The Black Hat DC 2009 conference proved a rich showcase for hacks that brought the security of many top-of-the-line products from the computer industry's biggest players to their knees. In short, Black Hat DC continues to show just how insecure computing still is, and how easy it is to steal seemingly secure information and take over supposedly secured systems.
One of the conference's highlights was Vietnamese security researcher Minh Duc Nguyen's presentation on cracking facial biometrics with ease. He delivered on his claims about how easy it was to bypass this form of security, defeating the face-recognition login on Toshiba, Lenovo, and ASUSTek systems without much effort.
He used a special software suite he compiled, which took several pictures of the real user (which could in theory be obtained from Facebook or another social site, or from news sites in the case of public figures) and used them to generate fake images that would eventually yield a match against the images the login system compares against. The recognition software could not reliably tell a flat picture from a real face, so it was as easy as holding one laptop's screen, displaying the phony images, in front of the biometric laptop's webcam.
He describes, "Our research showed that all of the three manufacturers have the vulnerabilities in their face authentication software. Even though they have applied more technical modifications to reduce the weakness, they have not been able to solve it completely. And we proved it in the Black Hat Conference. The result is this feature is not secure enough to protect the users’ [computers] from being tampered [with]."
Another high-profile presentation was Vincenzo Iozzo's demonstration of how to inject malicious code into a Mac OS X system without leaving a trace. The attack did require piggybacking on a reliable exploit for an unpatched OS X vulnerability; however, given Apple's slow rate of patching, this does not seem like a very big limitation. The new method addresses two problems at once: avoiding detection, and running binaries that are not present on the attacked system's hard drive.
Mr. Iozzo describes, "My technique partially solves [these issues]. In fact, the whole attack is performed in-memory, which means that when the machine is powered off it isn't possible to understand what happened because the attack leaves no traces on the machine. My technique allows an attacker to inject and execute binaries which are not present on the victim's machine, so also the second problem is solved. Finally, when one wants to execute a binary into the victim's machine it is necessary to execute a syscall, execve(). This might raise some alarms of IDS [intrusion detection system] systems or other types of security countermeasures and therefore detect the attacker."
Another presentation highlight featured a further hack focused on avoiding detection. Independent researcher Moxie Marlinspike showcased his new SSLstrip tool, which allows an attacker to perform man-in-the-middle attacks on HTTPS traffic, silently inserting itself between the user and the server, logging the intercepted traffic, modifying it, and forwarding it on. This allows the attacker to send the user to a malicious page by altering the site's usual redirection from HTTP to HTTPS.
The new technique's only weakness is that an attentive user may notice that the page they were redirected to is HTTP, not HTTPS, which is visible in the address bar. Otherwise the tool fools the user completely, making the phony page on which they type their information appear to be a legitimate HTTPS page. States Mr. Marlinspike, "The basic premise is that most people interact with HTTPS … through HTTP itself. Most people come to SSL by either clicking on a link or getting redirected, and both of those are points that can be attacked … the basic thesis of the whole thing is that we have a secure protocol that basically depends on an insecure protocol."
Black Hat DC is a wrap, but if you're looking for more Black Hat news, Black Hat USA will be held July 25 to 30 in Las Vegas.