Black Hat 2015 – 5 security vulnerabilities that have researchers worried

What's the next thing to worry about?

Abstruse, sometimes informative and occasionally sensational, the Black Hat show's security presentations don't always describe the attacks that are happening today so much as what might be coming down the pike. In that sense, it's a sort of early warning system - as long as you can separate the far-fetched theoretical hacks and attacks from the ones that might actually come to pass.

There is no single theme that stands out at Black Hat - it's more a case that everything is going to hell in a handcart. But the quality has risen over time. Here we pick on a few of the important presentations.

Malvertising - it's suddenly got a lot bigger

In the space of barely a year malicious advertising (malvertising) has grown from an interesting tactic employed by cybercriminals into the most important way to distribute malware. The world has yet to catch up with this change despite numerous warnings about its effectiveness.

According to a presentation by security firm RiskIQ, which monitors two billion publisher pages and 10 million mobile apps each day, the volume has jumped by 260 percent in a year with fake Flash updates now the most common lure. The firm blames the rise of 'programmatic advertising', the way that ad traffic is now being managed by machine-to-machine technology that offers numerous places for malvertising to hide, spread and thrive.

This obviously presents a major headache for enterprises and consumers alike, neither of which expect to encounter malicious code inside or being served from what might otherwise be the legitimate ads that fuel the Internet.

"The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware," said RiskIQ co-founder and CEO, Elias Manousos.

"Malvertisements are difficult detect and take down since they are delivered through ad networks and are not resident on websites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users."

Android - a tale of two flaws

This was without doubt the most significant Black Hat show for Android, an operating system whose flaws are starting to come to light at an alarming rate. The biggest of these was something called Stagefright, discovered by a small outfit called Zimperium, which coined a flaw nickname that caught the right mood of alarm.

Techworld has covered the Stagefright flaw in some depth elsewhere, but the fact that almost the entire Android user base was vulnerable to something that could be exploited with almost no complexity grabbed the attention. Patches have been issued, although they will take time to reach handsets; until then the best advice is to turn off MMS auto-retrieve.

Close on its heels came a second less alarming but in some ways more complex flaw from Check Point called 'Certifi-gate'. The issue with this one is that it could be much harder to fix because it exists in remote support plugins used by many smartphone makers and carriers.

Border Gateway Protocol (BGP) - more attention needed

BGP is one of those things engineers pay attention to. As one of the core protocols on which the Internet operates, BGP matters because it is used by routers to keep each other informed of router peering - without that the Internet would have no resilience, and indeed arguably would cease to be the Internet.

Although considered resilient and secure, it wouldn't take much for an incident to cause big problems. Indeed, there have been a small number of infamous examples where things went awry, including the Pakistani Government attempting to block YouTube by interfering with BGP tables in 2008, and a Chinese ISP that in 2010 accidentally started propagating 3,700 routes it had no rights to.

There are some opportunities for attacks on this infrastructure, but another big issue, according to a presentation by Wim Remes of Rapid7, is simply that analysis of misconfigurations is currently poor. Oversight exists, but with the Internet of Things upon us it needs to shape up, and rapidly, possibly using developments such as Resource Public Key Infrastructure (RPKI).

Man in the Cloud - the invisible attack?

Research by Imperva underlined how cybercriminals are using synchronization services such as GoogleDrive, Box, OneDrive and DropBox as infrastructure for an emerging type of attack that requires little attack code and that can't currently be detected by endpoint security systems.

Imperva's discovery is that these services are designed in such a way that while the account credentials can't be hijacked, the tokens used by them are highly vulnerable to interception in ways that allow attackers to compromise files traversing the services. Since enterprises allow these services, and see them as secure, the risk is that they will be targeted. The services can also therefore act as channels to remove data without that being detectable, and for command & control.

Blue Coat systems reported on an attack in late 2014 that appeared to be based on the same principle.

Windows Server Update Services Vulnerability - hijacking trust

A presentation by UK-based Context Information Security covered a surprising vulnerability in Windows Server Update Services (WSUS), which they found allows a user with low privileges to install software as if it were a genuine part of the Windows Update process on internal networks. The flaw is only present where firms are not using SSL and instead rely on plain HTTP, but it turns out that is the default.

"During the update process, signed and verified update packages are downloaded and installed to the system. By repurposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates in order to execute arbitrary commands," said the researchers.

Enterprises were advised to check the registry key settings applied by the WSUS group policy - any Windows PC not using HTTPS to reach its update server is vulnerable.
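One way to perform that check on an endpoint, as an added example that is not from the article or from Context Information Security: the script below reads the WSUS server URLs that Windows Update policy writes to the registry (the standard HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate key with its WUServer and WUStatusServer values) and flags any that use plain HTTP. It assumes you run it in an elevated PowerShell session on a domain-joined Windows machine.

```powershell
# Added example (not the article's or the researchers' code): audit the WSUS
# URLs pushed by group policy and flag plain-HTTP transport.
# Assumes the standard policy key below; values are absent on hosts that
# update directly from Microsoft Update rather than an internal WSUS server.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusTransport {
    param([string]$Url, [string]$Name)

    # No value means this setting is not pushed by policy at all.
    if ([string]::IsNullOrWhiteSpace($Url)) {
        return [pscustomobject]@{ Setting = $Name; Url = $Url; Status = 'NotSet' }
    }

    # Parse the URL so we judge the real scheme, not a string prefix.
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        return [pscustomobject]@{ Setting = $Name; Url = $Url; Status = 'Invalid' }
    }

    $status = if ($uri.Scheme -eq 'https') { 'OK' } else { 'VULNERABLE-plain-HTTP' }
    [pscustomobject]@{ Setting = $Name; Url = $Url; Status = $status }
}

if (-not (Test-Path $policyKey)) {
    Write-Output 'No WSUS policy key found; this host is not pointed at an internal WSUS server.'
    return
}

$props   = Get-ItemProperty -Path $policyKey
$results = @(
    Test-WsusTransport -Url $props.WUServer       -Name 'WUServer'
    Test-WsusTransport -Url $props.WUStatusServer -Name 'WUStatusServer'
)

$results | Format-Table -AutoSize

if ($results.Status -contains 'VULNERABLE-plain-HTTP') {
    Write-Warning 'WSUS is reached over HTTP. Change the policy URL to https:// and enable SSL on the WSUS server.'
}
```

Run it across a fleet through your management tooling and treat any `VULNERABLE-plain-HTTP` result as a host that a low-privileged user on the same network could feed counterfeit updates to.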

Stories by John E Dunn