Blackhat and More – WSWiR Episode 116

Blackhat Summary,Lots of Patches, and MonsterMind

Times have changed. Cyber attacks have increased 10-fold, causing a ton of information security (infosec) news each week. Can’t keep up with it all? Let me help out. In this weekly video summary, I highlight the biggest information and security news every week.

Last week, I had meant to post a Black Hat video summary, but simply couldn’t find the time during my two week travel schedule. I try to make up for it in this week’s episode. In today’s video, I share a bit about Black Hat, cover the latest security patches, comment on the alleged huge password theft, and highlight Snowden’s latest interview and disclosures. Watch the video for the details.

Also, don’t forget to check out the big reference section below for two weeks of security news links, and some videos from Black Hat. Have a great weekend.

(Episode Runtime: 9:09)

Direct YouTube Link:

Episode References:


— Corey Nachreiner, CISSP (@SecAdept)

Office Patches Mend SharePoint and OneNote

Severity: High


  • These vulnerabilities affect: Microsoft Office related products like OneNote and SharePoint Server
  • How an attacker exploits them: Varies. Typically by enticing users to open or interact with maliciously crafted Office documents
  • Impact: Many. In the worst case, an attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you


Today, Microsoft released two security bulletins that fix a like number of vulnerabilities in OneNote and SharePoint. We summarize these security bulletins below, in order from highest to lowest severity.

  • MS14-048OneNote Code Execution Vulnerability

OneNote is a collaborative, multiuser note taking application that ships with Office. It suffers from an unspecified vulnerability having to do with how it handles specially crafted OneNote files. If an attacker can lure you into opening such a file, she could exploit this flaw to execute code on your computer, with you privileges. As usual, if you are a local administrator, the attacker gains complete control of your PC.

Microsoft rating: Important

  • MS14-050: SharePoint Elevation of Privilege Vulnerability

SharePoint Server is Microsoft’s web and document collaboration and management platform. It suffers from a privilege escalation vulnerability. SharePoint offers an extensibility model that allows you to create apps that can access and use SharePoint resources. However, SharePoint suffers some unspecified flaw that allows specially crafted apps to bypass permission management. In short, by running a specially crafted application, an attacker may be able to access all the SharePoint resources of the currently logged-in user.

Microsoft rating: Important

Solution Path:

Microsoft has released Office and SharePoint-related patches that correct these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network as soon as possible. If you choose, you can also let Windows Update automatically download and install these updates for you.

Keep in mind, however, that we highly recommend you test updates before running them in your production environment; especially updates for critical production servers.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find all of Microsoft’s update links:

For All WatchGuard Users:

We recommend you install Microsoft’s updates to completely protect yourself from these flaws.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at

SQL Server Update Fixes XSS and DoS Vulnerability

Severity: Medium


  • These vulnerabilities affect: Most current versions of SQL Server
  • How an attacker exploits it: Various, including enticing someone to click a specially crafted link
  • Impact: In the worst case, an attacker can steal your web cookie, hijack your web session, or essentially take any action you could on the SQL server
  • What to do: Deploy the appropriate SQL Server updates as soon as possible


SQL Server is Microsoft’s popular database server. According to Microsoft’s security bulletin, SQL Server suffers from both a Cross-site Scripting (XSS) and Denial of Service (DoS) vulnerability.

The XSS flaw poses the most risk. The SQL Master Data Services (MDS) component suffers from a Cross-site Scripting (XSS) vulnerability due to its inability to properly encode output. By enticing someone to click a specially crafted link, an attacker could leverage this flaw to inject client-side script into that user’s web browser. This could allow the attacker to steal web cookie, hijack the web session, or essentially take any action that user could on your SQL Server’s associated web site. In some cases, attackers can even leverage XSS attacks to hijack your web browser, and gain unauthorized access to your computer.

The DoS flaw poses less risk, but is worth patching too. Essentially, if an attacker can send specially crafted queries to you SQL server, he could lock it up. However, since most administrator block SQL queries from the Internet, the attacker would have to reside on the local network to launch this attack.

Solution Path:

Microsoft has released SQL Server updates  to correct this vulnerability. You should download, test, and deploy the appropriate update as soon as possible. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s SQL Server bulletin.

