Black Hat USA 2007 Briefing
Over 3,700 security professionals gathered in Las Vegas early this month to preview the latest threats and to see firsthand what new attacks and compromises are coming. This year's conference was substantially bigger than last year's and included significant representation from vendors and from the legitimate, white-hat security community. Unfortunately, the news from Black Hat is not good for banking and finance executives.
Numerous experts demonstrated attacks that require no custom malicious code at all: legitimate features of commonly used protocols, used in creative ways, are enough to expose users and companies to significant vulnerabilities. One of the more interesting presentations was by Bryan Sullivan and Billy Hoffman of SPI Dynamics on the vulnerabilities of AJAX applications. Many banks and other financial organizations are adopting AJAX to give their users a richer web experience. The risk is that in almost all cases the AJAX code executes on the client side. In the past, web application security focused on validating input at the server to protect against the execution of unauthorized code. Under an AJAX architecture, application logic and input checks move into the browser, where the user controls every aspect of the program; an attacker can alter or bypass that client code and call the back-end web services directly, exposing organizations to the threat of a manipulated client taking direct control of servers. The presenters demonstrated dumping the entire contents of a database through a remote web service with only two commands, and such a dump would be invisible to the organization, since the requests look like ordinary application traffic. It is clear that, in addition to checking inputs at the web application, every web service it exposes must itself be secured and its code reviewed.
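The following added example (written for this briefing, not code from SPI Dynamics or from their presentation) illustrates the point in miniature. A stand-in for the browser-side check rejects malformed account numbers, but the back-end web service trusts that the check already ran and builds its query by string concatenation, so an attacker who posts straight to the endpoint retrieves every row. The hardened version repeats the validation on the server and binds the parameter. The account table, the endpoint names and the payload are all constructed for the demonstration; the database is an in-memory SQLite file.

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from any real institution.
ACCOUNTS = [
    (1, "alice", 1200.50),
    (2, "bob", 87.00),
    (3, "carol", 99999.99),
]

# Account ids are short decimal strings in this hypothetical application.
ACCOUNT_ID = re.compile(r"^\d{1,6}$")


def make_db():
    """Build an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def client_side_check(account_id: str) -> bool:
    """Stands in for the JavaScript validation that runs in the browser.
    An attacker who calls the web service directly simply never runs it."""
    return bool(ACCOUNT_ID.match(account_id))


def vulnerable_balance_service(conn, account_id: str):
    """Hypothetical AJAX back-end that trusts the browser to have validated
    account_id and concatenates it into SQL. Deliberately vulnerable."""
    sql = "SELECT id, owner, balance FROM accounts WHERE id = " + account_id
    return conn.execute(sql).fetchall()


def hardened_balance_service(conn, account_id: str):
    """Same service, but it validates on the server and binds the parameter,
    so client-side tampering cannot change the shape of the query."""
    if not ACCOUNT_ID.match(account_id):
        raise ValueError("invalid account id")
    return conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ?", (int(account_id),)
    ).fetchall()


def demo() -> dict:
    """Run both services against a legitimate id and a crafted payload."""
    conn = make_db()
    legit = "2"
    # Payload sent straight to the endpoint, bypassing the browser entirely.
    payload = "0 OR 1=1"
    results = {
        "client_check_rejects_payload": not client_side_check(payload),
        "vulnerable_dump_rows": len(vulnerable_balance_service(conn, payload)),
        "vulnerable_legit_rows": len(vulnerable_balance_service(conn, legit)),
        "hardened_legit_rows": len(hardened_balance_service(conn, legit)),
    }
    try:
        hardened_balance_service(conn, payload)
        results["hardened_rejects_payload"] = False
    except ValueError:
        results["hardened_rejects_payload"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The browser check passes a clean id and rejects the payload, yet the vulnerable service returns all three rows for the payload because the check never ran on the path the attacker used. Only the server-side validation plus the bound parameter in the hardened service closes that path.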
The vendor community is gearing up to meet the mandates of the new PCI DSS standard, which will require either web application firewalls with monitoring or application code reviews (manual or with static-analysis tools). Many web vulnerability companies have introduced dedicated compliance-checking features into their products. These products inspect the content of web requests to detect and block malicious input, including attacks arriving over port 80, which a conventional network firewall must leave open and passes through uninspected. Static code analysis is also growing in the marketplace. Several vendors demonstrated their tools' ability to quickly find poorly written code that could lead to vulnerabilities, so that it can be fixed before deployment.
Emerging technologies are at risk as well. Wi-Fi driver flaws allow computers to be remotely compromised even when the wireless adapter is not associated with any network. A zero-day exploit was demonstrated via a video (this prevented attendees from sniffing the details of the actual attack) showing the remote exploitation of a MacBook and the installation of a rootkit through such a flaw. Open Wi-Fi should be a critical issue for organizations for a more mundane reason as well: according to Errata Security Inc., users who access common sites such as Google's Gmail or Facebook over Wi-Fi could be putting their accounts at risk of hijack, or their network at risk of compromise. An attacker simply uses a packet sniffer to capture the session cookies the browser sends in the clear, imports them into another web browser and thereby takes over the user's logged-in session without ever learning the password. They could then post to a blog, read email or carry out other malicious activity. Users should not use a Wi-Fi hotspot unless they are using a VPN (virtual private network) or SSL (Secure Sockets Layer) to access their accounts, and SSL only helps if the entire session, not just the login page, is encrypted: a session cookie that the site also accepts over plain HTTP can still be sniffed and replayed.
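The following added example (written for this briefing; it is not Errata Security's code) shows both halves of the session-hijacking problem on constructed data. The first function does what a sniffer on an open hotspot does: it pulls the Host and Cookie headers out of plaintext HTTP requests and collects them per site, which is all an attacker needs to import into another browser. The second function is the check a site operator would run on its own responses: it reports any Set-Cookie header that lacks the Secure attribute, because such a cookie will be sent over plain HTTP and exposed to exactly that sniffer. The hostnames, cookie names and values are all made up for the demonstration.

```python
# Constructed sample capture: three plaintext HTTP requests as a sniffer on an
# open hotspot would see them. Hosts and cookie values are fictitious.
CAPTURED_REQUESTS = [
    b"GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\n"
    b"Cookie: SID=abc123sessiontoken; PREF=lang%3Den\r\n\r\n",
    b"GET /home.php HTTP/1.1\r\nHost: social.example.net\r\n"
    b"Cookie: sess=deadbeef; c_user=4711\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n",
]

# Constructed server responses: the first sets the session cookie without the
# Secure attribute, the second sets it correctly.
SERVER_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nSet-Cookie: SID=abc123sessiontoken; Path=/\r\n"
    b"Set-Cookie: PREF=lang%3Den; Path=/\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nSet-Cookie: SID=abc123sessiontoken; Path=/; Secure; HttpOnly\r\n\r\n",
]


def header_lines(raw: bytes) -> list:
    """Return the header block of an HTTP message as a list of lines; the first
    line is the request line or status line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return head.split("\r\n")


def parse_headers(raw: bytes) -> dict:
    """Map lower-cased header names to values (last occurrence wins)."""
    headers = {}
    for line in header_lines(raw)[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def harvest_sessions(requests) -> dict:
    """What a sidejacking sniffer does: collect every Cookie header sent in the
    clear, keyed by host, ready to be loaded into another browser."""
    sessions = {}
    for raw in requests:
        h = parse_headers(raw)
        if "host" in h and "cookie" in h:
            jar = {}
            for kv in h["cookie"].split(";"):
                if "=" in kv:
                    name, value = kv.strip().split("=", 1)
                    jar[name] = value
            sessions[h["host"]] = jar
    return sessions


def insecure_cookies(raw_response: bytes) -> list:
    """Names of cookies a response sets without the Secure attribute. Those
    cookies will accompany plain-HTTP requests and can be sniffed and replayed."""
    missing = []
    for line in header_lines(raw_response)[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            if "secure" not in attrs:
                missing.append(cookie_name)
    return missing


if __name__ == "__main__":
    for host, jar in harvest_sessions(CAPTURED_REQUESTS).items():
        print(f"{host}: {jar}")
    for resp in SERVER_RESPONSES:
        print("cookies without Secure:", insecure_cookies(resp))
```

The image request to the CDN carries no cookie and is ignored; the two application requests yield complete cookie jars. On the response side, only the first response is flagged, and for the site operator that flag is the actionable finding: marking the session cookie Secure (and serving the whole session over SSL) is what removes it from the sniffer's view.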
While it has long been known that VoIP can be compromised, iSEC Partners detailed more than half a dozen ways to compromise VoIP phone systems based on little-researched vulnerabilities in the H.323 and Inter-Asterisk eXchange (IAX) protocols. Attackers can easily defeat the authentication mechanisms of systems that use these protocols, which are supported in products from Cisco, Avaya and Polycom. Aside from fraudulent authentication, it is possible to launch denial-of-service attacks against these systems that force phones to hang up, place calls on hold or reject all incoming calls.
Flaws in the newly released Apple iPhone were also demonstrated by Independent Security Evaluators, Inc. They showed how flaws in the device allow an attacker to install code that steals any and all data on the iPhone, or to redirect the iPhone's MobileSafari browser as part of a man-in-the-middle attack. Given the rich feature set of these phones, banking and finance executives may be tempted to store private or confidential data on them. However, until the flaws in the browser are fixed, these are clearly unsafe devices for corporate use.
Researchers from Matasano Security specifically addressed the securities and financial community in their presentation on exchange protocols. While financial firms are considered to be on the bleeding edge of information technology, the desire to keep trading applications open and available has led to the adoption of subpar protocols. They cautioned that the industry tends to put availability before confidentiality and that many commonly used protocols allow easy compromise, up to root-level access on the affected systems. Without attention to the security vulnerabilities in these financial protocols, they warned, the threats could soon leave "deep scars across the industry."
While very few of the attacks demonstrated at Black Hat this year were new, several presenters demonstrated that the attacker community has advanced significantly beyond the technical capabilities of most firms. Banks and financial institutions should use caution in adopting cutting-edge technologies without a full review of their web services, web applications, AJAX and other interactive media, and trading and transfer protocols. Unfortunately, these web application and browser-based attacks will remain a major source of compromise for many years.