Black Hat: Lots of Hacks and a Patriotic Plea
Black Hat hasn't disappointed this year, with research revealing a flaw that undercuts OSPF routing, two separate assertions that security for Apple products in the enterprise isn't that bad and a friendly hand being offered to hackers and crackers to join the U.S. fight against terrorists in cyberspace.
Perhaps the biggest blockbuster, because of the sheer scope of the potential problem, is the vulnerability an Israeli researcher found in the Open Shortest Path First (OSPF) routing protocol that puts networks using it at risk of attacks that compromise data streams, falsify network topography and create crippling router loops.
OSPF is the most popular routing protocol used within the roughly 35,000 autonomous systems into which the Internet is divided. Typically large corporations, universities and ISPs run autonomous systems.
MORE FROM BLACK HAT: Hackers and crackers needed to counter terrorists
The only remedies are using another protocol such as RIP or IS-IS or changing OSPF to close the vulnerability, says Gabi Nakibly, a researcher at Israel's Electronic Warfare Research and Simulation Center, who discovered the problem.
Nakibly says he has successfully carried out an exploit against the vulnerability on a Cisco 7200 router running software version IOS 15.0(1)M, but it would be equally effective against any router that is compliant with the OSPF specification. He says he chose a Cisco router to underscore the severity of the problem, since Cisco dominates the router market.
Meanwhile, researchers took a look at Apple's OS X operating system for desktops and laptops and its iOS operating system for mobile devices to see whether they are more or less vulnerable than competing Microsoft products.
The conclusion of Alex Stamos, who led a team of researchers from iSec Partners that researched the OS X and Windows 7 operating systems, is that Apple does pretty well, but Microsoft wins. While earlier versions of Apple's software were more vulnerable to initial exploitation than Windows 7, the latest version, known as Lion, makes up ground.
Escalating privileges remains a problem on both operating systems, Stamos says, with OS X having more potential soft spots than Windows 7. But when it comes to network vulnerabilities, Apple is the loser. "OS X networks are significantly more vulnerable to network privilege escalation," he says. "Almost every OS X server service offers weak or broken authentication mechanisms."
Stamos says the bottom line is that enterprises should run Apple OS X products in isolated islands within networks.
On the mobile side, independent researcher Dino Dai Zovi says iOS does a pretty good job running applications in a sandbox that rogue applications would have to escape in order to do damage. The operating system has a dynamic signing feature for applications in which the device itself has to approve applications before running them, not just accepting the Apple certificate that says they are approved.
He says BlackBerries have better data protection than iOS, but that they lack a sandbox for running applications. He says that Google's Android mobile operating system is more vulnerable than iOS. Android is about as secure as a jailbroken iPhone that has lost many of its security features by virtue of being jailbroken, he says.
Celebrating its 15th anniversary, Black Hat this year went beyond technical hacking and entered the realm of politics and patriotism with its choice of keynote speaker Cofer Black, former counterterrorism chief at the CIA, who called on attendees to consider joining government anti-cyberterrorism programs.
"My world of terrorism has gone," says Black, now retired after 28 years in the CIA. "Now it's your turn."
Stuxnet has forever changed the face of terrorism and the consequences of cyberattacks, Black says. The sophisticated worm that took over control mechanisms for centrifuges in Iran's nuclear refinery and wore them out, had the impact of a physical assault.
"Stuxnet is the Rubicon of our future," he says. "What had been college pranks cubed and squared has now changed into physical destruction of a national resource. This is huge."
Black says budding cyber-counterterrorists must be ready to contribute but also be ready to encounter decision-makers being unprepared to accept that cyberattacks are the coming wave.
He says that leading up to 9/11, his CIA group knew a large-scale attack was coming, but not exactly when or where. The group had trouble convincing the Bush administration of its urgency, he says, until the World Trade Venter fell. "Men's minds have difficulty accepting things with which they have no previous experience," he says.
Black Hat offered a glimpse of the potential power of facial recognition combined with social network data mining to reveal personal information about individuals based solely on a photo of them. The technique calls for linking faces of random individuals to images in databases that contain other information about them and using that information to project Social Security numbers, says Alessandro Acquisti, a professor at Carnegie Mellon University, who presented the research.
He admits the method is far from foolproof, but that the individual pieces of technology are developing rapidly and could be ready for use in the real world in the foreseeable future. He is working on projections of how long it will take for the technologies involved to develop to the point of being reliable.
The point, Acquisti says, is to show that a framework of digital surveillance that can go from a person's image to personal data exists today and will only get better as technologies improve, making privacy more scarce and making surveillance readily available to the masses. "This, I believe and fear, is the future we are walking into," he says.
Another frightening presentation showed how simple it is to hack devices connected to phone networks, with the most dangerous implication being potential attacks against the control systems in utility networks, power grids and industrial manufacturing plants.
Don Bailey, a consultant with iSec Partners, demonstrated compromising a car alarm via vulnerabilities in phone networks, but made the point that the technique works equally well against Supervisory Control and Data Acquisition (SCADA) systems used in critical infrastructure.
The implications are severe enough that he briefed the Department of Homeland Security about the problem, and he says the department is following up with vendors of vulnerable gear as well as owners of the critical infrastructure that might be at risk as a result.
Bailey says he and fellow researchers took a look at devices that are attached to phone networks for the purpose of receiving control messages and discovered two types. Then they figured out how to distinguish these devices from the less-interesting devices connected to phone networks such as phones, modems and faxes.
By following clues in owner's manuals or with a little reverse engineering of some hardware, they were able to send control messages to individual devices. He says they were able to compromise the car alarm in about two hours.
Read more about wide area network in Network World's Wide Area Network section.