As an aside, the Cross-site Scripting (XSS) protection mechanisms built into many modern web browsers, like Internet Explorer (IE) 8 and above, can often prevent these sorts of attacks. We recommend you enable these mechanisms, if you haven’t already.

For All WatchGuard Users:

Since attackers might exploit some of these attacks locally, we recommend you download, test, and apply the SQL Server patches as quickly as possible.


Microsoft has released updates to fix this vulnerability.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at

Windows Updates for Media Center, .NET, and LRPC

Severity: Medium


  • These vulnerabilities affect: All current versions of Windows (and related components like .NET Framework)
  • How an attacker exploits them: Multiple vectors of attack, such as enticing you into opening maliciously crafted Office file.
  • Impact: In the worst case, an remote attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches as soon as possible, or let Windows Automatic Update do it for you


Today, Microsoft released five security bulletins describing seven vulnerabilities in Windows and related components, such as the .NET Framework. A remote attacker could exploit the worst of these flaws to potentially gain complete control of your Windows PC. We recommend you download, test, and deploy these critical updates as quickly as possible.

The summary below lists the vulnerabilities, in order from highest to lowest severity.

  • MS14-043:  Windows Media Center Code Execution Flaw

Windows Media Center is the media player and Digital Video Recording (DVR) application that ships with the popular operating system. MCplayer.dll, a component Media Center uses for audio and video playback, suffers from a “use after free” vulnerability. By tricking you into running a specially crafted Office file, a remote attacker could leverage this flaw to execute code on your computer, with your privileges. If you’re a local adminstrator, the attacker could gain complete control of your machine. Note, this flaw mostly affects the latest versions of Windows.

Microsoft rating: Critical

  • MS14-045:  Multiple Kernel-Mode Driver Elevation of Privilege Vulnerabilities

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys), which handles the OS’s device interactions at a kernel level. The Windows kernel-mode driver suffers from three local code execution flaws. The flaws differ technically, but most have to do with the kernel-mode driver improperly handling certain objects, which can result in memory corruptions. Smart attackers can leverage memory corruption flaws to execute code. In a nutshell, if a local attacker can run a specially crafted application, he could leverage most of these flaws to gain complete control of your Windows computers. However, in order to run his malicious program, the attacker first needs to gain local access to your Windows computer, or needs to trick you into running the program yourself, which somewhat lessens the severity of this vulnerability.

Microsoft rating: Important

  • MS14-046:  .NET Framework ASLR Bypass Flaw

The .NET Framework is software framework used by developers to create new Windows and web applications. Address Space Layout Randomization (ASLR) is a memory obfuscation technique that some operating systems use to make it harder for attackers to find specific things in memory, which in turn makes it harder for them to exploit memory corruption flaws. In short, the .NET framework doesn’t use ASLR protection. This means attackers can leverage .NET to bypass Windows’ ASLR protection features. This flaw alone doesn’t allow an attacker to gain access to your Windows computer. Rather, it can help make other memory corruption vulnerabilities easier to exploit. This update fixes the ASLR bypass hole.

Microsoft rating: Important

Local Remote Procedure Call (LRPC) is a protocol Microsoft Windows uses to allow processes to communicate with each other and execute tasks, whether on the same computer or another computer over the network. It suffers from a ASLR bypass vulnerability that has the same scope and impact as the .NET one described above.

Microsoft rating: Important

  • MS14-049:  Windows Installer Service Elevation of Privilege Flaw

As its name suggests, the Windows Installer services is a component that helps you install and configure stuff in Windows. It suffers from a privilege escalation vulnerability involving the way it improperly handles the repair of a previous application. If a local attacker can log into one of your Windows systems and run a specially crafted application, he could exploit this flaw to gain complete control of the system (even if he started out with only Guest privileges). Of course, the attacker would need valid login credentials, which significantly lowers the severity of this issue.

Microsoft rating: Important

Solution Path:

Microsoft has released various updates that correct all of these vulnerabilities. You should download, test, and deploy the appropriate updates throughout your network immediately. If you choose, you can also let Windows Update automatically download and install them for you. As always, you should test your updates before deploying them.

The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:

For All WatchGuard Users:

Though WatchGuard’s XTM appliances offer defenses that can mitigate the risk of some of these flaws (such as blocking Office files), attackers can exploit others locally. Since your gateway XTM appliance can’t protect you against local attacks, we recommend you install Microsoft’s updates to completely protect yourself from these flaws.


