Best hacks and security tips from BlackHat and Defcon 2017
From voting flaws to hash collisions, it’s been yet another vintage year for hacking revelations
BlackHat and Defcon, alongside Infosec and RSA stand out as the defining events of the cyber security year, all performing different roles in informing, stimulating and networking IT professionals. BlackHat and Defcon inevitably play to the crowds far better, and 2017 looks to have been a vintage year, with the usual mire of misunderstood headlines, quirky crowd-pleasing hacks and some ingenious research to boot. Here’s a few of the top moments from BlackHat and Defcon 2017!
Who got your vote?
One particularly topical Defcon challenge involved investigating a series of voting machines, which turned out to be as secure as some ATM machines - not very at all. Some of the 30 computer-powered ballot boxes used in American elections were running very outdated and highly exploitable software, such as unpatched versions of OpenSSL and Windows XP and CE, while others had physical ports open that were accessible. One model was hacked via Wi-Fi and the WinXP MS03-026 vulnerability in under two hours, while a separate box could be potentially cracked remotely via OpenSSL bug CVE-2011-4109, according to reports.
Ilia Kolochenko, CEO of High-Tech Bridge, commented: “Running unpatched OpenSSL on a connected system leaves it open to a range of critical vulnerabilities, including Heartbleed or padding-oracle (CVE-2016-2107) flaws, and is not good security practice, as illustrated by the short time it took to compromise some of these demonstration systems.”
A quick check with High-Tech Bridge's free SSL Server Security Test would have highlighted this HTTPS vulnerability before boxes were deployed in US local elections.
One particular voting machine was found to be running WinXP, autorun enabled and hard-coded WEP Wi-Fi password, as Victor Gevers tweeted:
As a final insult, the researchers discovered that the admin password was..."ABCDE".
FBI Cyber Division Unit Chief Tom Grasso gave a Black Hat talk on the complexities of taking down the Avalanche botnet in an international effort which involved sinkholing more than 800,000 malicious domains after four years of work. He emphasised the key role of international cooperation and private sector contributions too.
While SHA-1 may now represent outdated cryptography to many, one of the BlackHat talks by Elie Bursztein, Google's lead anti-fraud researcher, explained why this is the case. The researcher has spent several years working to create an SHA-1 hash collision, when two different files end up with the same hash. Even in SHA-1 it’s a monumental task, which Bursztein estimates would take 12 million years to simply brute-force one collision using current computing power. But with some extremely ingenious analysis, the team was able to tweak the odds in their favour, until they were able to find a collision using just 110 GPUs for one year - as opposed to the 12,000,000 GPUs required for a brute force attack. The full detail is here.
Fascinatingly, he also pointed out that the only weaponised use of hash collision known to date was in the Iranian ‘Flame’ malware, which used an MD5 hash collision to sign a fake Windows update, but that the technique used in ‘Flame’ used four blocks from the file to create a collision rather than the published methodology, which used two. "So someone, somewhere, well-funded, had developed their own way to create SSL collision," said Bursztein, throwing open the question of who might have had that level of funding to attack Iranian computers.
Bounties pay out?
Researcher James Kettle designed an automated tool to test for flaws in common http networks, testing 50,000 websites simultaneously and earning more than $30,000 in the process. By using techniques including ‘malformed requests and esoteric headers’ he uncovered covert request interception by the UK's largest ISP, a confused Tor backend, and a system that enabled reflected XSS to be escalated into SSRF. His paper is here.
All washed up
Of course, no story about Defcon 2017 would be complete without the proof-of-concept carwash attack, engineered by security researchers Billy Rios and Jonathan Butts. The duo set out to demonstrate the dangers of connecting industrial equipment to the internet by hacking an automatic carwash to ‘attack’ a victim vehicle. They found that more than 150 carwashes in the US are connected, but regularly use default admin passwords - here’s their proof-of-concept video: