10 Significant Threat Findings Revealed At Black Hat 2014

Hacker Threat Research Plays Role In Shaping Security Market

Threat research presented at Black Hat 2014 and at smaller, regional conferences plays a small but significant role in influencing how security vendors shape their product portfolios and feature sets, according to security experts interviewed at Black Hat 2014.

Security researchers often focus on identifying weaknesses in emerging technology areas and can give the industry an early warning about how attackers will use new services or products to gain access to corporate resources or conduct other dangerous attacks, said Marc Maiffret, a security industry veteran and chief technology officer of security vendor BeyondTrust. These 10 significant pieces of research, unveiled in presentations at the 18th annual Black Hat conference this week, could influence security vendor product roadmaps and have a lasting impact on solution providers who sell data protection, threat detection and risk management products and services.

Continued Weaknesses In Database Security

David Litchfield, a U.K.-based security researcher well-known to the security community for uncovering significant vulnerabilities and configuration weaknesses in database management system (DBMS) software from Oracle, Microsoft and other manufacturers, revealed new weaknesses in Oracle's flagship DBMS.

A data redaction feature in Oracle 12c, designed to protect sensitive data, has a significant number of security vulnerabilities, Litchfield said this week. In his presentation at Black Hat, Litchfield showed that the errors could be exploited by criminals to bypass the security feature and view sensitive information such as Social Security numbers and credit card data. The feature may give businesses a false sense of security, he said.

Cloud Security Issues Extend Beyond Availability

Andres Riancho, founder of Argentina-based consultancy Bonsai Information Security, detailed research that shows how configuration errors and common vulnerabilities expose data, account credentials and other information in applications hosted at public cloud infrastructure providers.

Riancho demonstrated how Amazon Web Services cloud infrastructure could be exploited to gain access to account credentials and log files and ultimately to hijack an AWS account. He also created a hacking tool that automates triggering the processes used to view metadata, which provides significant clues that attackers can use to access sensitive resources. He urged security pros to work with development teams to assess current configurations and guide future projects that use resources from Infrastructure-as-a-Service providers.

Medical Device Threats Deserve Attention, Say Researchers

A growing list of tiny, but powerful, embedded systems that run insulin pumps, pacemakers and other health-care devices deserves significant attention, because they are increasingly tied to web-based services, according to researchers who discussed the issue this week during a panel discussion at Black Hat.

Weaknesses could be used to target high-risk individuals, such as political leaders and others, or expose sensitive medical data, said Jay Radcliffe, a researcher at vulnerability management vendor Rapid7. Radcliffe focuses on medical security and has hacked his own insulin pump. Radcliffe said the devices suffer from a long-standing issue of how to update the software running on them to limit the risk that they can be manipulated and prevent data exposure.

Retailers Face POS System Weaknesses, Chip-And-PIN Limitations

Retailers face significant challenges preventing memory-scraping malware from running on point-of-sale systems, according to Nir Valtman, a security researcher at Crowdome and enterprise security architect at NCR Retail. Speaking at Black Hat, Valtman described how cybercriminals have been able to easily get memory-scraping malware, including the malware used in the massive Target data breach, to execute on POS systems and to identify and retrieve details. The footprint on most payment systems prevents security software from running without disrupting performance, and Valtman advocated for more threat intelligence services to help retailers, rather than a technology approach.

Meanwhile, in a separate Black Hat session, Ross Anderson, a cryptography expert at Cambridge University, said U.S. retailers are going to be forced to support chip-and-PIN as a fraud reduction measure, but warned that it has weaknesses and limitations.

Yahoo Joins Google To Implement End-To-End Email Encryption

Poorly implemented data encryption and the use of weak and outdated encryption protocols were discussed by researchers in several presentations at Black Hat. But the biggest announcement about data protection came from Yahoo, which used the Black Hat conference to announce that it is rolling out end-to-end encryption for all of its Mail users. It's a move that Google announced in June, when it released a browser plugin to encrypt data.

Yahoo and Google are responding to the significant privacy and security concerns shared by users of cloud services globally, following the extensive government-spying capabilities exposed in documents leaked by former NSA contractor Edward Snowden. Yahoo's chief information security officer, Alex Stamos, said encryption will be rolled out by 2015.

Automobile Manufacturers Face Significant Threats, Say Researchers

Automobile manufacturers, which are increasingly adding software to monitor and trigger sensitive system components, face a growing list of significant weaknesses, according to researchers Charlie Miller and Chris Valasek, who unveiled an analysis of automobile network data and identified a list of 20 specific models most significantly at risk.

Vehicles are increasingly using wireless capabilities, making remote attacks a reality, the two security researchers said this week at Black Hat. Miller, a security engineer at Twitter, said the two researchers looked for manufacturers that made vehicles with the most significant attack surfaces. The 2014 Jeep Cherokee and 2015 Cadillac Escalade posed the greatest risk, the researchers found. Meanwhile, the 2006 Ford Fusion and 2010 Range Rover Sport appeared to be the most secure.

OTA Updates Add To List Of Mobile Security Risks

Accuvant Labs researchers Mathew Solnik and Marc Blanchou described the weaknesses in an over-the-air update mechanism used by network operators and device manufacturers to update smartphones, tablets and other devices.

The Accuvant Labs researchers said an attacker could hijack carrier remote-control capabilities and exploit vulnerabilities in a widely used device management protocol. They said mobile devices are also at risk from rogue base station attacks, which could enable criminals to snoop on users regardless of the carrier, handset maker or device firmware.

USB Threats Increasing Significantly

Tiny USB devices have been known to pose a significant risk of infecting endpoints with malware, but security researchers Karsten Nohl and Jakob Lell demonstrated that advances have made them an even more dangerous weapon. Future attacks using a malicious USB device could contain more significant capabilities, the researchers warned in their Black Hat presentation this week.

The researchers showed how an attack could be used to sniff network traffic and take complete control of a victim's computer by making malware execute during the boot-up process. USB threats are difficult to detect because a malicious device, once plugged into a laptop or PC, is often identified as a new device, and malware authors can use stolen digital certificates to spoof a device manufacturer, the researchers said.

Energy Management Platforms At Risk, Researchers Say

Vulnerabilities in Cisco Systems' EnergyWise suite were presented by researchers at German IT security consultancy ERNW, who warned that attackers could exploit them to disrupt power at organizations. The researchers reported their findings to Cisco, which issued an advisory earlier this week warning about the threat.

The information also could be used to uncover data that supports nation-state spying. Cisco EnergyWise was designed to provide readings on voltage, watts, amps and kilowatt-hour consumption of server racks, as well as take humidity, temperature and airflow readings.

Airport Security Equipment Has Significant Vulnerabilities, Warns Researcher

Widely used airport scanning equipment contains significant vulnerabilities and could be targeted locally to gain access and manipulate critical functions, according to noted security researcher Billy Rios at Black Hat this week. Rios, director of vulnerability research at Qualys, identified issues with two devices approved for use by the Transportation Security Administration and called for device manufacturers to make significant improvements to prevent access to the underlying software.

Rios said he identified credentials stored in plain text in a manufacturer's baggage-scanning equipment and other poorly implemented remote-management capabilities. Default passwords are also a significant issue, he said.