Microsoft has released patches correcting these issues.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

What did you think of this alert? Let us know at

Latest IE Patch Corrects 26 Vulnerabilities


  • These vulnerabilities affect: All current versions of Internet Explorer
  • How an attacker exploits it: By enticing one of your users to visit a web page containing malicious content
  • Impact: Various, in the worst case an attacker can execute code on your user’s computer, potentially gaining complete control of it
  • What to do: Deploy the appropriate Internet Explorer patches immediately, or let Windows Automatic Update do it for you


In a security bulletin released as part of Patch Day, Microsoft released an update that fixes a 26 new vulnerabilities in all current versions of Internet Explorer (IE). Microsoft rates the aggregate severity of these new flaws as Critical.

Most of the vulnerabilities described in this alert (24 of the 26) are memory corruption vulnerabilities, which share the same general scope and impact. If an attacker can lure you to a web page containing malicious web code, he can exploit these flaws to execute code on your computer, inheriting your privileges. If you have local administrative privileges, which most Windows users do, the attack could potentially gain full control of your computer

The patch also fixes a pair of privilege escalation vulnerabilities, but the memory corruption flaws alone should convince you to update IE as soon as you can.

Keep in mind, today’s attackers often hijack legitimate web pages and booby-trap them with malicious code. Typically, they do this via hosted web ads or through SQL injection and cross-site scripting (XSS) attacks. Even recognizable and authentic websites could pose a risk to your users if hijacked in this way, and the vulnerabilities described in today’s bulletin are perfect for use in drive-by download attacks.

Solution Path:

You should download, test, and deploy the appropriate IE updates immediately, or let Windows Automatic Update do it for you. You can find links to the various IE updates in the “Affected and Non-Affected Software” section of Microsoft’s April IE security bulletin.

For All WatchGuard Users:

Good News! WatchGuard’s Gateway Antivirus and Intrusion Prevention services can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS signature team has developed signatures that can detect and block some of the memory corruption vulnerabilities described in Microsoft’s alert:

  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4063)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4057)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-4050)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2824)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2823)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2820)
  • WEB-CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2014-2799)

Your XTM appliance should get this new IPS signature update shortly.

Furthermore, our Reputation Enabled Defense (RED) and WebBlocker services can often prevent your users from accidentally visiting malicious (or legitimate but booby-trapped) web sites that contain these sorts of attacks. Nonetheless, we still recommend you install Microsoft’s updates to completely protect yourself from all of these flaws.


Microsoft has released patches to fix these vulnerabilities.


This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).

Black Hat 2014 – Briefing Summary – Day 2

Did any of the briefings from day one sound interesting to you? Do you want to know what happened the next day? If so, check out my day two Black Hat briefing summary below:

BadUSB – On Accessories that Turn Evil

Topic: Infecting USB microcontrollers to create undetectable evil USB devices

Speaker: Karsten Nohl, Sascha Krißler, Jakob Lell

News of this talk came out before the Black Hat conference, and I had mentioned it in my weekly video. It did not disappoint.

In the briefing, Nohl and Lell described how they analyzed the firmware from an off-the-shelf USB microcontroller, and figured out how to load malicious firmware instead. In case you hadn’t heard, every USB devicewhether it’s a storage device or keyboardhas a tiny micro-controller built into it that communicates with your computer, and tells it what the USB device is. In essence, Nohl and Lell figured out how to create a USB micro-controller that lied, and in so doing could do malicious things. For instance, they could create a USB storage device that acted like a keyboard, allowing it to actually launch commands, run code, and even key log.

You might be asking, “Why is this so scary? I already knew USB devices could be malicious.” Well in the past, USB attacks required malicious files on the storage device. The attack would either leverage auto-play issues, or exploit some underlying operation system vulnerability. In either case, security software might find the malicious file and block it. In this case, there are no files on the USB device. By infecting the firmware, that attacker makes it extremely hard for you to detect malicious USB devices.

During the talk, the speakers showed many interesting, and worrisome demos. For instance, a malicious USB key could be programmed to spread to other USB devices plugged into a system (assuming they other device also used the right micro-controller). Nohl and Lell also demonstrated that is is a cross-platform attack. Since all operating systems must communicate with USB devices, they all can succumb to malicious USB firmware.  The pair even showed this particular attack infecting an Android device.

