Security researchers, consultants and vendors gathered in Las Vegas last week for the annual Black Hat conference. While the RSA Security Conference each spring may be the biggest security gathering of the year, some may argue that the summertime Black Hat conference is where the most important security thought leadership announcements and discoveries are made each year. Unlike RSA, Black Hat isn’t a conference for flashy product announcements. Instead, researchers get together to disclose newly discovered vulnerabilities, exploits and hacking techniques that can have a big impact on any channel partner’s customer base.
Even if you or your on-the-ground technical staff didn’t attend the show, there’s a lot of important information to glean from what happened there.
Are Your Routers Pwned?
According to researcher Craig Heffner, millions of routers worldwide could be vulnerable to an attack technique called DNS rebinding. Highlighted by Dan Kaminsky’s wave-making presentation at Black Hat a couple of years ago and around for more than a decade, DNS rebinding is hardly new. The attack is made possible by the nature of the Domain Name System, which allows site administrators to balance traffic to a single site through numerous IP addresses. This ‘feature’ of DNS is also a flaw, allowing attackers to tinker with IP addresses and hijack browsers of unsuspecting users.
Heffner says he was able to use DNS rebinding to create a malicious site that routes visitors to their home network’s IP address and enables the site owner to hijack their browser and obtain access to visitors’ router settings. The groundbreaking part of his attack technique is that it circumvents current DNS rebinding protections achieved by browser patches and tools such as OpenDNS and the Firefox NoScript plug-in.
"It just hasn’t been put together like this before," Heffner told Forbes magazine about his new spin on DNS rebinding.
Heffner says that he’s tested 30 router models popular in the home and SMB networking market so far and more than half are vulnerable to his attack. He’ll reveal the technical details behind the attack at his presentation at Black Hat and publicly release a tool that can automate his attack methods. His facts bear at least a second glance by channel partners responsible for securing their customers’ network infrastructure, particularly those SMB customers likely to use the type of home routers Heffner tested during his research. Not only is the tool valuable for penetration testing, but his announcement provides more incentive for partners to review the login information of routers under their care, as changing default settings can often mitigate a lot of the risk from such an attack, according to Heffner.
Mobile Mania
The explosion of mobile apps touching sensitive stores of data, combined with the ubiquitous connectivity of high-speed mobile telecommunications networks, makes mobile security research intriguing to hackers of black, white and grey hat varieties.
"In order for (mobile) applications to do great things, they have to access sensitive information, they have to be able to interact with the phone," says Kevin Mahaffey of Lookout, a mobile security vendor.
Drive-by-Download Overdrive
Your clients’ users might not know it, but without any protections they are susceptible to malicious downloads simply by visiting infected sites or looking at infected HTML-enabled e-mail. This so-called drive-by download attack is changing the face of Web security as we know it.
Even though many security companies have reacted swiftly to detect and deter drive-by downloads, the game of cat-and-mouse between malicious hackers and researchers plays on. Black Hat will play host to the announcement of "some very advanced techniques that (are) almost impossible to overcome by automated analysis in the past, now, and in the future," according to Wayne Huang and Caleb Sima, who will present the findings of their recent project.
Huang and Sima are releasing a new drive-by download attack framework, Drivesploit, built on top of the popular Metasploit framework.