I cannot sleep at night because I just got back from Black Hat

I’ve attended the Black Hat Security conference in Las Vegas for many, many years now. It is by far the best security event each year and this year was no exception. Each year seems to go something like this for me:

I attend the conference and get educated on all the new attack vectors, exploits, and general mayhem happening in the digital world. I come home afraid of my digital shadow. Throughout the year I pay attention to all the work that is done to close the holes we heard about. I start to feel better about the fate of our digital world; things are looking up! I attend the next year's Black Hat conference. I learn about the new digital Armageddon. I get scared again. Rinse and repeat. I am convinced I'm part of some sick psych experiment. Why do I go, you ask? Well, I guess it is like going to a NASCAR event. You go for the thrills and the crashes!

Here is a brief glimpse of the messages that were delivered by the various researchers speaking at Black Hat this year. This is my attempt to distill a one-hour presentation into a one-sentence takeaway. I highly recommend that you don't take these at face value; they are meant to raise awareness for further study. I recommend you explore the research further so you have all of the facts and the complete picture. (Some of these have already been fixed. Phew!):

- The certificate authority system that is so critical to HTTPS/SSL secure website encryption is fatally flawed, has been hacked several times already (with certificates stolen), and is generally in need of a major overhaul to fix the lack of true authenticity it provides today. Authenticity is what keeps us safe from SSL man-in-the-middle attacks. A very cool Firefox plug-in called Convergence, which might help with this issue, was released; definitely check it out, along with the paper on this whole issue, called Perspectives.
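To make the "multiple perspectives instead of one CA" idea concrete, here is a toy model I wrote for this post (it is not code from the Convergence or Perspectives projects, and the notary names, certificates and fingerprints are all constructed). The client compares the certificate it received with what several independent notaries saw for the same host and accepts only when a quorum agrees; a man-in-the-middle on the client's path alone then no longer passes.

```python
"""Added example (not from the post or the Convergence/Perspectives projects):
a toy model of checking a site's certificate against several independent
"notaries" instead of trusting a single certificate authority."""
import hashlib
from collections import Counter

# Constructed stand-ins for DER certificate bytes; in practice these come from the TLS handshake.
CERT_REAL = b"-----CONSTRUCTED CERT FOR example.test (genuine server)-----"
CERT_MITM = b"-----CONSTRUCTED CERT FOR example.test (interceptor)-----"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the certificate; this is what notaries record and compare."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed notary observations: each notary reports the fingerprint it sees for the
# host from its own vantage point on the network (None = notary did not answer).
NOTARY_REPORTS = {
    "notary-a.test": fingerprint(CERT_REAL),
    "notary-b.test": fingerprint(CERT_REAL),
    "notary-c.test": fingerprint(CERT_REAL),
    "notary-d.test": None,
}


def notary_verdict(client_cert: bytes, reports: dict, quorum: int):
    """Return (accept, reason).

    Accept only when at least `quorum` notaries report the same fingerprint the
    client saw. An attacker who intercepts the client's connection must also
    intercept every notary's independent connection to pass this check.
    """
    seen = fingerprint(client_cert)
    answers = [fp for fp in reports.values() if fp is not None]
    if len(answers) < quorum:
        return False, f"only {len(answers)} notaries answered; quorum is {quorum}"
    counts = Counter(answers)
    agreeing = counts.get(seen, 0)
    if agreeing >= quorum:
        return True, f"{agreeing} of {len(answers)} notaries saw the same certificate"
    majority_fp, majority_n = counts.most_common(1)[0]
    return False, (f"only {agreeing} notaries saw the client's certificate; "
                   f"{majority_n} saw {majority_fp[:16]}... instead (possible MITM)")


if __name__ == "__main__":
    for label, cert in (("genuine", CERT_REAL), ("intercepted", CERT_MITM)):
        ok, why = notary_verdict(cert, NOTARY_REPORTS, quorum=2)
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The real systems also keep a history of what each notary observed over time, so a certificate that legitimately rotates does not look like an attack; this toy only compares current sightings, and the quorum value is a policy choice the client makes.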

- Mac OS X 10.7 is a must-upgrade for those who take security seriously: many critical improvements, so upgrade now. Lion supports new application sandboxing, XPC for intra-application privilege separation, ASLR improvements, 64-bit support, etc.

- A great analysis was done of how Mac OS X holds up to an Advanced Persistent Threat (APT) attack. In a nutshell, it is way better than XP but in a dead heat with Win7.

- Mac OS X Server has major security issues and is way less secure than Windows Server 2008 R2. The researcher suggested that OS X Server security is so poor as to not be deployable.

- A researcher showed an exploit against Apple's new smart batteries used in its MacBook Pro line. The researcher showed how the battery could be hacked so that it stops accepting a charge or, better yet, overheats and catches fire or explodes.

- Do not use Apple's Bonjour file-sharing/network-discovery protocol on an untrusted network. It has major security weaknesses: no authentication, mDNS spoofing, no user interaction required, etc.

- A study was done that shows Mac users aren't as paranoid as Windows users about security. The conclusion was that they would be more susceptible to social-engineering attacks like phishing.

- A researcher found that on several consumer Internet router/firewall products, when UPnP was enabled (usually on by default), it worked on both the inside and OUTSIDE interfaces. That means anyone on the Internet could send your router a UPnP message to reconfigure the security settings of your device and let them in. Of course, disabling UPnP has been a best practice for a long time, but I know most people have no idea.

- A researcher developed a cool tool called nooter (and rotonooter) that shows whether your ISP is bandwidth- or rate-limiting you, certain websites, or certain protocols/services.

- The basic security architecture of iOS is very well done; lots of complex steps are needed to fully compromise a device. Mandatory iOS code signing is enforced at run time, making it very secure. iOS app sandboxing is fairly well done, but there are some issues with allowing apps access to over 141 local RPC servers in the OS. iOS 4.3 now includes ASLR for all built-in apps and for apps that have been compiled as PIE. App devs out there, please compile your application as PIE; please. Unfortunately the vast majority don't. The biggest threat is using browsers embedded in applications. Use the native Safari browser instead.
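For the developers being asked to ship PIE builds, here is a small checker I added for this post (not code from the talk or from Apple) that reads the Mach-O header of a binary and reports whether the linker set the PIE flag for each architecture slice. The header layout and the flag value are the public Mach-O definitions; the sample binaries in the block are constructed minimal headers, not real apps.

```python
"""Added example (not from the post or from Apple): report whether a Mach-O
binary was linked as PIE, so ASLR can actually randomize its load address."""
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit thin Mach-O (little-endian on disk for ARM/x86)
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit thin Mach-O
FAT_MAGIC = 0xCAFEBABE     # universal binary wrapping several slices (big-endian table)
MH_PIE = 0x00200000        # mach_header.flags bit: image may load at a random address

CPU_ARM = 12               # cputype values used only to label the constructed samples
CPU_X86_64 = 0x01000007


def _thin_is_pie(data: bytes, offset: int = 0) -> bool:
    """flags is the seventh 32-bit field (offset 24) in both mach_header layouts."""
    (magic,) = struct.unpack_from("<I", data, offset)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError(f"not a little-endian thin Mach-O at offset {offset}")
    (flags,) = struct.unpack_from("<I", data, offset + 24)
    return bool(flags & MH_PIE)


def pie_status(data: bytes) -> dict:
    """Map each architecture slice (cputype) in the binary to True/False for PIE."""
    (magic,) = struct.unpack_from(">I", data, 0)
    if magic != FAT_MAGIC:
        (cputype,) = struct.unpack_from("<i", data, 4)
        return {cputype: _thin_is_pie(data)}
    # fat_header {magic, nfat_arch} then nfat_arch fat_arch records of 20 bytes each
    (nfat,) = struct.unpack_from(">I", data, 4)
    result = {}
    for i in range(nfat):
        cputype, _sub, off, _size, _align = struct.unpack_from(">iiIII", data, 8 + 20 * i)
        result[cputype] = _thin_is_pie(data, off)
    return result


def make_thin(cputype: int, pie: bool, bits: int = 64) -> bytes:
    """Constructed minimal Mach-O header (no load commands) for demonstration."""
    magic = MH_MAGIC_64 if bits == 64 else MH_MAGIC
    flags = MH_PIE if pie else 0
    # magic, cputype, cpusubtype, filetype (2 = MH_EXECUTE), ncmds, sizeofcmds, flags
    hdr = struct.pack("<IiiIIII", magic, cputype, 0, 2, 0, 0, flags)
    if bits == 64:
        hdr += struct.pack("<I", 0)  # 64-bit header has a trailing reserved word
    return hdr


def make_fat(slices) -> bytes:
    """Constructed universal binary from (cputype, thin_bytes) pairs (no page alignment)."""
    table_len = 8 + 20 * len(slices)
    entries, blobs, off = [], b"", table_len
    for cputype, blob in slices:
        entries.append(struct.pack(">iiIII", cputype, 0, off, len(blob), 0))
        blobs += blob
        off += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + b"".join(entries) + blobs


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, pie_status(f.read()))
    else:  # demo on constructed samples
        print(pie_status(make_fat([(CPU_ARM, make_thin(CPU_ARM, False, 32)),
                                   (CPU_X86_64, make_thin(CPU_X86_64, True))])))
```

Run it with the path of an app's main executable; a slice reported as False was not built with PIE and will keep a fixed load address even on iOS 4.3. On a Mac, `otool -hv` on the same file shows the same PIE flag in its flags column if you want a second opinion.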

- Apple iOS turns on encryption as soon as you enable a passcode on your device; the complete file system is encrypted. However, as was previously known, a simple jailbreak of the phone allows the attacker to decrypt all data. In iOS 4.x, Apple released Data Protection. This feature encrypts a subset of the file system using your passcode as the key rather than the normal encryption key. This means that even if they jailbreak your iPhone, they would still need your passcode to unlock any folders or files protected by Data Protection. Unfortunately, that protection is extremely limited today: only Mail, attachments, profile passwords like ActiveSync IDs, and apps that ask for Data Protection through the API have it.

- A clever new spear-phishing attack using Google Alerts was disclosed. This is an APT-type attack where a specific person or entity is targeted. It works very simply. Many executives, their staff, or their marketing department use the Google Alerts service to track any and all new web postings that mention them or their company; basically, it is a tool so folks can be alerted when others are talking about them in articles, blogs, etc. The idea of the spear phish is to set up a drive-by-download infected website and post an article about the target person or entity on it. The target receives a Google Alert message with the website link in it and clicks the link to see what new press they have received on the web. The malware-infected site then compromises their browser and PC. Voila, the attacker now has a foothold into the target's internal network.

You can find the archives of the talks given this year about 6 months from now at

Until then you will have to try and track down the research using Google. Sorry I can't provide you more than that. But I can answer any questions you might have if you post them here.


*** This is a Security Bloggers Network syndicated blog from Network World Cisco Security Expert authored by [email protected]. Read the original post at: