Mobile and Web security will be major topics at Black Hat

Security researchers will disclose new vulnerabilities affecting mobile and Web technologies at security conference

Security researchers are expected to disclose new vulnerabilities in near field communication (NFC), mobile baseband firmware, HTML5 and Web application firewalls next week at the Black Hat USA 2012 security conference.

Marking its 15th year, thousands of security enthusiasts and IT professionals flock to the annual Las Vegas conference to watch some of the industry's top researchers present their latest findings.

With the rise of smartphones during the last few years, mobile technologies have become a major focus of security research -- and for good reason. Many of today's mobile phones are actually mini computers that store a wealth of sensitive data and this makes them attractive targets for attackers.

Some smartphone vendors have implemented NFC technology to enable contactless mobile payments. Users only have to wave their phones over NFC-capable devices to complete a transaction.

Renowned Apple hacker Charlie Miller, who works as a principal research consultant at security consulting firm Accuvant, has investigated the security of current NFC implementations and found ways in which the technology could be abused to force some mobile phones to parse files and open Web pages without user approval.

In some cases, attackers can take complete control of the phone through NFC, enabling them to steal photos and contacts, send text messages and make calls. Miller will present his findings in what is probably one of the most anticipated talks at this year's U.S. edition of the conference.

In another mobile security presentation, University of Luxembourg researcher Ralf-Philipp Weinmann will discuss attacks against baseband processors -- the phone microprocessors responsible for communicating with cellular networks.

Last year, Weinmann demonstrated how vulnerabilities in the firmware of baseband processors can be exploited to turn mobile phones into remote spying devices after tricking them into communicating with a rogue GSM base station -- a scaled-down version of a cell phone tower. The base station had been set up using off-the-shelf hardware and open source software.

This year, Weinmann plans to show that rogue base stations are not even necessary to pull off such attacks, because some baseband vulnerabilities can be exploited over IP-based (Internet Protocol) connections.

If some components of the carrier network are configured in a certain way, a large number of smartphones can be attacked simultaneously, Weinmann said in the description of his presentation.

Mobile malware is viewed as a growing threat, particularly on the Android platform. To protect Android users and prevent malicious applications from being uploaded to Google Play, Google created an automated malware scanning service called Bouncer.

At Black Hat, Nicholas Percoco and Sean Schulte, security researchers from Trustwave, will reveal a technique that allowed them to evade Bouncer's detection and keep a malicious app on Google Play for several weeks.

The initial app uploaded to Google Play was benign, but subsequent updates added malicious functionality to it, Percoco said. The end result was an app capable of stealing photos and contacts, forcing phones to visit websites and even launch denial-of-service attacks.

Percoco would not discuss the technique in detail ahead of the Black Hat presentation, but noted that it doesn't require any user interaction. The malicious app is no longer available for download on Google Play and no users were affected during the tests, Percoco said.

Web attacks and vulnerabilities in new Web technologies will also be the subject of several Black Hat presentations this year.

Cybercriminals are increasingly relying on so-called drive-by download attacks to infect computers with malware by exploiting known vulnerabilities in widespread browser plug-ins like Java, Flash Player or Adobe Reader.

Jason Jones, a security researcher with HP DVLabs, Hewlett-Packard's vulnerability research arm, is scheduled to present an analysis of some of the most commonly used Web exploit toolkits, like Blackhole or Phoenix.

Some of the trends observed by Jones in Web exploit toolkit development this year include an increased reliance on Java exploits and faster integration of exploits for new vulnerabilities.

In the past, Web exploit toolkits targeted vulnerabilities for which patches had been available for over six months or even a year. However, their creators are now integrating exploits for vulnerabilities that are a couple of months old or even unpatched by vendors, Jones said.

As far as website defenses go, webmasters use Web application firewalls (WAFs) to detect and block known attack techniques like SQL injection, directory traversal and others.

Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall, will discuss protocol-level evasion techniques that could allow attackers to bypass WAFs.

Ristic will release a tool containing around 150 tests that can be used to determine if a Web application firewall is vulnerable to the evasion techniques he developed and researched.

Ristic hopes that website administrators will use the tool to test their WAF products and report whatever vulnerabilities they find to vendors. The tool's goal is not to empower attackers, but to spark a more open discussion about protocol-level evasion between WAF vendors, their customers and security researchers, Ristic said.

The security of new Web technologies, like those found in HTML5 -- a standard that empowers developers to build innovative Web apps and services -- will also be discussed at Black Hat, which happens on Wednesday and Thursday.

Shreeraj Shah, founder of application security vendor Blueinfy, will have a presentation about how HTML5 technologies can enable stealth attacks and silent exploits.

In addition, Qualys software engineers Sergey Shekyan and Vaagn Toukharian will discuss possible attacks scenarios with WebSockets, an HTML5 technology that enhances communication capabilities between browsers and Web servers.

One of the biggest problems with WebSockets is that most firewalls and network-layer security systems are not capable of inspecting such traffic at the moment, Shekyan and Toukharian said. This means that information stealing malware can use WebSockets to communicate with its command and control servers without being detected.

In addition to mobile and Web security, Black Hat presentations will also cover security issues and attack techniques affecting industrial control systems, smart meters and embedded devices.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place