The 2018 Black Hat conference–summer’s week-long celebration of all things infosec–kicked off with an inspiring exhortation by Parisa Tabriz, Director of Engineering at Google. She urged attendees to forget the status quo and stop playing security Whack-A-Mole. Using examples from her oversight of Google Chrome and the Project Zero team, she laid out three principles to improve security research.
First, don’t just fix problems as they pop up; seek the root cause. Second, identify milestones in your process and celebrate reaching them. (Nothing fancy; she mentioned a poetry slam and homemade HTTPS cake.) Finally, build out your coalition. Keep communication about your project and its progress open upward to management and outward to colleagues and partners.
With the keynote satisfyingly complete, we headed for the always-enlightening sessions. Of course, we two reporters couldn’t possibly cover them all, but we charted a path visiting sessions that would interest both ourselves and you, our readers. We found plenty to admire–and to fear.
SATCOM Hacking For Fun and Terror
Four years later, he returned to Black Hat to show that his earlier proof-of-concept attacks were not only real but, if anything, rosier than the truth. Not only are SATCOM systems loaded with backdoors, making them desperately easy to control remotely, but Santamarta also found that many are accessible via the internet. During his research, he was able to find airplane systems registering on the Shodan search engine while the planes were flying.
He even saw malware trying to automatically install itself on an airplane, and he found all kinds of botnets sitting on maritime SATCOM systems. The most shocking discovery Santamarta made was that he could potentially use a hijacked antenna as a weapon. Not only could he point the antenna at whatever he wished, but he could also coax it into transmitting far more power than it was ever intended to send.
Self-Driving Cars Are Surprisingly Safe
Chris Valasek and Charlie Miller used to display dramatic car hacks–for example, remotely taking control of a Jeep and driving it into a ditch. They now work for Cruise, GM’s self-driving car division.
Instead of attackers, they’re now protectors, working to make self-driving cars safe. Miller and Valasek always put on a good show. They clarified the taxonomy of self-driving cars, from the automation-free Level 0 to the current Level 4, which is completely automated but restricted to driving a known area. Sorry: Level 5, KITT from Knight Rider, doesn’t exist yet.
Good news! Those stories you read about tricking self-driving cars by modifying street signs, blinding their radar, and so on? They’re just not true. Modern self-driving cars run only in areas that have been exhaustively mapped. Even if you should knock down a stop sign, the car still knows to stop.
Enter God Mode
Researcher Christopher Domas has spent a long time mucking around in the guts of computers, looking for ways to exploit vulnerabilities in low-level processes. We’re talking about the stuff that makes your CPU run here. While researching patents related to the x86 CPU architecture, he discovered several clues that suggested that undocumented commands could allow someone with the lowest level of access on a computer (ring 3) to jump to the highest level (ring 0).
After buying 57 computers for research, Domas set about looking for these secret commands. He chose as his target the VIA C3 CPU, which has a hidden RISC core alongside the x86 core. To search out the hidden commands, he treated it like a black-box problem, sending in tons of inputs and observing the outputs to divine what was happening in the middle.
Using timing side-channel analysis, Domas was able to determine when one of his inputs did something. During his research, he would have to use a similar technique several times. At one point, he had seven computers hooked up to a master computer that could automate the process of sending possible inputs.
He even set up a relay box to power-cycle the test computers when they inevitably froze up from the instructions he sent. This portion of the research alone took three weeks of constant testing. Domas’ hard work was rewarded when he eventually discovered all the necessary steps to talk to the hidden RISC core and use it to gain a level of access that should be impossible.
It’s the kind of story Black Hat loves: a ridiculous goal, masterful knowledge, and outrageous exertion to achieve that goal. As for Domas, he thinks of this work as a case study. “Backdoors do exist in hardware, but we can find them,” he said.
When security researcher Balint Seeber moved to San Francisco, he was startled by the weekly ritual testing of the emergency sirens. His surprise quickly turned to curiosity about these wailing horns mounted on poles around his city, and he began to wonder how it all worked.
Fortunately, Seeber is really into radio, and he set to work discovering what made these systems tick. Along the way, he spent hours surreptitiously mapping and photographing sirens around San Francisco, looking for clues as to how they communicated. He also grabbed tons of data with software-defined radio and an enormous system of antennas installed in his attic.
His detective work paid off when he not only reverse-engineered how the city of San Francisco controls its sirens, but discovered that it used no security mechanisms at all–meaning that anyone like him could set the sirens off whenever they wished. Through an ethical disclosure process, Seeber informed the city and the siren manufacturer, leading to a patched system for the city. Not only that, some additional work uncovered similar vulnerabilities in the siren system for Sedgwick County, Kansas.
Software-defined radio talks at Black Hat are always fun because of the specialized knowledge and detective work that goes into the security research. Notably, Seeber was able to find critical pieces of information–including a look inside the siren control box and audio of a Sedgwick County siren control system broadcast–in local news broadcasts uploaded to YouTube.
Voice Authentication Cracked With Ease
As voice recognition improves, some companies begin to treat it as voice authentication. John Seymour and Azeem Aqil, security experts from Salesforce, set out to determine the safety of voice authentication. Their goal: break into an account using a synthesized voice and do it in a reasonable time, with reasonable hardware.
That is to say, do it in days, not months, using a desktop, not a server farm. Using readily available open-source tools and resources, they eventually came up with a method to go from a voice in a YouTube video to a functioning synthesized imposter in a day or two. Normally, the creation of a working voice synthesizer needs 24 hours of audio input with transcription.
They managed to get the job done with 10 minutes of audio by amplifying the samples and using a technique called transfer learning, which let them first teach the model to speak and then fine-tune it to match the target.
Attacking Critical Infrastructure
Any time you see the name Marina Krotofil on the Black Hat sessions list, it’s worth your while to attend her talk. Often highly technical, her work is some of the most interesting in the field of defending critical infrastructure such as factories and power plants from attackers seeking to disable or ransom them. Her previous work includes using bubbles to cripple a factory.
Yes, bubbles. At Black Hat 2018, she was joined by fellow researchers Younes Dragoni and Andrea Carcano. Together, they examined the Triton malware, which was designed to attack safety system controllers–the last line of defense at an industrial site.
The researchers tore Triton apart and explained, step by step, what it does and why. It’s like following in the footsteps of the attackers. For reasons unknown, Triton was never given a malicious payload to deliver.
One thing the three researchers could conclude was that Triton was too valuable a resource to simply be intended to shut down the factories it infected. It might have been made for something far more dramatic or dangerous.
Hacking Voting Machines Is Easy; Reputable Elections Are Hard
The Russian interference campaign with the 2016 US election is the single biggest cybersecurity story since Edward Snowden, and it has renewed interest among researchers in relevant issues, such as voting systems. Last year, Carsten Schuermann, an Associate Professor at the IT University of Copenhagen, hacked a WinVote electronic voting machine at DefCon.
This year at Black Hat, he showed that while hacking these voting machines is trivially simple, confirming whether an attack has occurred is enormously difficult. Schuermann had a lot to say about the importance of paper ballots and standard election audits in order to reinforce democracy. But he also found some weird stuff on the WinVote machine.
Anomalous attempts to dial out via its modem, files that appear identical but are flagged as altered, and a Chinese MP3 were just a few of the oddities. These really might be the world’s worst voting machines.
Even Sloppy Hackers Get the Goods
Stealth Mango sounds like a character on an Adult Swim cartoon, but it’s actually the name of a serious surveillanceware tool that’s been implicated in nation-state attacks. Andrew Blaich and Michael Flossman of Lookout have a long history of discovering and taking down such nation-state malware.
Their presentation revealed that you don’t have to be sophisticated or clever to plant malware and steal data. During the course of their investigation, they found that Stealth Mango’s creators hadn’t locked down their own systems, so Blaich and Flossman captured a copy of the stolen data. They also found names, email addresses, and social media accounts of the perpetrators embedded in the code; sloppy!
Pawing through the command-and-control servers, they identified the location of the attacks as the government center of Islamabad, Pakistan. That command-and-control center is now kaput, but they expect Stealth Mango’s creators will be back.
The Meltdown vulnerability is notable for two things: being catastrophically bad and enormously widespread. This vulnerability, like the God Mode mentioned elsewhere in this article, relied on the microarchitecture that governs how CPUs operate.
Except in this case, Meltdown let someone without the proper credentials access all the memory on the machine. In their talk at Black Hat, three of the key researchers behind the discovery of Meltdown gently guided the audience through how Meltdown works and how they found it in the first place. They also took a moment to call out the technology industry as a whole, saying it’s time that critical components like CPUs start being designed with security first, rather than speed and performance.
Cyber Warriors Need Love Too
This year Black Hat added a focus on mental health in cybersecurity, with four tracks devoted to the subject.
Josiah Dykstra and Dr. Celeste Paul, both researchers for the NSA, explored the problem of stress for cyberwarfare operatives. Another session examined the connection between autism and cybersecurity brilliance.
The panel included Rhett Greenhagen, who worked at the Department of Defense for years, has been diagnosed as being on the autism spectrum, and now does security research for McAfee; Casey Hurt, the Chief of Information Assurance at the Department of Defense and Rhett’s one-time boss; and Dr. Stacy Thayer, a specialist in organizational and business psychology. Talking about the problems and benefits of hiring workers on the autism spectrum, the panel concluded that such workers can be extremely helpful, seeing patterns others don’t, as long as management supports them.
Dr. Christian Dameff, an Emergency Medicine physician, and Jay Radcliffe, a security researcher, spoke on fighting burnout, depression, and suicide in the security community. And Jamie Tomasello, the senior manager of security operations at Duo Security and a certified information privacy professional, shed light on the problem of addiction among those stressed out by a security career.
What Air Gap?
When you really, really need to keep a secret, it’s a good idea not to put it on a machine connected to the internet. But when you disconnect that secret-keeping computer, you’ve created an air gap, and that’s considered one of the best ways to keep information secure. Right?
Well, not so much. Researcher Mordechai Guri has spent years finding new ways to move information off air-gapped computers in increasingly difficult scenarios. At Black Hat, he did a quick rundown of some of his great air-gap escapes.
He’s found ways to leak data through speakers, fan noise, the sound of the arm in a hard drive, and magnetic fields. In one case, he created software that could convert the monitor cable into a rudimentary FM antenna to transmit data. In another scenario, he used the path between the CPU and the RAM as a cellular antenna.
Fearless Twitterbot Hunters
Jordan Wright and Olabode Anise, researchers from Duo Security, decided to see if they could train a machine-learning system to distinguish bot accounts from real people. They used the Twitter API to gather a vast repository of accounts, tweets, and metadata. Using this data store, they trained a machine-learning network to sort bot accounts from good accounts.
But the network wasn’t as accurate as they had hoped. Taking a different approach, they took their verified collection of bot accounts and unraveled the network created by the accounts following and followed by those bots. They closed by pointing to their research on GitHub and inviting attendees to join the Twitterbot hunt.
Defeating LTE Networks With Just £200
Running a cellular network is hard.
Not only do you have all those pesky consumers to worry about, but you also need to manage and optimize all those cellular base stations to provide coverage for the cellphones. Enter Self-Organizing Networks (SONs). These are smart networks in which the cellular base stations take data from each other and from the cellphones they serve to automatically configure and optimize themselves, for better performance and less human intervention.
The problem, as researcher Altaf Shaik discovered, is that the SON LTE design is built on a mistake: it blindly trusts the information it receives from cellphones and other base stations. Using just £200 worth of equipment, Shaik showed how to confuse and entangle SON networks, force the shutdown of base stations, and cause phone calls to drop. The solution? Don’t design systems that trust information without some kind of verification.
Cracking Cryptography at a Distance
At past Black Hat conferences, we’ve seen techniques for cracking cryptographic calculations by measuring changes in the voltage drawn by a smartphone or by measuring the electromagnetic radiation emitted when electronic switches toggle between values. But the power-measurement trick required replacing the smartphone’s battery with a current-analysis tool, and the radio-wave method worked only in close proximity to the phone. A group of academics from EURECOM demonstrated a technique for cracking crypto at distances up to 10 meters by tapping the radio frequency noise emitted by a smartphone.
Admittedly, the demo required a very specific setup. But they pointed out that since such tapping is possible at all, it could well become more flexible and more dangerous.
Stealing Secrets from VPNs With Compression
They ensure that three-letter agencies and your ISP can’t spy on or profit from your internet traffic. Surely putting them together is a good thing, right? Not exactly.
Using a compression oracle attack, researcher Ahamed Nafeez showed how he could extract secret information that should be secured by the VPN. The attack hinges on how compression algorithms work: they take repeated elements and replace them with short codes. To extract the session ID, for example, Nafeez injected plain text he knew to be present in the secret information and then changed one number.
Do that repeatedly, and every time you see the size of the encrypted data drop, you know that what you sent is part of the secret information. Repeat as necessary, until you’ve stolen all the info you need. The good news is that Nafeez’s attack hinges on the victim visiting an HTTP site, but these are rapidly becoming extinct, and just as rapidly, they’re being flagged as malicious by default.
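The mechanism described above comes down to one observable: when attacker-influenced text and a secret share a single compressed stream, the compressed (and therefore encrypted) length depends on how much of the secret the injected text matches. The following Python example, added here and not code from Nafeez or from the article, makes that observable concrete with zlib and a constructed page containing a hypothetical session token. It pairs a vulnerable rendering with a hardened one that keeps the secret out of the compressed stream (the other standard fix is to disable compression entirely), and gives a check a defender can run against either renderer: does the output length change when only the secret changes?

```python
import zlib

# Constructed sample tokens of equal length; neither comes from the article.
SECRET_A = "7f3a9c1e"
SECRET_B = "0b2d4e68"


def vulnerable_response(reflected: str, secret: str) -> bytes:
    """Attacker-influenced text and the secret share one DEFLATE stream.

    This models a VPN or TLS layer that compresses a whole HTTP response
    before encrypting it: DEFLATE back-references the earlier copy of the
    token, so the output shrinks when `reflected` matches more of it.
    """
    page = (
        f"<p>You searched for: {reflected}</p>"
        f"<a href='/?sessionid={secret}'>account</a>"
    )
    return zlib.compress(page.encode())


def hardened_response(reflected: str, secret: str) -> bytes:
    """Keep the secret out of the compressed stream.

    Only the attacker-influenced fragment is compressed; the fragment that
    carries the token is appended uncompressed, so the total length no
    longer depends on the token's value.
    """
    public = f"<p>You searched for: {reflected}</p>"
    private = f"<a href='/?sessionid={secret}'>account</a>"
    return zlib.compress(public.encode()) + private.encode()


def length_depends_on_secret(render, guess: str) -> bool:
    """Defender-side check for a compression oracle.

    Under a stream cipher or CTR-mode record layer the ciphertext length
    equals the plaintext length, so if the rendered length differs between
    two equal-length secrets for the same injected string, the length
    leaks information about the secret.
    """
    return len(render(guess, SECRET_A)) != len(render(guess, SECRET_B))


if __name__ == "__main__":
    guess = "sessionid=7f3a9c1e"  # injected text that happens to equal SECRET_A's token
    for name, render in (("vulnerable", vulnerable_response), ("hardened", hardened_response)):
        a, b = len(render(guess, SECRET_A)), len(render(guess, SECRET_B))
        print(f"{name}: {a} bytes with SECRET_A, {b} bytes with SECRET_B, "
              f"leaks={length_depends_on_secret(render, guess)}")
```

The vulnerable renderer produces a visibly shorter output when the injected text matches the real token, which is exactly the signal the article describes; the hardened renderer produces the same length for both tokens, so the injected text learns nothing. Running the check across a site's templates is a cheap way to find places where user-controlled input and session secrets end up in the same compressed body.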
When Good Security Goes Bad
Antivirus utilities typically eliminate known malware and ignore known good programs. Some of them send unknown files, ones not known to be either good or bad, to the cloud for further analysis. And that’s not necessarily safe.
Ido Naor is a senior researcher for Kaspersky, and Dani Goland is a self-styled “23-year-old coding machine.” The two are also cofounders of VirusBay, a social network that helps security researchers share ideas and samples. They pulled down an immense quantity of files from a well-known antivirus aggregator, specifically choosing files that no antivirus detected as malicious. Running these through various filters and analysis scripts, they turned up tons of data that should have been private, such as contracts and internal company communications.
They concluded that security companies need to take a hard look at sending private data to the cloud for examination and should not retain non-malicious samples.
Fear, Loathing, and Two-Factor Authentication
Jean Camp, a professor at Indiana University, and Sanchari Das, a PhD student there, devised a study to answer that question. They chose the Yubikey security token for the study on the basis that it’s the simplest form of two-factor authentication. They then gave each study participant a Yubikey and observed as the participants attempted to register the device on a secure site.
Many ran into trouble, including quite a few who completed the registration demo and figured they were done. Dr. Camp passed recommendations to Yubico, most of which were followed.
A second round of testing went much more smoothly. Even so, participants just weren’t interested in using the devices. A survey a month after the study found none of them still using the Yubikey.
Many had discarded the device. The study concluded that consumers just don’t understand the benefits of using two-factor authentication and the risks of doing without it. They’re very afraid of losing access to their accounts if something goes wrong, and they’re not afraid of the remote possibility that someone might hack their accounts.
Going forward, Das and Dr. Camp suggest we need clear, simple warnings, like the Surgeon General’s warning on cigarette packs.