In this article, the author shares his personal opinion on current and future threat vectors after attending the Black Hat conference.
I have just returned from attending the Black Hat Conference in Las Vegas, Nevada. It’s always reassuring to visit Las Vegas; it’s such a crazy place that you can almost believe the rest of the world is relatively normal! However, Las Vegas is the perfect setting for this annual gathering of the hacker community, as some of the content is truly as beyond belief as parts of Las Vegas. Each year a staggering 4000+ people attend from all over the world to listen to the new, the frightening and the truly strange exploits and hacks that have been discovered. The message this year was clearer than ever: nothing is safe from exploitation, and no matter how obscure the system, there is someone, somewhere, trying to find a vulnerability in it. These exploits range from proof of concept—things that don’t have particularly practical application in reality, or wouldn’t really cause much of a problem—to hacks that very likely could expose millions to malicious exploitation.
It’s an interesting conference, with some of the world’s most respected presenters and a tremendous amount of excellent content, and there’s always a share of controversy, as some of the flaws exposed are seriously threatening to the affected company’s share price, or at least embarrassing--particularly where the company hasn’t fixed the flaw in time.
Understanding Potential Vulnerabilities and Their Impact
There is always a tension between those who say that exposing vulnerabilities leads to exploitation and extra risk to the users, as attackers wouldn’t otherwise know about the flaws. There’s perhaps a little truth to this, and many in the community would normally inform the affected vendor before publicising a vulnerability that could cause such a problem, but history shows us that security by obscurity is of limited use. The ‘bad guys’ out there are definitely looking for these same vulnerabilities, and they will use them if possible, and won’t inform anyone about it, as they want to exploit them for financial gain. The holy grail of vulnerability seekers is to find something that no one knows about and exploit it before it can be patched; the difference is that a malicious attacker will use it for fraudulent purposes against innocent victims, as I’ve discussed in past columns. Exploit information is valuable to both sides, but once it is in the open, it is less valuable to an attacker than to a defender. Once we know about a problem, we can usually find ways to fix it. So personally, I find Black Hat to be one of the most useful technical conferences, as it shows that there are still people who are actively interested in defending computers and networks from malicious exploitation and that there is still plenty to be done in the field of computer security.
Often, quite wrongly, people tend to think of vulnerabilities only affecting Microsoft platforms, with perhaps a few problems on other systems--it’s this sort of lazy thinking that will eventually lead to disaster for Apple Mac and Linux users. Of course, Microsoft gets its fair share of attention when new vulnerabilities are found, which is natural as it is still the most widely used platform. As I’ve mentioned previously, Microsoft also does a very good job of patching those vulnerabilities in a timely manner—although we as customers are terrible at applying patches in time. One of my personal interests is mobile phone security, and plenty was said about that subject at Black Hat. Many of us have been predicting for years that mobile platforms will be the next ‘big thing’ for exploitation, but until recent years there really hasn’t been much activity; the twin phenomena of Google’s Android platform and Apple’s iPhone have changed all that. Hackers are spending more and more time looking at these platforms, and Black Hat had some very interesting presentations about exploits against both of those platforms using only SMS manipulations. Mobile phones are becoming the way that many of us access the Internet—and therefore Internet-based services such as mobile banking—so naturally any exploitation of these platforms has serious repercussions in security. We must start to consider that any system that accesses the Internet—from desktop or server systems, through network routers, through mobiles, to our cars and even kitchen appliances—simply any system is becoming vulnerable, and we must consider their protection as part of a holistic security defense.
Inside Threats
It’s also important to consider attacks from the inside; not all the threats are coming from external actors--indeed, many very potent threats come from those working in your organisation. When you have developers working for you, or contractors, do you really know what they’re putting inside that application that you are going to use for your financial recording? Humans are fallible; they often make mistakes, but they are also subject to bribery and blackmail. This was the subject of a Black Hat talk given by Jeff Williams of Aspect Security, who discussed how easily JavaScript code could be inserted into otherwise innocuous data and used to spy on your organisation. He suggests ensuring that your developers work in teams--particularly where there are external consultants involved in the process--to reduce the possibility of a lone actor being persuaded to put in something that shouldn’t be there. Williams highlighted the need for regular reviews and auditing of code and more stringent checks when hiring. Those of us who regularly employ new staff here in India well know the problems of high turnover of staff, tempted away by small pay rises and the promise of a better title; this of course complicates the validation process. It’s costly and time consuming to go through all the checks every time, but it’s truly worth ensuring that you get good recommendations and that new staff are more closely monitored before being given access to critical assets, or you could find out that your competitors are getting the better of your research and development without your knowledge.
Small Mistake Creates Big Damage
The whole cycle of vulnerability discovery and exploitation has become an increasingly dangerous threat, and Black Hat is a reminder of the fact that we often concentrate on far too narrow a spectrum of threats. We hear a lot in the media about worms and so on; the lesson that we should learn from them is not that there are worms out there that can exploit on a massive scale, but the fact that we can’t ignore vulnerabilities, even for a few days, certainly not for a few months. We perhaps don’t hear enough about the small exploits, for instance against the SSL encryption system that enables e-commerce trust and privacy. If we did, we wouldn’t perhaps have a false sense of security about non-Microsoft systems, nor would we have any complacency about ensuring that all critical systems are well protected with multiple layers of security, from intrusion prevention, to firewalls, to anti-virus software, and we could start to think seriously about mobile devices as critical assets—just think how much valuable information is stored on your smartphone.
Perhaps fittingly, the Black Hat conference was rounded off with a discussion of the Conficker worm, presented by Mikko Hypponen of F-Secure Corporation. Conficker would not have happened, or at least not on any scale, if people had simply patched the vulnerable systems. If it taught us anything, it is the same lesson that almost every other ‘big hitter’ worm has taught us: patch vulnerabilities as soon as possible, because sooner or later, someone will exploit them for malicious purposes. It seems it’s not a lesson that is being learnt well. The name of the new virus doesn’t matter at all; the threats are always there, and if you get infected, that single virus is the most important one in the world—no matter if no one else ever gets infected with it. Conversely, if you didn’t get infected with Conficker, that doesn’t mean you’re automatically protected from everything else, or that other threats are less vital.
Conclusion
Seeing the big picture is the most important part of security; if we focus on the narrow, we will miss the wider threat--like looking through the wrong end of a telescope. They say that “What happens in Vegas stays in Vegas” but, in the case of Black Hat, there is much information that needs to be taken back to our businesses and homes and not just forgotten, so I hope this small sharing will be useful.
—By: ANDREW LEE, CISSP, Chief Technology Officer, K7 Computing Private Ltd.