5 Vulnerability Warnings
Research Highlights from Black Hat Europe 2015 in Amsterdam
When it comes to the latest research into vulnerabilities in widely used tools and technologies, and how attackers could abuse those flaws to steal data - or worse, this year's Black Hat Europe conference in Amsterdam didn't fail to deliver as promised (see Black Hat Europe: Hot Sessions).
While there were numerous top-notch presentations across the two-day conference, here are five selected vulnerability warnings detailed by researchers, as well as related enterprise information security defenses:
Self-Encrypted Drives: Don't Sleep
Don't let laptops with self-encrypting drives go to sleep - instead, use hibernation mode, or shut them down completely when they're not in use. That warning was sounded by Daniel Boteanu and Kevvie Fowler, who both work for KPMG Canada's Forensic Technology Group, and who detailed four full-disk encryption flaws that an attacker could abuse to bypass the hardware-based crypto on SEDs, which are built to comply with the Trusted Computing Group's Opal Storage Specification.
"After an SED is unlocked, it will remain in that state until it is powered off or explicitly locked," the researchers warn. As a result, if an attacker can trigger a soft reset - for example by causing a "blue screen of death" - then they could boot the machine from an alternate DVD or thumb drive and read all of the data stored on the still-unlocked SED, because the drive was never powered down.
Until drive manufacturers implement related fixes, the researchers have detailed three recommendations enterprises can use to mitigate the threat, including disabling or restricting sleep mode, as well as disabling the Windows automatic restart feature, which an attacker could otherwise use to trigger a soft reboot.
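Both of those recommendations map onto ordinary Windows settings. The PowerShell script below is an added example, not tooling from the KPMG researchers: it audits the crash auto-restart flag and the sleep, lid and button behaviour, then moves the machine from sleep to hibernate so that the SED loses power and re-locks. It assumes an elevated session, the built-in powercfg.exe and the standard CrashControl registry key.

```powershell
# Added example (not from the KPMG presentation): audit and harden the two Windows
# behaviours the SED attack depends on. Assumes an elevated session, the built-in
# powercfg.exe and the standard HKLM CrashControl key; nothing vendor-specific.

$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# 1. "Automatically restart" after a bug check yields a soft reset with the SED
#    still unlocked. AutoReboot = 1 is the Windows default; a missing value behaves
#    the same as 1.
$autoReboot = (Get-ItemProperty -Path $crashKey -Name AutoReboot -ErrorAction SilentlyContinue).AutoReboot
if ($null -eq $autoReboot -or $autoReboot -ne 0) {
    Write-Warning "AutoReboot=$autoReboot : Windows will restart itself after a crash; disabling"
    Set-ItemProperty -Path $crashKey -Name AutoReboot -Value 0 -Type DWord
}

# 2. Sleep (S3) keeps the drive powered and unlocked; hibernate (S4) powers it off,
#    so the drive locks and asks for its pre-boot credential again.
powercfg /hibernate on
# Idle timeout before sleep: 0 = never, for AC power and for battery.
powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
# Lid close, power button and sleep button: 0 = do nothing, 1 = sleep,
# 2 = hibernate, 3 = shut down. Hibernate everywhere.
foreach ($button in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $button 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $button 2
}
powercfg /setactive SCHEME_CURRENT

# 3. Report the effective values so the change can be verified and audited later.
Write-Host ("AutoReboot now: " + (Get-ItemProperty -Path $crashKey -Name AutoReboot).AutoReboot)
powercfg /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE
powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
```

The user can still pick Sleep from the Start menu by hand, and on a domain-joined fleet these values belong in Group Policy rather than a local script, so treat this as the per-machine check and remediation.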
Windows BitLocker Defeat
Have you installed the Nov. 10 Windows security update from Microsoft? If so, then you're patched against a flaw that was detailed by Ian Haken, a security researcher at software development product vendor Coverity, who showed how the software-based BitLocker encryption feature built into Windows can be bypassed.
"This isn't really BitLocker-specific - more generally, this is an authentication bypass for domain accounts," he said. "If someone is logged in, locks their screen and steps away, you could use this to unlock the PC - someone on their laptop at a coffee shop, or on their computer in an office."
Beyond installing the Nov. 2015 Windows security update, Haken's presentation also pointed to another workaround, cited by the anonymous information security pundit who goes by "SecuriTay."
Enable dat PIN: "The bypass can be exploited only if the computer has BitLocker enabled WITHOUT a PIN or USB key" https://t.co/93wNbJlSVY — SecuriTay (@SwiftOnSecurity) November 10, 2015
Or as Microsoft notes in its security update: "The bypass can be exploited only if the target system has BitLocker enabled without a PIN or USB key, the computer is domain-joined, and the attacker has physical access to the computer."
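Whether a given laptop meets the "without a PIN or USB key" condition is easy to check. The PowerShell script below is an added example, not Microsoft's or Haken's code: it inspects the OS volume's key protectors and, if the drive unlocks with the TPM alone, enables the policy that permits a PIN and adds a TPM+PIN protector. It assumes an elevated session, the built-in BitLocker PowerShell module and the standard FVE policy key under HKLM\SOFTWARE\Policies.

```powershell
# Added example (not Microsoft's or the researcher's code): find out whether the OS
# volume unlocks with the TPM alone, the configuration the bypass needs, and if so
# move it to TPM+PIN. Assumes an elevated session, the built-in BitLocker PowerShell
# module and the standard FVE policy key under HKLM\SOFTWARE\Policies.

$osDrive = $env:SystemDrive    # normally "C:"
$vol = Get-BitLockerVolume -MountPoint $osDrive

if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "$osDrive is not BitLocker-protected at all"
    return
}

$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
Write-Host "Key protectors on $osDrive : $($types -join ', ')"

# With a TPM-only protector the drive is decrypted transparently at boot, before any
# user secret is entered, so everything up to the logon screen is reachable.
$hasTpmSecret = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
if (($types -contains 'Tpm') -and -not $hasTpmSecret) {
    Write-Warning "$osDrive relies on the TPM alone; adding a startup PIN"

    # BitLocker refuses a PIN unless policy permits one. These are the registry
    # values behind "Require additional authentication at startup":
    # 0 = do not allow, 1 = allow, 2 = require.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    $policy = @{ UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0; UseTPM = 0;
                 UseTPMPIN = 2; UseTPMKey = 0; UseTPMKeyPIN = 0 }
    foreach ($name in $policy.Keys) {
        Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
    }

    $pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'
    # BitLocker keeps one TPM-based protector per volume, so TPM+PIN supersedes
    # the TPM-only one; the PIN is then required before Windows loads.
    Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin
    $after = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector.KeyProtectorType
    Write-Host "Protectors now: $($after -join ', ')"
}
```

On a domain-joined machine the FVE values are overwritten at the next Group Policy refresh, so set the equivalent policy centrally and use the script as the per-machine check.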
Fooling Self-Driving Cars
Bad news for self-driving car buffs: The automated vehicles rely on a variety of off-the-shelf components that can be spoofed. Meanwhile, other technologies built into so-called connected cars - meaning they have an Internet connection - can be abused to track drivers and intercept sensitive data.
Those warnings were sounded by Jonathan Petit, a principal scientist for security services and application security training firm Security Innovation, who found that the cameras that are used in self-driving cars, as well as for some driver-assistance features, can be fooled using "easy and cheap" technologies, for example by targeting the cameras with laser pointers, which might then interrupt the camera's ability to detect barriers, or pedestrians. Accordingly, he says such systems must be designed to avoid such attacks. "Don't trust automated vehicle sensors unless you implement countermeasures to mitigate such threats," he says.
Oil and Gas Cybersecurity Concerns
Vulnerabilities in the SAP systems that are widely used to control oil and gas production could be remotely abused by online attackers to do everything from shutting down plants and damaging equipment to committing fraud and altering the quality of petroleum products. That warning was sounded by researchers Alexander Polyakov and Mathieu Geli from ERPScan, which focuses on the security of enterprise resource planning systems.
The researchers detailed flaws and misconfigurations they have found in a number of products used in the oil and gas industry - including the SAP xMII system, SAP Plant Connectivity, SAP HANA and the Oracle E-Business Suite platform, as well as some widely used Open Platform Communications servers such as Matrikon OPC - that attackers could use to access and tamper with critical systems.
For example, attackers could create malware designed to exploit the software flaws to "dynamically [change] oil stock information in all oil and gas companies where SAP is implemented," the researchers say. SAP reports that firms that use its software account for about 70 million of the 90 million barrels of oil produced each day. As a result, a dedicated attacker could theoretically fool systems into understating the amount of oil present in plants, thus driving up the price of oil. Likewise, they might also relay incorrect data to tank information management systems, and adjust the maximum filling limit of tanks, leading to overfilling and potential explosions.
To protect systems, the researchers recommend that oil and gas firms review all connections between their ERP software and other applications and secure those connections whenever possible, not least by locking down all domain-related credentials.
Banking Infrastructure Threats: Presentation Canceled
A serious risk that was set to be detailed at Black Hat Europe 2015 was a flaw - or flaws - in financial services software from Temenos. Such software is reportedly used by 38 of the world's 50 largest banks, and processes daily transactions that affect more than 500 million banking customers. And this critical piece of infrastructure is "not as secure as you think," warned security researcher Nadeem Douba, who was scheduled to present related research at the conference.
Found another 0day in #Temenos... Sad times. — Nadeem Douba (@ndouba) October 22, 2015
Apparently, however, those flaws are so severe that the researcher opted to not yet release details publicly. "After further consideration as well as discussions with various stakeholders, I have decided that it is not the right time to publish my research on Temenos," Douba said. "I believe publishing my findings in a public forum at this time may expose some Temenos customers to significant risk. As a result, I cannot in good conscience proceed with the presentation."
Stay tuned for Black Hat Europe 2016?