the airplane’s flight and reads its sensors.
  • The software Santamarta probed – a crew information service – lives on the second network. He suggested it may be possible to exploit holes in, say, the in-flight entertainment system on the first network to access the adjoining second network where one could abuse the flaws he found in the crew information software to then reach into the adjoining third network. Once there, one could tap into the avionics equipment to hijack the 787, in theory.
  • Boeing, however, insists the software on the second network cannot be exploited as IOActive described, nor can a miscreant direct the avionics from other networks, due to restrictions in place, such as hardware filters that only allow data to flow between networks rather than instructions or commands. One quietly hopes the avionics can’t be taken over by malformed data that triggers vulnerabilities within the flight control systems on the third network.
  • During his talk, Santamarta acknowledged he had no way of proving he could actually commandeer the flight control systems via the holes he found in the crew-facing software. For one thing, he couldn’t persuade Boeing to let him loose on a real passenger jet: “We have confirmed the vulnerabilities, but not that they are exploitable, so we are presenting why we think they are. We have got very limited data, so it’s impossible to say if the mitigation factors Boeing say they have work. We offer them our assistance.”
  • Boeing’s engineers claimed “we knew of IOActive’s investigation into the leaked code and we fixed it” – without providing any evidence how.
  • Ah, yes. It’s all very vague because no one really wants to spill too many beans about the cyber-security of a passenger jet. And Boeing is really quite cross about the whole thing.

FBI, NSA to hackers: “Let us be blunt. Weed need your help”.

This has been all over the press but just a few points. America’s crime-fighters, desperate to recruit white-hat hackers to collar spies and cyber-crooks, are quietly and slightly relaxing the ban on hiring anyone who has used illegal drugs. Generally speaking, dabbling in any kind of substance abuse will rule you out of the running for a job at the NSA, Homeland Security, the FBI, and so forth. It should, therefore, be no surprise that the Feds have been unable to recruit talented hacker folks due to their past experimentation with chemicals.

What with marijuana now legal in various US states, including California, and it being 2019 and all, and the recruitment of infosec bods is still somewhat of a struggle, it appears Uncle Sam is easing up. So, if you haven’t done anything bonkers, like injected mephedrone into your eyeballs over breakfast (it’s on the breakfast menu at my hotel), kept it to a few tokes of Mary Jane, and if you can pass, and continue to pass, a drug test, and you have the infosec skillz needed, Uncle Sam wants you… to apply, at least. As one NSA recruiter here said: “Look, I used to smoke weed in high school. Now, so long as you can pass a drug test and don’t do them any more, then it won’t hurt your application.”

While certain US states have approved the use of the devil’s lettuce, under federal law, it’s still rather illegal, and the Feds want to make sure none of their agents are on the wacky baccy. Nevertheless, even the FBI has relaxed its stance somewhat.

Wi-Fi-spying gizmos may lurk in future parcels

Oh, those crazy kids. This is a bit of a follow-up to my client briefing note on “wardriving” – when you cruise a neighborhood scouting for Wi-Fi networks. Well, why not just try using the postal service instead? But you’ll need a new name. Let’s call it “warshipping”.

It works like this: the IBM cyber security team built a low-power gizmo consisting of a $100 single-board computer with built-in 3G and Wi-Fi connectivity and GPS. It’s smaller than the palm of your hand, and can be hidden in a package sent out for delivery to a target’s business or home. Once it arrives, it can be activated remotely over the internet, or when it detects it is near its destination using GPS. It can be instructed to scan for vulnerable networks to infiltrate or spoof nearby legit wireless networks to harvest pass phrases from those connecting, or get up to other mischief over the air.

NOTE TO OUR WASHINGTON, D.C. READERS: yes, you remember. The same method was used by Chinese hackers about two years ago on K Street, where you have a string of businesses … Starbucks, FedEx Office, McCormick & Schmicks … all using AT&T wi-fi services that the Chinese were able to spoof.

Any obtained information can be relayed back to base, over the internet, and it can be commanded to drill further into any networks it is able to break into, installing spyware as it goes. This widget is potentially potent as it passes through a business on its way to someone’s desk. Think of the volume of boxes moving through a corporate mailroom daily. Or consider the packages dropped off on the porch of a CEO’s home, sitting within range of their home Wi-Fi. Using warshipping, the IBM team was able to infiltrate corporate networks undetected. Quoting Charles Henderson, head of the IBM team:

With our warship device, we could also launch other active wireless attacks, such as a deauthentication attack or “evil twin” Wi-Fi attack. By launching an evil twin Wi-Fi network, we could then set up a rogue Wi-Fi network with the warship device and coax our target to join our new decoy network. Our target would then divulge their true credentials (including username and password). This would provide us with further access that could be used for follow-up attacks against the enterprise wireless network.

Once we broke in via the Wi-Fi access, we could then seek to pivot by exploiting existing vulnerabilities to compromise a system, like an employee’s device, and establish a persistent foothold in the network. With this ability to get back into a compromised network, attackers can move through it, steal sensitive employee data, exfiltrate corporate data or harvest user credentials.

Bottom line: in this warshipping project, they were able to establish a persistent network connection and gain full access to the target’s systems. This warshipping has a number of advantages for hackers. For one thing, there’s no need to suspiciously cruise a location; just send a box anonymously instead and control it from the comfort of your own home (or Starbucks) via Tor.

And an important point. So far, this gadget is only at the proof-of-concept stage, though in the future IBM predicts it could become popular with crafty snoops. We can well assume Big Blue is not the first to come up with this sort of idea: a cheap rooted Android phone could work just as well as the above described single-board computer – if not better because a smartphone is unlikely to raise many suspicions. In fact, I hear tell we’ll see some stuff at DEFCON. In any event, IBM recommends banning employees from shipping personal packages to their offices, thus easily allowing all parcels to be intercepted, and checking deliveries with a suitable radio frequency scanner.


Spoofing websites

I’ll wrap this up with a few notes on a new investigation that has detected more than 540 domain names linked to the Walmart brand and camouflaged as career, dating, and entertainment websites.

The initial intent of this investigation was to analyze spoofing campaigns targeting Fortune 500 companies, but researchers’ findings took them down an unexpected path. Generally with phishing domains, they see things escalate between 24 and 48 hours. Within two days of their analysis, researchers saw more of these suspicious websites being blacklisted.

Of the domains found so far, many appear to target job hunters and people using online dating and entertainment websites. It seems the attackers’ intent is to exploit this interest by creating fake sites designed to capture users’ credentials, walking visitors step by step through a login page under the pretext of verifying that they are who they claim to be, while scraping the login data as it is entered. As of now, it seems the actor or group behind this campaign is solely after credentials.

While spoofing is not a new threat, the attackers’ ability to mimic the look and feel of target websites signifies there are groups with both the resources and sophistication to launch a large campaign – and we are seeing that across the cyber attack surface. And there is a problem – security pros are likely to check the domain of a suspicious page. Consumers may not.
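Checking the domain is exactly what the researchers above did at scale. As an added example (not code from the post or from the researchers it describes), here is a small defender-side triage that flags hostnames impersonating a brand such as Walmart: brand string inside a registrable domain the brand does not own, digit-for-letter and hyphen tricks, and the brand paired with a career/dating lure keyword. The legitimate-domain set and the sample hostnames are constructed for the example.

```python
"""Flag brand-lookalike hostnames from a domain feed (added example)."""
import re
from typing import Dict, Iterable, List, Set

BRAND = "walmart"
# Registrable domains the brand actually owns: an assumption for the example.
LEGIT: Set[str] = {"walmart.com", "walmart.ca"}

# Digit-for-letter substitutions commonly seen in lookalike registrations.
_SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})
_LURE = re.compile(rf"{BRAND}-?(careers?|jobs?|dating|hr|login|account)")


def registrable(host: str) -> str:
    """Naive eTLD+1: last two labels (ignores multi-label public suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize(text: str) -> str:
    """Undo digit substitutions and drop separators so 'wa1-mart' reads 'walmart'."""
    return text.translate(_SUBS).replace("-", "").replace("_", "")


def lookalike_reasons(host: str) -> List[str]:
    """Return the impersonation indicators found in host (empty list = not flagged)."""
    host = host.lower()
    if registrable(host) in LEGIT:
        return []  # the brand's own domain, or a subdomain of it
    reasons: List[str] = []
    if BRAND in host:
        reasons.append("brand string in non-brand domain")
    elif BRAND in normalize(host.replace(".", "")):
        reasons.append("brand after digit/hyphen normalization")
    if _LURE.search(host):
        reasons.append("brand paired with lure keyword")
    return reasons


def triage(hosts: Iterable[str]) -> Dict[str, List[str]]:
    """Map each flagged hostname to its reasons; clean hosts are omitted."""
    result = {}
    for h in hosts:
        reasons = lookalike_reasons(h)
        if reasons:
            result[h] = reasons
    return result


# Constructed sample feed: two legitimate names, three lookalikes, one unrelated.
SAMPLE = [
    "careers.walmart.com", "walmart.ca", "walmart-careers.example",
    "wa1mart-dating.example", "walmart.com.example", "example.com",
]

if __name__ == "__main__":
    for host, why in triage(SAMPLE).items():
        print(f"{host}: {', '.join(why)}")
```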

And now, with so many open source tools available to help with network security, it can be tricky to figure out where to start, especially if you are an IT generalist who has been tasked with security.

It wasn’t just Walmart. At a session we did not have time to attend, one group talked about Amazon – how they monitor Amazon in the days before and after Prime Day to watch for suspicious activity and found 4,000+ attacks using spoofing techniques and phishing scam techniques.

Now … lunch and then on to DEFCON.
