Black Hat USA bills
itself as “the show that sets the benchmark for all other security
conferences.” While most conferences tend to over-promote themselves,
given the activity at this year’s show, that actually might be something
of an understatement.
From the defense of government surveillance delivered by NSA Director General Keith Alexander to
briefings on the coming “cryptopocalypse” and the risks associated with
embedded devices and the Internet of Things, Black Hat reminds us that a
little bit of paranoia is warranted in today’s connected world.
Here are my leading candidates for surprising, damaging ways criminal
hackers are breaching our online security and validating our paranoia:
1. Cracking HTTPS – For years, we’ve been taught that the little
“closed lock” icon and the “s” in “HTTPS” mean we can rest assured that
we’ve established a secure connection with a bank, hospital or any
other website storing sensitive, personal information. At Black Hat,
attendees were taught something else.
The lock only tells you that the browser negotiated an SSL/TLS session
with a certificate it was willing to accept. It says nothing about
whether the protocol version, cipher suite and implementation behind
that session are sound. It turns out that SSL/TLS, the underlying
protocols that actually secure the HTTP connection, are vulnerable to
attacks that would let criminals steal account numbers, passwords and
other information transmitted via HTTPS.
2. Spoofing cellular networks – For hackers, “spoofing” is the
practice of substituting an alternate, malicious resource in lieu of a
genuine resource. People think they’re responding to an email from their
bank, for instance, but are really sending their account details to a
criminal who spoofed the bank’s email address. Common in computer
networks, spoofing is now making its way into cellular networks.
Black Hat attendees learned how to take a femtocell, the box mobile
operators provide subscribers to boost their wireless signal at home or
at work, and compromise it so that it becomes a cell tower under the
attacker’s control. Because a femtocell is a legitimate operator node
and handsets attach to the strongest signal available, a mobile user
within range connects to the compromised femtocell instead of a
genuine operator tower, with no indication on the phone that anything
is wrong. The result? The attackers can listen in on everything:
voice calls, text messages, browser and application traffic, etc. They
can also clone your mobile device from the captured identifiers,
without ever having physical access to it.
3. Compromising mobile devices – Mobile has been dominating the IT
and business communities for quite a while, so it’s no surprise that
it’s starting to dominate security as well. In particular, mobile apps
are ripe for compromise. For instance, in the “How to Build a SpyPhone”
briefing, you could have learned how to build a “Spy Phone” service that
could be injected into an Android app, which could then be used to
track the phone’s location, intercept phone calls and SMS messages,
extract email and contact lists, and activate the camera and microphone
without being detected.
Another briefing revealed how to infect iOS devices via malicious
chargers. Yes, a device charger was used to inject malware into a garden
variety iPhone within a minute of plugging it into the charger. No
jailbreaking or user intervention was required, because at the time an
unlocked iPhone would pair with any USB host it was plugged into, and a
charger with a small computer inside is just another USB host. Despite
its reputation for the robust security of its i-devices, Apple
overlooked this particular point of attack but has since set about
remediating the shortcoming.
4. Hacking cars – Meanwhile, attendees at DEF CON could
learn how to hack the electronic control units of a car in the session
“Adventures in Automotive Networks and Control Units.” With a laptop
wired into the car’s diagnostic port, the researchers injected messages
onto the car’s internal network that let them control the engine,
brakes, dashboard display and other electronically controlled systems,
something that Forbes’ Andy Greenberg got to experience firsthand from
the driver’s seat.
5. Targeting “things” – The Internet of Things is emerging as a
preferred hacking target. In contrast to PCs, smartphones, tablets and
other user-operated devices, the Internet of Things includes sensors and
processors that rely on networks and the Internet to facilitate
machine-to-machine (M2M) communications. Beyond the Internet-connected
refrigerator, such sensors may be used in car functions mentioned above,
in securing homes and businesses, monitoring manufacturing or
industrial facilities and more. Beyond attacking the communications
networks these devices rely on, hackers are getting device-savvy and
learning how to compromise the sensors themselves.
If you attended Black Hat or DEF CON, I’d like to hear your thoughts
on the show. And if you have a different perspective on today’s most
pressing hacker concerns, I’d like to hear that, too. Just leave your
comments below.
And remember, just because you’re paranoid doesn’t mean they aren’t after you.