This week, the Black Hat Conference in Las Vegas will show how we all gamble with our security right across the IT inventory, says Eric Doyle
There will be the usual glut of food for thought at the forthcoming Black Hat Conference in Las Vegas at the end of this month (July 30 – August 4). The usual pre-show leaks show the range of vulnerabilities that will be revealed in detail.
One of the oddest revelations is that batteries have embedded controllers which could be an attack vector. Lithium-based batteries are highly combustible if treated badly but we are moving from the replaceable battery pack to the embedded battery.
Hacking The Battery And Other Hardware
Armed with a degree in screw technologies and/or glue untacking methodologies, you can make the batteries accessible but opening up the case of a laptop – or even worse, an iPhone or iPod, is not for the faint-hearted. However, according to Charlie Miller, principal research consultant at Accuvant Labs, it may be possible to tamper with the controller to cause mischief without intimate access.
He reckons that reprogramming the controller is a possible way to remotely cause equipment to burst into flames – but this is highly unlikely. Ever since a period of self-combusting computers a few years ago and some quite recent incidents, the batteries are now protected with fuses to stop the charging process if there is a constant power increase. This makes the incendiary iPhone less likely but hackers could, theoretically, change parameters or place a backdoor into the system.
The controller’s primary aim is to store battery details, accessed to show the current status of charge that can be displayed on the laptop’s screen. It also turns on and turns off the charging process when the laptop is connected to a mains supply.
The important message is that there are several controllers in a computer that work independently of the main processor but could link through to the system to help plant malware or be used to “brick” important parts of the system to render the unit unserviceable.
Speed Rather Than Security
Financial networks running without firewalls will be looked at by James Arlen, principal at Push The Stack Consulting. The systems running in banks and other financial institutions and trading firms work are tuned to work in environments where every nanosecond counts. Within the traditional trading floor applications are systems that work so fast they are purely machine to machine links that automate the trading process.
These algorithmic trading networks run without firewalls because secure systems would create latency problems. Similarly, access control lists would be equally inhibitive. The dealing environment is based on balancing risk, cost and profits – with risk mitigation being the area that seems to suffer most.
Arlen will show the danger of using developers who are probably traders, or trader underlings, with live access to the production algorithmic engine. They are allowed to make on-the-fly changes and a new form of rogue trader could be in the making. He will be looking at how you deal with a trader (or administrator) who is using access to market data networks or exchange networks to cause negative effects on other participants. In a very short time serious damage could be caused to a company.
Drive-by Android Exploits
Leaky Android phones is the focus of a talk to be given by anti malware specialist Dasient. The research team plans to show how a drive-by attack can be constructed to work on a smartphone rather than a the full-blown computers that have been targeted in the past.
“It’s possible to write an attack such that when a user simply navigates to a Webpage on a mobile phone, the attacker can get a backdoor channel to the phone,” said Neil Daswani, Dasient’s CTO.
The team will also show the results of a behavioural analysis test that they have performed on over 10,000 Android apps. Around 800 of the apps were shown to be transmitting user device IDs, usernames and contact information.
Unlike previous reports covered in the press, these applications are not malicious but normal apps such as SMS messaging aids (the BBC’s crowdsourced 3G coverage map, for instance was criticised on eWEEK Europe’s pages for taking more information than it needs). Other apps also broadcast sensitive information because they are coded incorrectly – sometimes because the safeguards that have been programmed in are badly implemented.
For those who like a bit of participation, there will be various competitions and quizzes around the expo hall. For example, Fidelis Security Systems is offering a $1,000 prize for cracking a message. The “Decode This” puzzle will begin at the start of the Briefing Days on August 2. As time goes by, the company will release a series of nine clues until someone breaks the encryption.
Although Las Vegas may be beyond most people’s budgets, key Black Hat USA content will be streamed over the Internet to allow those who are office-bound to watch and interact with some of the conference presentations.