In the end, this is a very scary attack. It makes it very difficult for us to trust the USB standard. Furthermore, since this is a firmware infection, it’s a perfect mechanism for persistent attacks. You could reformat the malicious USB device all you want, the infected firmware would still remain. The only good news is that the speakers only did this with a very specific 8051 microcontroller. In order to use the attack with other devices, hackers would have to reverse those devices firmwares and find new flaws.

So what can you do about this? Unfortunately, it’s a hard problem to crack. The USB standard is pretty set in stone, and security software like AV can’t detect this attack. One option is to force signing of USB firmware, but that would require industry-wide change, and would only help new USB devices. The one sure tip Nohl and Lell recommended was to have USB manufacturers  disable firmware updates in hardware, so that no one could change the software running on these devices.


Extreme Privilege Escalation on Windows8/UEFI Systems

Topic: Hacking Windows boot security to gain ultimate system privileges

Speaker: Corey Kallenberg, Xeno Kovah, Samuel Cornwell – MITRE

On modern systems, even when an attacker gains administrative or root privileges, he doesn’t have penultimate control. In computing, there are various processor-level security domains, from ring 3 to ring 0. An administrator may have the ultimate privileges in ring 3, but he doesn’t have kernel level ring 0 control. This presentation outlined a technique attackers could use to leverage the Windows secure boot system and gain that penultimate ring 0 control.

Over the years, operating systems like Windows have begun to adhere to more secure boot processes that make it harder for bad guys to infect our computer’s BIOS. A relatively new standard called the Unified Extensible Firmware Interface (UEFI) defines how computer systems should load firmware and the BIOS, and includes security mechanisms like secure boot, signed BIOS, and chipset protections.

Without going into all the details, the speakers at this talk found some vulnerabilities in the Windows UEFI system. UEFI is open source, which meant the researchers could easily audit its code for flaws. To their surprise, they found some, including a few pretty basic integer overflow flaws. That said, exploiting these flaws was no easy feat. UEFI only allows userland processes to communicate with it in a limited fashion. Of course, the researchers eventually found a Windows function (SetFirmwareEnvironmentVariable) that allowed them to manipulated enough inputs to trigger their vulnerabilities. While they still had to get past a few hurdles for their attack to succeed, they did, and were able to take control of the UEFI boot process.

In the end, this means an attacker with administrative privileges could leverage this UEFI flaw to gain full ring 0 control of your computer. This allows the attacker to overwrite your BIOS, even on a secure UEFI system. Attackers could exploit this to brick your system, defeat secure boot, create an undetectable rootkit, subvert your hypervisor, and much more.

The good news is the speakers had informed US-CERT, Intel, and BIOS manufacturers of this issue, and most have fixed it. The bad news is not everyone installs BIOS upgrades often.

Mission MPOSsible

Topic: Hacking mobile point-of-sale (POS) systems

Speaker: Nils and John Butler

This talk focused on vulnerabilities found in many popular mobile POS systems used by consumers and smaller businesses. There are not the enterprise POS systems used by large retailers, rather small cellular devices just meant to take a chip and pin cards, and process the payments online.

The researchers did not share the name of the affected devices (though they hinted strongly at what they were), but they did say that 75% of the solutions for mobile chip and pin processing use this solution. These mPOS devices are small embedded linux machines, running Arm5 processers. The speakers compared them to equipment used in cheap MP3 players.

As embedded linux machines, the devices suffered all the potential security issues you might expect. For instance, they allow both Bluetooth and USB access, which presents attack surface. Via USB, the researchers were able to recover the device’s firmware and analyze it. They also found a vulnerability involving unplugging the USB cable, which allowed them to load malicious firmware.

Nils and Butler also decided to fuzz the EMV library (the chip and pin communication standard) on these devices. During their fuzzing, they discovered a very basic stack buffer overflow—one of the most basic memory corruption issues possible. They then demonstrated how they could exploit this to gain full root control of these devices. Of course, they decided to make their root control fun. Rather than just owning the device, they loaded up a custom made version of the Flappy Bird game, which they called Chippy Pin. Any talk that ends with a mobile POS device playing a video game, is a good presentation in my book.

