Black Hat 2013 came to a close yesterday. The event, held in Las Vegas, USA, from July 27 to August 1, was full of heckles, hacks and a heck of a lot of jaw-dropping briefings. Here are 10 of the most intriguing briefings you may have missed at this year’s event, and what the presenters had to say about their talks.
Above my pay grade: Cyber response at the national level
Presented by – Jason Healey
Incident response is usually a deeply technical forensic investigation and mitigation for an individual organisation. But for incidents that are not merely cyber crime but truly national security events, such as large-scale disruptive attacks that could be acts of war by another nation, the process is completely different and needs a different kind of thinking.
This talk discussed exactly how, detailing the flow of national security incident response in the United States using the scenario of a major attack on the finance sector. The response starts at individual banks and exchanges and moves through the public-private sector information sharing processes (like FS-ISAC).
Treasury handles the financial side of the crisis while DHS tackles the technical. If needed, the incident can be escalated to the military and the president, particularly if it becomes especially disruptive or destructive. The talk examined this flow and the actions and decisions within the national security apparatus, concluding with the pros and cons of this approach and comparing it to the process in other key countries.
BlackberryOS 10 from a security perspective
Presented by – Ralf-Philipp Weinmann
BlackBerry prides itself on being a strong contender in the field of secure mobile platforms. While traditionally BlackBerryOS was based on a proprietary RTOS with a JVM propped on top, the architecture was completely overhauled with BlackBerryOS 10. Now the base operating system is the formerly off-the-shelf RTOS QNX, which doesn’t exactly have an excellent security track record. Moreover, for the first time in BBOS history, native code applications are allowed on the platform.
This talk presented an analysis of the attack surface of BBOS 10, considering both ways to escalate privileges locally and routes for remote entry. Moreover, since exploitation is only half the work of offense, the talk showed ways for rootkits to persist on the device. Last but not least, it settled whether BlackBerry Balance really holds what it promises: are mobile devices really ready to securely separate crucial business data from Angry Birds?
Buying into the bias: Why vulnerability statistics suck
Presented by – Brian Martin and Steve Christey
Academic researchers, journalists, security vendors, software vendors and other enterprising… uh… enterprises often analyse vulnerability statistics using large repositories of vulnerability data, such as CVE, OSVDB, and others. These stats are claimed to demonstrate trends in disclosure, such as the number or type of vulnerabilities, or their relative severity. Worse, they are often (mis)used to compare competing products to assess which one offers the best security.
Most of these statistical analyses are faulty or just pure hogwash. They use the easily available, but drastically misunderstood, data to craft irrelevant questions based on wild assumptions, while never figuring out (or even asking us about) the limitations of the data. This leads to a wide variety of bias that typically goes unchallenged and ultimately forms statistics that make headlines and, far worse, are used for budget and spending decisions.
As maintainers of two well-known vulnerability information repositories, we’re sick of hearing about sloppy research after it’s been released, and we’re not going to take it any more.
We gave concrete examples of the misuses and abuses of vulnerability statistics over the years, revealing which studies do it right (rather, the least wrong), and how to judge future claims so that you can make better decisions based on these "studies." We covered all the kinds of documented and undocumented bias that can exist in a vulnerability data source; how variations in counting hurt comparative analyses; and all the ways that vulnerability information is observed, cataloged, and annotated.
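One of the counting problems the talk refers to can be shown on a tiny constructed dataset. The example below is added here and is not code from the presenters or from CVE/OSVDB; the record identifiers, product names and scores are all made up. It counts the same records two ways: once per database entry (the "easily available" number) and once per distinct underlying flaw, where one flaw that was given a separate entry for each affected version line collapses to a single count. The product that looks worst flips depending on the convention, which is exactly why a comparison that never states its counting rule is not comparable.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    """One entry as a vulnerability database might store it.

    All values are constructed for illustration; VULN-xxxx ids are not real CVEs.
    """
    record_id: str
    product: str
    root_cause: str   # hypothetical tag for the underlying flaw; entries may share one
    severity: float   # CVSS-style score in [0, 10]


# Constructed sample: AlphaServer has one flaw recorded three times (one entry per
# supported version line) plus one minor issue; BetaServer has three distinct flaws.
RECORDS = [
    VulnRecord("VULN-0001", "AlphaServer", "flaw-A", 9.8),
    VulnRecord("VULN-0002", "AlphaServer", "flaw-A", 9.8),  # same flaw, 2.x branch
    VulnRecord("VULN-0003", "AlphaServer", "flaw-A", 9.8),  # same flaw, 3.x branch
    VulnRecord("VULN-0004", "AlphaServer", "flaw-B", 3.1),
    VulnRecord("VULN-0005", "BetaServer", "flaw-C", 9.0),
    VulnRecord("VULN-0006", "BetaServer", "flaw-D", 7.5),
    VulnRecord("VULN-0007", "BetaServer", "flaw-E", 8.1),
]


def count_records(records):
    """Naive convention: one vulnerability per database entry."""
    return dict(Counter(r.product for r in records))


def count_distinct_flaws(records):
    """Deduplicated convention: one vulnerability per distinct root cause per product."""
    flaws_by_product = {}
    for r in records:
        flaws_by_product.setdefault(r.product, set()).add(r.root_cause)
    return {product: len(flaws) for product, flaws in flaws_by_product.items()}


def count_high_severity(records, threshold=7.0):
    """Severity-filtered convention (distinct flaws scoring at or above threshold)."""
    high = [r for r in records if r.severity >= threshold]
    return count_distinct_flaws(high)


def rank(counts):
    """Products ordered from most to fewest counted vulnerabilities."""
    return sorted(counts, key=lambda product: counts[product], reverse=True)


def compare(records):
    """Return every convention's tally so the reader can see them side by side."""
    return {
        "per_entry": count_records(records),
        "per_distinct_flaw": count_distinct_flaws(records),
        "high_severity_distinct": count_high_severity(records),
    }


if __name__ == "__main__":
    for convention, counts in compare(RECORDS).items():
        print(f"{convention:24s} {counts}  ->  worst: {rank(counts)[0]}")
```

Run as a script it prints one line per convention; the per-entry count names AlphaServer as the product with more vulnerabilities (4 vs 3), while both deduplicated conventions name BetaServer (3 vs 2, and 3 vs 1 at or above 7.0). A real repository adds further variation on top of this (how multi-vendor bugs are attributed, whether "not a vulnerability" rejections are purged, when the entry was last re-scored), so the counting rule has to be stated and applied identically to every product before any two tallies can be set against each other.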
Exploiting network surveillance cameras like a Hollywood hacker
Presented by – Craig Heffner
This talk examined 0-day vulnerabilities that can be trivially exploited by remote attackers to gain administrative and root-level access to consumer and enterprise network surveillance cameras manufactured by D-Link, Trendnet, Cisco, IQInvision, Alinking and 3SVision. Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities.
Additionally, a proof-of-concept attack was demonstrated, showing how a remote attacker can leverage the described vulnerabilities to freeze and modify legitimate video streams from these cameras, in true Hollywood fashion.
Fact and fiction: Defending your medical devices
Presented by – Jay Radcliffe
In the past 18 months we have seen a dramatic increase in research and presentations on the security of medical devices. While this brought much needed attention to the issue, it has also uncovered a great deal of misinformation. This talk tackled those confusing and controversial topics. What’s the reality of patching a medical device? Is it safe to run anti-virus protection on them?
The presentation outlined a framework for how vendors, buyers, and administrators of medical devices can bring substantive changes to the security of these devices. The talk also had the unique element of discussing a medical device software bug that InGuardians uncovered. This bug was discussed in detail and replicated live on stage. InGuardians has worked closely with the FDA on properly documenting and submitting this through their tracking system. This was covered in full detail so other researchers could find out how to properly disclose bugs and vulnerabilities.