Interesting and scary things from Black Hat 2013

Black Hat 2013 concluded in the first week of August.

Some interesting/scary things from Black Hat 2013
 
Spear Phishing – is not fishing with a spear, far from it.
 
If you are an IT administrator with access to corporate resources, especially administrative access, then beware – a new kind of attack is specifically aimed at your profile. The usual warning you get is not to open mails from unknown and suspicious sources. This warning now has to be extended: you should also be wary of links in messages that seem to come from friends. Research shows that your social networking footprint – your tweets, your Facebook messages, etc. – is carefully studied and mails are specifically crafted for you.
 
Let us see how this works. Let’s say that you have recently posted a photo that says ‘visited my brother raj and his wife raji’. The hacker will search your list of friends to find out who Raj is, where he stays, what kind of work he does, his children’s profiles, where his wife Raji works, and whether Raj is your only brother. He will visit the profiles of common friends to gain more information about you. Believe me, a detailed profile of a person can be built using this methodology – given the increasing amount of interaction people have on social networking sites.
 
Million Dollar Botnet
 
The researchers from White Hat demonstrated that by spending just 50 cents to place an ad in a legitimate online ad network – an ad that would ping their test server – they could get 1000 unique users to ping that server. Extrapolating, just by spending $500, one could get a million users pinging a server. This would surely crash the target.
 
The researchers were able to do it because the ad networks do not effectively check whether the ad being placed contains any malicious code – indeed they do not have the technical capabilities to do so.
 
There is no quick solution to this problem. No vulnerability was being exploited; the hack just made use of the way in which the core internet infrastructure and the ad networks work.
 
The web is broken
 
The core security mechanism that supports the internet is SSL. One session at Black Hat demonstrated a way to break this security – to read encrypted messages under certain conditions. Today’s internet commerce is worth NN Billion and growing. SSL is one of the basic mechanisms that help us buy things on the internet by keeping our card numbers and related authentication information safe. What happens when this is compromised is anyone’s guess. US-CERT does not currently have any solutions to this problem.
 
A charger that hacks.
 
Charging your iPhone using an unknown charger – in hotel rooms, lounges, airports, etc. – might be dangerous. One session at Black Hat this year demonstrated something called Mactans – a charger that takes complete control over your phone, even after it is unplugged from the charger. The demo made everyone sit up and take notice – the iPhone was hacked, turned off and then turned on again on its own, swiped for access, entered the passcode and made a phone call. It was eerie; something out of a ghost movie perhaps.
 
At least this one has a feasible solution – do not plug your iPhone into a charger you do not own or know to be secure.
 
Other interesting stuff:
1) Your car can be hacked
2) Security cameras can be hacked
3) All mobile platforms are insecure including iOS and BlackBerry 10
4) SIM cards can be hacked