I hope you found this quick summary of the Black Hat briefings interesting and potentially useful. If anything, it should give you an idea of some of the types of attacks you might see in the future. As usual, I found the Black Hat briefings fascinating, even though I was only able to attend a fraction of the talks. If you ever find yourself in Las Vegas late July or early August, I recommend giving Black Hat and DEF CON a try. — Corey Nachreiner, CISSP (@SecAdept)






Nine Microsoft Security Bulletins Coming Tomorrow; Two Critical

Is it just me, or are the months flying by this year? It’s already time for yet another Microsoft Patch Day. According to their advanced notification post for August, Microsoft will release nine security bulletins tomorrow, two with a Critical severity rating. The bulletins will include updates to fix flaws in Windows, Internet Explorer, Office, the .NET Framework, SQL server, and other Microsoft Server Software. You can find a little more color about the upcoming patches at Microsoft’s Security Response Center blog.

In short, if you are a Microsoft administrator, you should prepare yourself for a busy day of patching. I’ll post more details about these updates tomorrow, as they come out. However, I am traveling this week to attend a show, so my posts may not go live as quickly as normal. Be sure to keep you eye on their summary post tomorrow, if you’d like to get the details early. — Corey Nachreiner, CISSP (@SecAdept)

It’s Time to Change Passwords Again; 1.2B Stolen

If you follow me on Twitter (@SecAdept), you probably noticed me mention last week’s huge credential leak. If not, take note as it’s probably time to change your passwords again.

Last week, The New York times released a story about Russian hackers sitting on a dump of over 1.2 billion stolen credentials (usernames and passwords)… Yes, that’s billion with a b.

The New York Times based their story on information from Hold Security, a research firm that helped track the Adobe and Target breaches. According to a blog post, Hold Security’s researchers identified a Russian cyber gang (who they call CyberVor) sitting on a dump of 4.5 billion credentials; 1.2B actually being unique. They say the group also has over 500 million unique email addresses. This huge repository of data wasn’t the result of a single attack, rather a long term botnet campaign that allegedly leveraged SQL injection (SQLi) attacks to steal this information from over 420,000 vulnerable web sites.

Other than that, not much is publicly known about this campaign of credential thefts. In fact, some find this news somewhat suspicious, since Hold Security hasn’t shared all the relevant details yet. For instance, they haven’t said whether or not the stolen credentials are hashed, which would at least impose a small roadblock on those trying to leverage them. They also haven’t shared any physical data about this leak, at least publicly. Furthermore, they seem to be charging for a subscription service to tell you whether or not you are affected. That said, Hold Security is a well-known and respected group that even has the backing of Brian Krebs. Lying about a breach of this magnitude would be business suicide.

So the obvious question is, what should you do? It’s pretty simple actuallyif not a bit irritating. Change all your passwords! I know it’s a pain in the butt, but if this is true, bad guys probably have access to at least one of your passwords. You should use this as an excuse to change your password on every important site. I highly recommend using a different password on every site, and using a password vault to help you create and remember all these strong passwords.

One last aside. A few folks have asked me if they should get new credit cards. So far, there have been no reports that these Russian hackers are sitting on any credit card details. So currently, there is no need for any panic there. If news of credit card leaks comes out, your credit card company will likely inform you if you’re affected. — Corey Nachreiner, CISSP (@SecAdept)

Black Hat 2014 – Briefing Summary – Day 1

If you’ve never been to Black Hat, the week long security conference is separated into two parts; a four day (optional) period for technical training courses, followed by two days of security briefings, where researchers share their latest discoveries and vulnerabilities. While the trainings I’ve attended have been excellent, most of the week’s security headlines get generated from the new research shared at the Black Hat briefings (and from DEF CON, later in the week).

In hopes of giving you a virtual Black Hat experience, I’ll summarize the more interesting talks I attended over the past two days, giving you the highlights. Let’s start with briefing day one.

Cybersecurity as Realpolitk

Topic: General state of information security and the Internet

Speaker: Dan Geer

This talk began with a short introduction by Jeff Moss (@TheDarkTangent), the founder of Black Hat and DEF CON, who mostly commented on the disparity between security and complexity. We need to start simplifying overly complex systems if we have any hope of securing them.


