In a very real sense, presenting this information publicly at Black Hat is an altruistic gesture. It's quite possible that the first discoverer of a security flaw could instead earn big bucks by quietly selling the information to the affected company. Facebook has paid over a million dollars in "bug bounty" payouts to researchers. Microsoft recently launched a similar program; Google, Mozilla, and others have been doing it for years. Of course, foreign governments and organized cybercrime might pay even more...
When we attend Black Hat, we carefully peruse all of the abstracts in advance to select the most interesting and scary talks.
Here are top ten alarming revelations from the 2013 Black Hat conference from pcmag.
1. Pwned iPhone. Nobody denies that Android phones are vastly easier targets for malware than iOS devices, which is one of the reasons I carry an iPhone. My sense of security was totally shattered by a talk demonstrating a technique to totally pwn an iPhone using a modified charging station. Dubbed Mactans (the scientific name of the black widow spider) this attack gives hackers complete and total control of your phone even after it's removed from the charger. The jaw-dropping demo started by hacking the iPhone and turning it off. Then, with nobody touching it, the phone turned on, swiped across for access, entered the passcode, and made a phonecall. The lesson is very clear: Don't plug your phone into a charger you don't own!
2. Security Cameras Not So Secure. You install security cameras in your office to improve security, but doing so might have the opposite effect. Modern cameras let an administrator log in from anywhere to view the video feed. They also offer easy access for hacking, with seriously lame security. One session showed precisely how to gain full administrator and root access to four different popular brands of camera. The session culminated with an impressive demo in which the presenter set up a security camera to protect a bottle of beer, then hacked the camera and "stole" the beer. Note that with this level of access the hacker could gain access to other areas of your local network; very alarming!
3. Master Key Hides Android Hacks. It's totally true that even newbie hackers can disassemble, Trojanize, and reassemble any Android app, but the modified app doesn't have the original developer's certification. Using a weakness they've dubbed "Master Key", a group from Georgia Tech demonstrated multiple ways to modify a program yet have Android still verify it as unchanged. In effect, Android verifies one program but runs another. Maybe you thought you could haunt those non-authorized Android appstores as long as you make sure the developer certificate is valid? You thought wrong
4. Femtocell Hackers Capture Cell Traffic. I knew this would be a good talk when I saw the warning signs outside the hall saying "Cellular Interception Demonstration in Progress". Femtocells are sold as signal boosters, but they can be misused. The presentation demonstrated in real time a hack that let researchers capture all traffic passing through an affected smartphone, including voice, text messages, even images sent via text. Verizon has patched the weaknesses that allowed the exploits demonstrated here, but that doesn't mean we're safe. The presenters offered one possible solution: halt the manufacture of femtocells. They plan to release a tool that will put the phone into airplane mode rather than connect to any femtocell.
5. Million Browser Botnet, Cheap! In order to launch a big Denial of Service attack, a botnet herder has to work hard getting malicious software installed on thousands of computers, right? Wrong. It turns out that by spending $50 or so on banner ads, researchers from White Hat Security managed to launch a DoS attack that successfully took down their test server. You may have been part of the test without even knowing it! The moment that ad showed up, your browser executed a snippet of Javascript, and the attack left no traces behind.
6. Don't Trust Email from Friends. Phishing attacks spew spam to thousands or millions of people, hoping a few will be dumb enough to log into a fake bank site. Spear phishing is a more focused attack typically aimed at an individual with access to corporate assets. Scammers try to create an email that's apparently from a trusted source and that seems legitimate, so the victim will click on the poison link. New research shows that they can use your public tweets and other public posts to fine-tune such messages, mimicking your writing style. We used to warn against clicking links in messages from strangers; now you have to worry about links in messages apparently from friends.
7. NSA Head Promises Truth. General Keith Alexander, head of the NSA, kicked off Black Hat with a keynote speech in which he promised nothing but the truth. "We need to hear your ideas," he said, "and you need to hear the facts." One heckler called the general a liar, and security confiscated an egg carton, but the audience was surprisingly accepting. I can't help but think we didn't get all the facts, though.
8. Even Bigger DDoS Attacks Likely. The biggest-ever Distributed Denial of Service (DDoS) attack took place earlier this year against antispam vigilante site Spamhaus. The attack was originally credited to a Dutch hacker, but apparently the true "mastermind" was a 15-year-old London boy, now in custody. The presentation included a very simple equation showing how with just a little effort the attack could have been ten or a hundred times as bad. All of the factors that went into the attack are still available to hackers, and can't easily be fixed. 30 terabyte per second DDoS attack, anyone?
9. Flame-Throwing Women. Security company Rapid7 is known for throwing lavish parties at security conferences. For the RSA Conference in San Francisco, they typically take over the immense Ruby Skye night club. For Black Hat, Rapid7's invited guests descended on The Palms. They milled around the massive pool, lounged in the cabanas, and danced to the beats at the Rain nightclub. Entertainment included a group of steel drummers, three supremely talented break dancers, and a pair of dancers who showed off their pyrotechnic skills. They tossed flaming torches and spun a hula hoop on fire while dancing. Fortunately everyone managed to avoid spontaneous human combustion. OK, it's not security related, but it was pretty scary.
10. The Death of Barnaby Jack. Hacker extraordinaire and long-time Black Hat presenter Barnaby Jack wowed audiences in past years. One year he hacked into an ATM on stage and caused it to spit out all its cash. He also demonstrated a vulnerability in commonly-used insulin pumps that could subject them to external control. Jack was scheduled to demonstrate a similar hack for pacemakers during Black Hat. However, the week before Black Hat he suddenly died. No foul play was reported, but Jack was just 35 years old. Unsettling!
Source And Picture from pcmag.com
Top Ten Scariest Things We Saw At Black Hat
