Last week cyber security experts gathered at the Mandalay Bay hotel in Las Vegas for the 9th annual Black Hat conference. While the major media focus was on the connected car vulnerabilities I discussed in a previous post, there were many other important subjects covered. Let’s look at some of the highlights.
Android Fingerprint Sensor Hack
Some smartphones include fingerprint sensors that allow users to swipe their finger instead of entering passwords. FireEye researchers Tao Wei and Yulong Zhang presented evidence that fingerprint readers on many Android devices are vulnerable to attack. The sensors are not locked down, and the files controlling them are easy to hack even on unrooted devices. A clever hacker could install malware on a device and use it to steal the fingerprint of anyone who uses the sensor. Unlike passwords, fingerprints cannot be changed. Once a fingerprint is compromised, it’s compromised for life. Fingerprints are tied to someone’s identity on documents such as passports and police records. Manufacturers of the affected devices have issued patches to resolve the security flaws, but as more devices with fingerprint readers become available we’re sure to see more users affected in the future.
Google Talks Android Security
In the wake of the Stagefright security flaw that exposes approximately 950 million Android devices, Android security chief Adrian Ludwig spoke about Google’s plans for fixing the bug. The company will update all its Nexus devices (including those that are WiFi only) and provide security support for all Nexus devices for a minimum of three years. With public confidence shaken, Ludwig also spoke about Android’s existing security features and security analysis for apps offered through the Google Play Store.
Defending Against Watering-Hole Attacks
Senior development engineer Aaron Hackworth of Dell SecureWorks detailed the methods and activities of a cyber espionage group based in China. Dubbed TG-3390, this group’s major strategy is to target organizations through web sites and services that employees are known to use. The hackers compromise the service and redirect traffic to a malicious web site. When someone visits from an IP address of interest, the site installs malware on their machine. Once the hackers have access, they attack the domain controller and install keyloggers and back doors on any Microsoft Exchange servers. This allows the group to steal credentials so they can re-enter the network if discovered. Hackworth recommended removing all local administrator rights and switching to two-factor authentication (2FA) on all remote-access services, which thwarts the hackers’ ability to steal login information and regain access.
Stealing Data with IoT Devices
According to Columbia University researcher Ang Cui, printers, Internet of Things (IoT) devices and other inexpensive network-capable devices can be hacked into radio transmitters. This hack uses I/O pins and a connected cable to generate radio waves that a receiver can pick up. Cui demonstrated the hack on an inexpensive printer, using the printer cable as an antenna and picking up the signal on a handheld radio. The most troubling part of this hack is that, because it works on devices that do not even have WiFi, hackers can target devices on the network that IT personnel may not even consider a point of vulnerability.
OPM Pwnie Award for Most Epic Fail
In a year of massive data breaches, the government’s Office of Personnel Management managed to take home the least-coveted award at the conference. In June the OPM announced that background check records on 25.7 million current, former and prospective government employees and contractors had been stolen by hackers with close ties to the Chinese government. The hackers managed to stay in the system for over a year, and unnamed sources told ABC News that the records of top administration officials and current and former cabinet members were compromised. Not surprisingly, the award went unclaimed.