Mobile threats and other new directions from Black Hat
Mobile computing seems to be the new frontier in cybersecurity, edging out the cloud as a fruitful area for research and hacking at last week’s Black Hat Briefings. But stealthy persistent threats remain a serious concern and the emerging Internet of Things offers new challenges to privacy.
It’s getting harder to spot trends at Black Hat as the annual security conference grows and evolves, however. It remains a premier venue for original research, but with more than 7,500 attendees and presentations offered in 11 simultaneous tracks at the U.S. Briefings July 31 and Aug. 1 in Las Vegas, it no longer is a compact community where you can keep your ear to the ground. The crowds not only are larger, they also are more diverse, with a growing number of corporate and government types joining the hackers and researchers (although government employees are loath to identify themselves).
That change was illustrated by the reception given NSA Director Gen. Keith Alexander, who gave the opening keynote. Although Black Hat founder Jeff Moss said in introductory remarks that tensions between the hacker/security community and government were at an all-time high in the wake of revelations about domestic NSA snooping, the general found a largely friendly crowd. Yes, there was a shouted expletive and a few taunts from the audience, but people seemed to be mostly on Alexander’s side.
“There is such a thing as professionalism,” one audience member sniffed at the heckling.
But pushback has always been a hallmark of Black Hat and attendees are encouraged to challenge unsupported claims. This year’s audience seemed to be unusually willing to accept on faith assertions from Alexander that a more skeptical crowd would have questioned, such as the statement that “we have tremendous oversight and compliance” in surveillance programs and the claim that there has never been any NSA overreach in gathering data. Alexander might be right, but we have no way of knowing as long as the programs remain classified. The general said “trust me,” and the audience did.
That said, there still is a lot of research being presented. As mobile computing comes of age there is a growing interest in possibilities offered by the Google Android and Apple iOS platforms. A malicious USB charging device can bypass digital signature requirements on many iPhone versions to install phony apps with malware without jailbreaking the phone.
Cryptographic keys for signing Android applications can be exposed to create bots that can set up unlimited numbers of spam accounts on social networking sites. Other vulnerabilities in Android authentication can allow legitimate apps to be altered, giving an attacker system control of the phone. Automated exploits for this one already are in the wild.
The BlackBerry OS 10 presents an attack surface that can allow remote entry and unauthorized escalation of privileges. There also is new mobile malware, along with new mobile rootkits, and the LTE network itself is far from secure.
All of this takes on added significance as desktops become obsolete, laptops passé, and everyone uses tablets and smart phones to access data and applications that are being moved to the cloud.
At the same time, complex multistage threats and rootkits still are being advanced, and distributed denial-of-service attacks capable of delivering multi-gigabit streams to targets are being offered as a service. In short, nothing is getting better and a lot of things are getting worse. All of this means plenty of job security for anyone who can defend a network, a server, a computer or an application.
As long as you can keep up with the bad guys, that is.
Posted by William Jackson on Aug 06, 2013 at 8:41 AM