Black Hat/Def Con roundup: How Google ups Android security, another Microsoft SMB vulnerability

The annual Black Hat and Def Con security conferences in Las Vegas have wrapped up after more presentations of interest to CISOs. Following our earlier roundup of a few of them, here are more highlights:

Nick Kralevich, head of Android platform security at Google, talked about the company’s efforts to make Android more secure. “My job is to reduce the attack surface to the point even if there are bugs, those bugs don’t mean anything,” he was quoted by ThreatPost as saying.

That includes making sure an application can only do what it is intended to do, minimizing the surface that is exposed, containing processes within Android and following the principle of least privilege.

For a long time Google focused on exploit mitigations such as -fstack-protector and ASLR, says the report, and on preventing format string vulnerabilities. But the publication of Stephen Smalley’s “The Case for Security Enhanced Android”, which pointed out that several components of Android were vulnerable to nearly a half dozen rooting exploits, changed the company’s strategy. Kralevich said it made him realize the focus needed to be on reducing the Android attack surface rather than on exploit mitigation.

Today, he said, every Android process runs in a sandbox that has minimum privileges.

He said the upcoming version of the OS, so far dubbed Android O, takes containment a step further by separating the hardware-specific drivers and firmware used by companies such as Samsung or Qualcomm from the Android operating system. That will give Google the ability to roll out OS patches without having to wait for things such as chipset compatibility.

You may recall the spread last month of the WannaCry ransomware worm, which included code that scans networks for systems with Microsoft Server Message Block (SMB) v1 file sharing open on port 445. Although that vulnerability — discovered by the U.S. National Security Agency and leaked by the Shadow Brokers — had been patched in May by Microsoft, companies that hadn’t installed the patch were vulnerable.

At the Def Con conference security vendor RiskSense demonstrated another SMB vulnerability it dubs SMBloris, which uses the bug to launch distributed denial of service (DDoS) attacks. A researcher told ThreatPost the vulnerability affects every version of the SMB protocol and every Windows version dating back to Windows 2000.

The researcher says a single-board computer based on the Raspberry Pi platform and some Python code could take down the biggest Web servers. In theory that means there’s no need for a distributed attack with a botnet. However, Microsoft has told RiskSense it won’t issue a patch. “The case offers no serious security implications and we do not plan to address it with a security update,” a Microsoft spokesperson told Threatpost. “For enterprise customers who may be concerned, we recommend they consider blocking access from the internet to SMBv1.”

The RiskSense researcher admits the flaw would be hard to patch, and suggests a mitigation can be applied through inline devices, including firewalls, by limiting the number of active connections from a single IP address to SMB ports.
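As an added illustration of the two mitigations just described (the per-source connection limit and Microsoft’s advice to keep SMB off the internet), here is example code written for this roundup; it is not RiskSense’s or Microsoft’s tooling. It parses constructed, netstat-style connection records, counts established connections per remote address to SMB ports 139 and 445, flags addresses above an assumed per-source limit, and separately lists sources outside the RFC 1918 ranges. The record format, the threshold of 10 and the sample addresses are all assumptions.

```python
"""Per-source SMB connection accounting over constructed netstat-style records.

Added example, not code from the article, RiskSense or Microsoft. The record
format, threshold and addresses are assumptions made for the illustration:
    <proto> <local_ip>:<local_port> <remote_ip>:<remote_port> <state>
"""
import ipaddress
from collections import Counter

SMB_PORTS = {139, 445}            # NetBIOS session service and direct-hosted SMB
MAX_CONNECTIONS_PER_SOURCE = 10   # assumed per-source limit; tune per environment

# Ranges treated as "inside the perimeter" (RFC 1918 plus loopback).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample: two ordinary SMB sessions from a LAN host, a half-closed
# session that must not count, an RDP session that must be ignored, and one
# outside address (203.0.113.9, a documentation range) holding twelve
# simultaneous connections to port 445.
SAMPLE_CONNECTIONS = "\n".join(
    [
        "tcp 10.0.0.5:445 10.0.0.21:51001 ESTABLISHED",
        "tcp 10.0.0.5:445 10.0.0.21:51002 ESTABLISHED",
        "tcp 10.0.0.5:445 10.0.0.23:51003 TIME_WAIT",
        "tcp 10.0.0.5:3389 10.0.0.22:52000 ESTABLISHED",
    ]
    + [f"tcp 10.0.0.5:445 203.0.113.9:{40000 + i} ESTABLISHED" for i in range(12)]
)


def parse_connections(text):
    """Parse records into (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip headers or malformed lines
        proto, local, remote, state = parts
        local_ip, local_port = local.rsplit(":", 1)
        remote_ip, remote_port = remote.rsplit(":", 1)
        records.append((proto, local_ip, int(local_port), remote_ip, int(remote_port), state))
    return records


def smb_connections_per_source(records):
    """Count ESTABLISHED TCP connections per remote address to the local SMB ports."""
    counts = Counter()
    for proto, _local_ip, local_port, remote_ip, _remote_port, state in records:
        if proto == "tcp" and local_port in SMB_PORTS and state == "ESTABLISHED":
            counts[remote_ip] += 1
    return counts


def sources_over_limit(counts, limit=MAX_CONNECTIONS_PER_SOURCE):
    """Remote addresses holding more SMB connections than the per-source limit, sorted."""
    return sorted(ip for ip, n in counts.items() if n > limit)


def external_sources(counts):
    """Remote addresses outside the internal ranges, i.e. SMB reachable from the internet."""
    return sorted(
        ip for ip in counts
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETWORKS)
    )


if __name__ == "__main__":
    counts = smb_connections_per_source(parse_connections(SAMPLE_CONNECTIONS))
    for ip in sources_over_limit(counts):
        print(f"{ip}: {counts[ip]} SMB connections, above limit {MAX_CONNECTIONS_PER_SOURCE}")
    for ip in external_sources(counts):
        print(f"{ip}: SMB connection from outside the internal ranges")
```

The two checks answer different questions: the first is the signal an inline device would act on when it enforces a per-address connection cap, while the second shows whether any SMB session is arriving from outside the RFC 1918 ranges at all, which is the condition Microsoft’s recommendation is meant to eliminate. Only ESTABLISHED connections are counted, so half-closed sessions in TIME_WAIT do not inflate a source’s total.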

RFID badges for secure access are common in many organizations. But Dennis Maldonado, the founder of Houston Area Hackers Anonymous, who is also an engineer at penetration testing company Lares Consulting, demonstrated at Def Con the possibility of cloning a badge. His equipment allows an attacker to remotely scan a card from a distance of approximately two feet and then send that data to a cloning machine up to 30 feet away which would then automatically write to a new card. The story was carried by Mashable.com.

Back at Black Hat, researchers from ESET and Dragos Inc., which specializes in industrial control system (ICS) security, did an analysis of the recent attacks on the Ukrainian power grid dubbed Industroyer.

“The good news is the malware likely won’t work in North America without modifications, and even then it wouldn’t trigger widespread blackouts and critical infrastructure failures,” according to a news report on TechTarget.

“The bad news, however, is that the Industroyer malware shows a considerable evolution of tradecraft for cyberattacks against industrial control systems, as well as a clear willingness to cross hypothetical lines by targeting and even destroying critical infrastructure.”

The malware was designed to attack specific ICSes and to exploit a vulnerability in a Siemens ICS product, according to the report. Siemens patched the flaw with a firmware update, but Industroyer masquerades as a “Trojanized” version of Windows Notepad, which it replaces on the target system, and has not only a primary backdoor but a secondary backdoor it can activate if the primary one has been mitigated. It also disrupts response and recovery efforts.

The lesson for infosec pros, one of the presenters made clear, is that the attackers didn’t discover a zero-day bug; they took the time to learn about the specific ICSes, communication protocols and energy grid operations in Ukraine to build the attack.


Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
