Dangerous New Attack Vectors Unveiled at Black Hat Europe 2015

For most companies and institutions, security is a game of catch-up. You may have the most up-to-date security software available to protect yourself from all known threats, but it’s the threat a few years down the line that will likely be your undoing. You can’t prepare yourself against an attack vector that currently doesn’t exist. However, one way to get an idea of what attacks are on the horizon is to see what new exploits are being revealed at black hat conferences. This idea is not new as most of these conferences have sponsors that are legitimate security firms.

A case in point was the recent Black Hat Europe conference where several new exploits were revealed. Keep in mind that few of the presenters will identify themselves as hackers. They operate under the banner of pentesters or bug bounty hunters. It’s a gray, hazy area which is why security experts advise caution when hiring pentesters. You never know what they might do with a vulnerability they find once you let them into your network. In any event, here are a few key points that the presenters made. Whenever possible, I wanted to present the findings in their own words so as not to inject any bias.

The state of security in general – “Your average large-company InfoSec team is still struggling with problems that we ‘knew about’ in the 90’s.” This is from the keynote presentation by Haroon Meer, who actually works in security. His conclusion is that modern security teams are using methods to secure their networks that are doing more harm than good.

Cloud storage – Here’s a quote about cloud-based storage from a presentation by Siegfried Rasthofer and Steven Arzt. The quote refers to Backend-as-a-Service (BaaS), a cloud storage service offered by such major companies as Amazon, Google, and Facebook. “Many BaaS solutions are completely insecure and attackers have no difficulties in breaking into the developer’s backend.” They investigated this weakness in cloud storage and reported, “we were able to access more than 56 million sensitive user records stored in the cloud by heavily misconfigured BaaS solutions. These records contained all sorts of sensitive data processed by Android apps: medical information, credit card data, photos, voice-, audio- and video-records, money transaction records, etc. Some apps even contained credentials that gave us full control over the remote storage.” Yeah, that doesn’t look good for those thinking that the cloud is somehow secure by nature.

BYOD – Bring-Your-Own-Device (BYOD) refers to allowing employees to access corporate information through smartphones and tablets. Companies have tried a number of ways to secure these endpoints with mobile device management (MDM) solutions, but employees (and attackers) have always found ways around MDM to do what they want with their smartphones. In the same way, attackers have learned how to compromise weak endpoints to gain entrance to corporate networks. The easiest way for an employee to circumvent company regulations is to root their device. Rooting (aka jailbreaking for Apple devices) refers to taking complete control over a device to do things with it that the company does not allow you to do, such as installing certain apps or visiting certain web sites. Companies realize some employees may try to do this and have developed applications that can tell if a device connected to their network is rooted. Unfortunately, hackers have developed ways to fool security teams into thinking a device is not rooted when it really is. As Azzedine Benameur, Nathan Evans, and Yun Shen reported in their presentation, “We dissect the aforementioned applications with commonly available open source Android reverse engineering frameworks to demonstrate the relative ease of circumventing these root checks. Finally, we present AndroPoser, a simple tool that can subdue all the root checks we discovered, allowing ‘rooted’ devices to appear ‘non-rooted.’” This is another case in which a software solution to MDM problems only encourages the development of software apps that can circumvent the solutions.

Compromising Android apps – Bai Guangdong’s presentation explained how Android apps can be compromised through their own authentication protocols. “We find that nearly all backup apps on Google Play inadvertently expose backup data to any app with Internet and SD card permissions. With this exposure, the malicious apps can steal other apps’ authenticators and obtain complete control over the authenticated sessions.” Using this attack vector, he was able to compromise 80 of 117 (68.4%) top-ranked apps.

Compromising password managers – As Alberto Garcia and Martin Vigo pointed out in their presentation, “password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic as all the victim’s secrets reside in the vault. One breach to get it all.” That sounds true enough, so why not try to compromise one of the most well-known password managers, LastPass, which has over 10,000 corporate clients? And so it came to pass. The presenters developed an exploit that “is able to search for all LastPass data in the machine comprising all accounts present. It will find and decrypt the master password, it will derive the encryption key for the vault, it will find the 2FA (two-factor authentication) trust token and it will steal the vault so it can be decrypted. All secrets in the vault will be printed out for the pentester’s satisfaction.” Well, I suppose in an ideal world this exploit would only be used by pentesters, but you never know. It could fall into the wrong hands.

These are just a handful of exploits that were presented, but they expose real threats that could easily bring down a corporate or institutional network. The truth is that we will probably see the real-world use of these attack vectors in the not-too-distant future. Pentesters, hackers, bug bounty hunters, and security experts take all such threats seriously. This is reflected in the fact that most attendees at such conferences usually don’t bring smartphones, laptops, or credit cards. When it comes to cybersecurity, you just can’t be paranoid enough.

______________________________________________________

The exploits explained above all make use of software vulnerabilities. It is possible to increase network security with hardware solutions that protect networks from weak endpoints.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.