The annual Black Hat and Def Con security conferences in Las Vegas have wrapped up after more presentations of interest to CISOs. Following our earlier roundup of a few of them, here are more highlights:
Nick Kralevich, head of Android platform security at Google, talked about the company’s efforts to make Android more secure. “My job is to reduce the attack surface to the point even if there are bugs, those bugs don’t mean anything,” he was quoted by ThreatPost as saying.
That includes making sure an application can only do what it is intended to do, minimizing the surface that is exposed, containing processes within Android and following the principle of least privilege.
For a long time Google focused on exploit mitigations such as -fstack-protector and ASLR, says the report, and on preventing format string vulnerabilities. But the publication of Stephen Smalley’s “The Case for Security Enhanced Android”, which pointed out that several components of Android were vulnerable to nearly a half dozen rooting exploits, changed the company’s strategy. Kralevich said it made him realize the focus needed to be on reducing the Android attack surface and not on exploit mitigation.
Today, he said, every Android process runs in a sandbox that has minimum privileges.
He said the upcoming version of the OS, so far dubbed Android O, takes containment a step further by separating the hardware-specific drivers and firmware used by companies such as Samsung or Qualcomm from the Android operating system. That will improve Google’s ability to roll out OS patches without having to wait for things such as chipset compatibility.
You may recall the spread last month of the WannaCry ransomware worm, which included code that scans networks for systems with Microsoft Server Message Block (SMB) v1 for file sharing open on port 445. Although that vulnerability — discovered by the U.S. National Security Agency and leaked by the Shadow Brokers — had been patched in May by Microsoft, companies that hadn’t installed the patch were vulnerable.
At the Def Con conference security vendor RiskSense demonstrated another SMB vulnerability it dubs SMBloris, which uses the bug to launch distributed denial of service (DDoS) attacks. A researcher told ThreatPost the vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000.
The researcher says a single board computer based on the Raspberry Pi platform and some Python code could take down the biggest Web servers. In theory that means there’s no need for a distributed attack with a botnet. However, Microsoft has told RiskSense it won’t issue a patch. “The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”
The RiskSense researcher admits it would be hard to patch, and suggests a mitigation can be applied through inline devices including firewalls by limiting the number of active connections from a single IP address to SMB ports.
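The per-source connection limit RiskSense suggests is a firewall-side control. The following added example, which is not from the conference presentations or from RiskSense, shows the same idea as detection logic run over connection-table output such as `ss -tn`, so a defender can see which remote sources would trip such a limit before or after a rule is in place. The line format, the port set (445 and 139), the inclusion of half-open SYN-RECV connections and the threshold of 20 are assumptions; the sample lines are constructed.

```python
"""Flag remote IPs holding too many concurrent connections to SMB ports.

Added example (not from the conference reports): the RiskSense mitigation is
to cap active connections per source IP to SMB ports on an inline device.
This script performs the same check as detection logic over connection-table
output, so an operator can see which sources exceed the limit.
"""
from collections import Counter
import re

SMB_PORTS = {445, 139}          # SMB over TCP and the NetBIOS session service
DEFAULT_LIMIT = 20              # assumed per-source threshold; tune per environment

# Regex for one `ss -tn`-style line (assumed format):
# "ESTAB 0 0 10.0.0.5:445 198.51.100.7:51234"
LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"(?P<laddr>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<raddr>[\d.]+):(?P<rport>\d+)\s*$"
)


def parse_connection(line):
    """Return (state, local_port, remote_ip), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("state"), int(m.group("lport")), m.group("raddr")


def count_smb_connections(lines, ports=SMB_PORTS, states=("ESTAB", "SYN-RECV")):
    """Count connections per remote IP to SMB ports in the given TCP states.

    SYN-RECV is included (an assumption) because half-open connections also
    occupy server resources; drop it if only established sessions matter.
    """
    per_source = Counter()
    for line in lines:
        parsed = parse_connection(line)
        if parsed is None:
            continue                       # header lines and unparseable input
        state, lport, raddr = parsed
        if lport in ports and state in states:
            per_source[raddr] += 1
    return per_source


def sources_over_limit(lines, limit=DEFAULT_LIMIT):
    """Return {remote_ip: count} for sources at or above the limit, highest first."""
    counts = count_smb_connections(lines)
    over = {ip: n for ip, n in counts.items() if n >= limit}
    return dict(sorted(over.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample: one well-behaved client, one source holding many
# connections to 445, plus non-SMB and non-active lines that must be ignored.
SAMPLE_LINES = (
    ["State Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    + ["ESTAB 0 0 10.0.0.5:445 198.51.100.7:51234",
       "ESTAB 0 0 10.0.0.5:445 198.51.100.7:51235"]
    + [f"ESTAB 0 0 10.0.0.5:445 203.0.113.9:{40000 + i}" for i in range(25)]
    + [f"SYN-RECV 0 0 10.0.0.5:445 203.0.113.9:{41000 + i}" for i in range(5)]
    + ["ESTAB 0 0 10.0.0.5:22 203.0.113.9:50000"]        # SSH, not SMB
    + ["TIME-WAIT 0 0 10.0.0.5:445 192.0.2.44:6000"]     # not an active state
)

if __name__ == "__main__":
    for ip, n in sources_over_limit(SAMPLE_LINES).items():
        print(f"{ip}: {n} active SMB connections (limit {DEFAULT_LIMIT})")
```

On a live host the same functions can be fed the output of `ss -tn` line by line; the threshold should be set above the number of concurrent sessions a legitimate client (a file server proxy, a backup agent) is expected to hold, so that the check flags only sources that would also be cut off by the firewall-side limit.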
RFID badges for secure access are common in many organizations. But Dennis Maldonado, the founder of Houston Area Hackers Anonymous, who is also an engineer at penetration testing company Lares Consulting, demonstrated at Def Con the possibility of cloning a badge. His equipment allows an attacker to remotely scan a card from a distance of approximately two feet and then send that data to a cloning machine up to 30 feet away which would then automatically write to a new card. The story was carried by Mashable.com.
Back at Black Hat, researchers from ESET and Dragos Inc., which specializes in industrial control system (ICS) security, presented an analysis of the malware, dubbed Industroyer, used in the recent attacks on the Ukrainian power grid.
“The good news is the malware likely won’t work in North America without modifications, and even then it wouldn’t trigger widespread blackouts and critical infrastructure failures,” according to a news report on TechTarget.
“The bad news, however, is that the Industroyer malware shows a considerable evolution of tradecraft for cyberattacks against industrial control systems, as well as a clear willingness to cross hypothetical lines by targeting and even destroying critical infrastructure.”
The malware was designed to attack specific ICSes to exploit a vulnerability in a Siemens ICS product, according to the report. Siemens patched the flaw with a firmware update, but Industroyer masquerades as a “Trojanized” version of Windows notepad, which it replaces in the target system, and has not only a primary backdoor, but a secondary backdoor it can activate if the primary one has been mitigated. It also disrupts response and recovery efforts.
The lesson for infosec pros, one of the presenters made clear, is that the attackers didn’t discover a zero-day bug; they took the time to learn about the specific ICSes, communication protocols and energy grid operations in Ukraine to build the attack.