Dan Geer is a well-known computer security expert, who has warned about potential computer and network dangers long before it was popular to do so. In this talk, Geer covered a wide-range of topics, sharing his thoughts on ten subjects relevant to information security. With so many topics to cover, I can’t summarize it all, but I can share some highlights:


  • Freedom, security, convenience… CHOOSE TWO.
  • The CDC is effective at stopping pandemics because they force mandatory disease reporting, have expert away teams, and analyze historical data. Infosec experts should do the same. Perhaps there should be mandatory breach reporting for big incidents, and voluntary, anonymous reporting for small hack incidents.
  • On Net Neutrality: ISPs should have only two choices. Either they can charge what they want for services, but be liable for the content on their wires, or they are protected from liability and don’t inspect content at all.
  • On strike back: Don’t do it (as much as I can understand the desire to).
  • Embedded systems require remote management, or an finite lifetime (because without updates their vulnerability grows over time)
  • US Gov. should pay 10x the price of anyone else to corner the 0day market, and then help vendors fix the issue to quickly decrease the amount of 0day that any attacker can use. I disagree with Geer a bit. While I think it’s a nice idea, I don’t have confidence the US Gov. would share the info with vendors, rather than sit on the exploits for use in their own operations.
  • On Privacy: We have the right to be forgotten.
  • Internet voting: Nope!


Geer covered many other topics, but that at least gives you a quick taste of his talk.


Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol

Topic: Attacking mobile phones using the Carriers management protocol

Speaker: Matthew Solnik & Marc Blanchou


This talk had a ton of potential, but fell flat due to execution issues. In a nutshell, the presentation highlighted the Over-the-Air (OTA) remote management tools that mobile carriers built into phones on their network, and how attackers could exploit these built-in tools to hijack your phone, launching man-in-the-middle (MitM) attacks, or even executing remote code on your phones.


The presentation included a ton of technical information, which was interesting to fellow researchers, but it was presented in a dry, hard to follow manner. Worse yet, the actual demo at the end, which could have saved the whole talk, failed before it even started. That said, it still covered a very interesting and relevant topic, and I hope phone carriers read Solnik and Blanchou’s slides and research.


A Survey of Remote Automotive Attack Surface

Topic: Which cars are the most vulnerable?

Speaker: Charlie Miller & Chris Valasek


Even knowing this talk wouldn’t include any new research, I attended it just because Miller & Valasak are such charismatic speakers—and they didn’t disappoint. Last year, this research pair made a splash by demonstrating hacks against a Toyota Prius and Ford Escape. Despite getting tons of media attention, their talk was turned down by Black Hat last year. This year, Black Hat seemed to be making up for that flub, but Miller and Valasek didn’t really have any new technical or hands-on research to present.


Rather, in this presentation the duo mostly explored the potential of a remote attack surface against cars, and also enumerated a bunch of different cars using online information, measuring how vulnerable they think various models are.


As far as the remote attack surface, Miller and Valasek didn’t uncover anything new, or do any real tests, but instead shared research from others, such as the UW’s attack on tire pressure sensors, etc… They also discussed how built-in Bluetooth, Radio data systems, cellular, Wi-Fi, and car apps all present remote attack service. However, they didn’t uncover or share any new vulnerability or prove one exists.

Next they described how they measured the vulnerability level of various cars from many manufacturers. Essentially, they got mechanic accounts to all these manufacturers and used the mechanical technical docs to figure out which systems a certain model car used. The more remote systems a car presents, and the closer those systems connections are to other mechanics on the car, and the more vulnerable it is. They also brought up the idea of “cyberphysical” systems, such as cars that have self-parking or proximity detection and response. These “drive-by-wire” cars allow digital systems to actually turn the wheel or brake, so obviously they present a lot of real-world risk.


In the end, the talk was a lot of fun to listen to, but didn’t add a whole lot new to the car hacking conversation. They did say they are releasing a big paper covering the most vulnerable cars they found sometime at the end of the week. So go check it out if you’re interested.


