Black Hat, Defcon Security Horror Stories Show Enterprise Vulnerabilities

A raging computer virus can wreak havoc on your network. One innocuous video surveillance camera in the parking lot outside your corporate campus can be a gateway for destruction. A code snippet from a seemingly harmless, decades-old Microsoft database utility can leave the door open for hackers.

Knowing the latest security threats is half the battle in keeping an enterprise security breach off the front pages of your local newspaper. At this summer's Black Hat and Defcon conferences in Las Vegas, experts recounted several emerging threats that could compromise intellectual property, reveal corporate secrets or run wild on corporate networks.

Java Zero-Day Exploits Spreading Like Wildfire

The Java zero-day exploit linked to the Nitro hacker group in Asia is the biggest story to come out of Black Hat, according to Anup Ghosh, CEO and founder of security software company Invincea. The Java code uses a spear-phishing technique, which targets specific companies and is a common nation-state tactic. Hackers link multiple Java zero-day attacks in the browser; Ghosh estimates there are at least 100 known sites hosting the exploit now. It is also now included in the well-known BlackHole toolkit that cybercriminals use to distribute their wares.

"Java exploits are cross-platform. Oracle has reportedly known about the flaw since April but isn't scheduled to release a patch until [its] regular patch cycle in October," Ghosh says. "The number of users that are vulnerable is extremely large."

Large security pundits, he says, are advising people to uninstall Java. Ghosh disagrees with this approach. "Uninstalling Java or disabling functionality in general is not the right solution. Start with Java, then what next? Flash, JavaScript, HTML5, the browser, the Web?"

Network Card Backdoor Access

One emerging threat has to do with the hardware products you buy. Steve Weis, co-founder of security consultancy PrivateCore, says a network card could be programmed with a backdoor that a hacker can use to gain access to your company network. This physical-level access can circumvent any security precautions you have at a software layer. Experts at the conference even named specific vendors and card models, which for security reasons won't be listed here. For a large enterprise, the solution is to audit your vendor supply chain thoroughly, he says.

Cheap Hack for Outdated VPN Software

One interesting exploit not directly related to a gap in security infrastructure is a trend that makes a known hack much easier. Security experts have known for years about the MS-CHAPv2 exploit. This VPN system from 1999 predates existing encryption technology and has known weaknesses but remains in use. Normally, cracking this vulnerability requires expert hacking skills and intensive compute power.

However, Joe Levy, the CTO of security company Solera Networks, points out that a tool released at Defcon called ChapCrack can crack this vulnerability within 24 hours for $200.

Advanced Evasion Techniques to Bypass Firewalls

One of the most troubling developments in hacking is called an advanced evasion technique (AET). Technically, this is not a new exploit or attack, but it is a way to circumvent existing security practices, says Richard Benigno, a senior vice president at Stonesoft Americas, a network security company.

Using AET, an attacker breaks apart an exploit into pieces, bypasses a firewall and then reassembles the code to create the attack. Benigno says this technique is rare, since the hacker has to write complex code designed for a specific attack, but the threat is on the rise. One tool released at Black Hat, for example, contains 150 ways to bypass Web application firewalls.
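Why split-up traffic slips past an inspection device, seen from the defender's side, as an added example that is not part of the original article: a signature check applied to each piece separately misses content that a check on the reassembled stream catches. The segment model, the function names and the harmless marker string are all assumptions made for this illustration.

```python
# Constructed sample data: (byte_offset, payload) pairs stand in for network
# segments. SIGNATURE is a harmless marker, not a real exploit pattern.
SIGNATURE = b"BLOCK-THIS-MARKER"
PAYLOAD = b"GET /?q=BLOCK-THIS-MARKER HTTP/1.1\r\n"

WHOLE = [(0, PAYLOAD)]
# Same bytes, cut inside the marker and delivered out of order.
SPLIT = [(20, PAYLOAD[20:]), (0, PAYLOAD[:12]), (12, PAYLOAD[12:20])]
# Same as SPLIT but the middle piece never arrives.
GAPPED = [SPLIT[0], SPLIT[1]]


def inspect_per_segment(segments, signature=SIGNATURE):
    """Naive inspection: match each segment on its own, in arrival order."""
    return any(signature in payload for _, payload in segments)


def reassemble(segments):
    """Rebuild the byte stream the receiving host would see.

    Where segments overlap, the byte that arrived first is kept. That is one
    possible policy; an inspector has to mirror the host it protects.
    Returns (contiguous_stream_from_offset_0, complete_flag).
    """
    seen = {}
    for offset, payload in segments:
        for i, byte in enumerate(payload):
            seen.setdefault(offset + i, byte)
    stream = bytearray()
    while len(stream) in seen:
        stream.append(seen[len(stream)])
    return bytes(stream), len(stream) == len(seen)


def inspect_stream(segments, signature=SIGNATURE):
    """Normalising inspection: reassemble first, then match once."""
    stream, complete = reassemble(segments)
    # An incomplete stream is reported as such so it is not treated as clean.
    return {"match": signature in stream, "complete": complete}


if __name__ == "__main__":
    for name, segs in (("whole", WHOLE), ("split", SPLIT), ("gapped", GAPPED)):
        print(name, inspect_per_segment(segs), inspect_stream(segs))
```

The gapped case is the one to handle deliberately: with a piece missing, "no match" only means the inspector has not yet seen everything the host will.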

Social Engineering to Steal Data in Minutes

At Defcon, Chris Hadnagy, who runs the site, set up an event in which a "contestant" called an enterprise and said he was from the IT department. The caller created a story about how the IT staffer was at his son's birthday party but needed some information to get some work done over the weekend. After 10 minutes, the contestant was able to find out a variety of things, such as who handles the Dumpster service for the company and which operating system the company uses. The enterprise employee even visited a fictitious corporate website.

"All of this was an exercise, but, at the end of the day, these are similar attacks to what is being done by malicious social engineers to get information out of their victims," Hadnagy says.

Hotel Door Lock Bypass

Here's a security threat causing concern in the travel industry. According to Chet Wisniewski, a senior security advisor at Sophos, an endpoint security company, one researcher explained how he used a handheld computer to unlock hotel door locks. The researcher estimates that about 4 million locks in use today are easy targets for this type of break-in, which reads a lock's decryption key, accesses the lock's firmware and triggers an open command, all in a matter of seconds, and the firm that makes these locks wants hotels to pay for the security fix.

Black Hat attendees also heard about exploits related to near-field communication (NFC), a wireless protocol used in high-end phones like the Google Galaxy Nexus for financial transactions. There was even talk of how there are hacks to invade air traffic control systems and video surveillance cameras, although those discussions seem to persist every year with nary a successful demonstration to show for it.

John Brandon is a former IT manager at a Fortune 100 company who now writes about technology. He has written more than 2,500 articles in the past 10 years. You can follow him on Twitter @jmbrandonbb.