Government as Malware Authors: The Next Generation

Topic: Exploring evidence that governments are writing malware

Speaker: Mikko Hypponen


I’ve always liked Hypponen’s engaging presentation style, and recently had the pleasure to dine with and present along side him at WatchCom’s Paranoia conference in Norway. If you’ve seen his TED talk, you probably have heard his views on the Snowden NSA leaks and governments involvement in Stuxnet and other advanced attacks. This presentation was essentially more of the same, other than he also shared a little government hacking history from F-Secure’s perspective; showing and sharing some spear phishing attachment examples they’d collected as early as 2003. He also covered the some of the latest phishing attachment tricks like the right-to-left unicode trick I mentioned in one of my weekly videos. It was an interesting talk that I’d recommend to anyone, but one I’d essentially seen before.


Pulling the Curtain on Airport Security

Topic: Vulnerabilities in TSA scanning equipments

Speaker: Billy Rios


This was a great talk; one of the best I saw. Billy Rios is a soft-spoken, but wicked smart security researcher who’s found many flaws in embedded devices. This time he researched some of the scanning equipment used by the TSA in airports. First, here are some interesting TSA stats:


  • TSA employees around 50,000 people at 400 airports in the US.
  • They spend $7.39 billion a year.
  • They are REQUIRED to spend $250 million on new screening gear.
  • We (as taxed citizens) pay for all this, so should consider its efficacy and usefulness important.


In any case, Rios found and bought a bunch of scanning equipment on Ebay that the TSA uses. He then reversed it and found a lot of very basic, low-hanging vulnerabilities… Circa 1990 security flaws like hard-coded service credentials and the like. He tested devices like x-ray scanners, fingerprint time clocks, and itemizers (the systems that sniff for drugs). I won’t go into all the details, but he basically found pretty big, often remotely exploitable issues in all these embedded systems.


His take-aways? First, if you use embedded devices you should audit them for risks and vulnerabilities. Second, you should trust, but always verify.


Breaking the Security of Physical Devices.

Topic: Radio signal reversing, and embedded device security

Speaker: Dr. Silvio Cesare


At a high-level, this talk was very similar to the last one, in that Dr. Cesare targeted embedded devices. He gathered together various, common home automation systems consumers might get at Home Depot or Target. Things like an analog baby monitor, various types of home alarm systems, and even the keyless entry fobs we use to unlock our cars. Then he showed how to defeat all these systems by analyzing and reversing their radio signals. Once the signal was reverse, he could either eaves drop or launch various key replay attacks.


If you are into radio signal tech and security, this was a very interesting talk. He shared how you could use cheap software defined radio equipment to do the capture and analysis, and even shared how to get relatively cheap spectrum analyzers. He also shared how to demodulate various types of radio signals, whether AM or PWM, and covered details on how you might crack rolling key codes. It was very interesting stuff, but very technical, and mostly for those into radio frequency hacking.


So that’s it for day one. As you can see, Black Hat briefings cover a wide gamut of interesting infosec related topics. You always learn something new, and it’s great just to hang out around people who are as passionate about the topic as you. I’ll return tomorrow with my summary of the day two briefings.

— Corey Nachreiner, CISSP (@SecAdept)






Good News! You Might Get Your Cryptolocker Encrypted Files Back

You probably remember Cryptolocker; a very nasty piece of ransomware that successfully encrypted files on many computers, and made its authors millions in ransom.  If not, you can learn more about it here. Though it wasn’t horribly advanced, it did use industry standard public/private key encryption, making it almost impossible for good guys to actually crack the encryption and get your files back.

However, there’s some great news on that front!

This week, FireEye and Fox-IT published a site called If you share your email address, and one of your Cryptolocker infected files with this site, they will email you the private key and a tool that can decrypt all your Cryptolocker files. If you were one of the folks that didn’t have a good backup, you finally have an option to recover files other than just paying the criminals (never a good idea).

So how did FireEye and Fox-IT accomplish this? Essentially, by gaining control of, and taking down Cryptolocker’s command and control (C&C) infrastructure (where the criminals stored all their private keys). If you’d like to know more about it, I suggest checking out FireEye’s blog post.

This is awesome work, and hopefully a big relief to anyone that still has Cryptolocker infections. That said, there are many Cryptolocker copycats and variants. This takedown has gained access to a specific group’s C&C servers and keys, but not all ransomware variants. There is a chance this tool won’t decrypt the files for every Cryptolocker variant, and it surely won’t help with the copycats.

In any case, it’s great to see a score for the good guys.

— Corey Nachreiner, CISSP (@SecAdept)


Get every new post delivered to your Inbox.

Join 7,581 other followers