This Week in Cybercrime: Black Hat USA 2013 Uncovers a Bevy of Exploits

Spy Chief Addresses Hacker Nation

The highlight of this week in cybercrime was the Black Hat USA 2013 conference that took place in Las Vegas. Though dozens of cybersecurity researchers showed up to alert the world to the wide-ranging vulnerabilities that could be exploited by cybercriminals, the top story was the appearance of Gen. Keith Alexander, director of the National Security Agency and chief of U.S. Cyber Command. Alexander was booked to deliver the gathering’s opening keynote address well before Edward Snowden’s revelation’s about the NSA’s PRISM program for collecting phone call metadata. So there was much speculation about whether Alexander would show up, whether he should, and what type of reception he would receive. In video of the talk, recorded by Kaspersky Lab’s Threatpost, the audience,

“was initially cordial and attentive, but soon turned somewhat restive and hostile. While Alexander defended the NSA’s intelligence-gathering efforts and provided examples of how they had led to the disruption of terror attacks in recent years, some people in the audience were uninterested and shouted criticisms and accusations at him.”

What a nice way to get the party started.

Wolves in Sheep's Clothing

Deception is the name of the game for malware creators. But as security firms get better at identifying the sites from which malicious code originates and heading it off at the pass, cybercriminals have employed a bold gambit. In a talk at Black Hat, Michael Sutton, vice president of research at ZScaler, a cloud-based security firm, said that cybercrooks are ever more frequently cloaking their creations by sending them from commercial file hosting sites and cloud services. These sites typically don’t monitor what is being distributed via their networks, and security protocols used by other firms aren’t set up to block code that has legitimate file hosts’ tacit safety endorsement.

“It used to be that [attackers] would set up their own servers,” Sutton told Black Hat attendees. “Then we saw them infecting legitimate third-parties. Now they are using hosting services. They are no longer paying for hosting [malware] and are less likely to get blacklisted.”

According to a Computer World article, “a blog on Zscaler's website lists nearly three-dozen malicious files hosted on the Google Code site, which contains tools for software developers.”

How big a deal is this? In the second quarter of 2013, the IP filtering system that Secure cloud hosting service Firehost reports that in the second quarter of 2013 its IP filtering system blocked 1.3 million unique attacks. Of those, Firehost CEO Chris Drake told the session’s attendees, a significant number originated from IP addresses belonging to cloud services companies.

How Would You Like Your Calls: Dropped or Stolen?

You were at your wit’s end over the number of dropped calls on your cellphone, so you got a femtocell low-power base station to boost the cellphone coverage inside your home or office. But at Black Hat, researchers from iSec Partners showed that the gadgets have boosted cybercriminals’ ability to intercept your calls, text messages and other data.

ISec Partners researchers Tom Ritter and Doug DePerry demonstrated the cellular network break-in using a femtocell from Verizon (though they noted that other carriers’ femtocells are just as vulnerable).

The crowd watched as the duo gained root access to the Linux operating system used in the femotcell via an HDMI port at the base of the system. At that point, they were able to make settings adjustments causing the femtocell to intercept voice and text messages from cell phones connected to the device. Not only did they intercept attendees’ text messages and play back audio of a phone call made by one of the researchers during the talk, they also showed how root access makes it possible to clone other cellphones connected to the femtocell. Uh oh.

The researchers noted that Verizon patched the vulnerability after it was notified. But some other companies’ devices are still susceptible to the hack.

 “High-Tech” Security Easily Thwarted

Millions of people sleep soundly each night, secure in the knowledge that door and window sensors, and motion detectors are unblinking sentries keeping watch over their homes and businesses. But after researchers at Bishop Fox delivered their talk at Black Hat on Wednesday, they might not rest so comfortably. The security experts said that these devices as well as the keypads that consumers use to arm, disarm, and configure security systems can be bypassed easily, and you don’t have to be MacGyver to do it.

Some door sensors, for example, operate using magnetic fields. Introducing a strong magnetic field is enough to trip a lock and gain entry. Once inside, simply aiming an infrared beam at a room’s motion detectors is enough to blind them so they can’t pick up telltale changes in temperature that would otherwise indicate activity. A burglar can ensure that if all else fails, the keypads, many of which communicate via cellular networks, are incapable of alerting the police. A keypad can be easily fooled into connecting to a base station controlled by the crook instead of linking to the real cellular network.

In Other Cybercrime News…

A report from KPBS in San Diego revealed this week that when security blogger and former Washington Post reporter Brian Krebs raised the ire of Russian cybercrooks by exposing their activities and the underlying techniques, the crooks were determined to get revenge. The cybercriminals weren’t satisfied that sending a heavily armed SWAT team to his door with a frantic call to police to report a fake hostage situation was sufficient payback for shining a light on their schemes. So they concocted a coordinated revenge plot aimed at getting Krebs busted for heroin possession. The problem, at least from the hackers’ standpoint, is that Krebs was so tuned in to their networks that he was able to watch the plan—to have the drugs delivered right to his mailbox—in real time. Krebs alerted the FBI about the plot and the fact that the administrator of a cybercrime forum whose dealings he had been repeatedly outed intended to spoof a phone call to local police “from a concerned neighbor.” The KPBS story notes that:

“The hacker, known as "Flycracker," put out this call to his fellow cybercriminals: ‘Guys, it became known recently that Brian Krebs is a heroin addict and he desperately needs the smack, so we have started the ‘Helping Brian Fund’, and shortly we will create a bitcoin wallet called ‘Drugs for Krebs’ which we will use to buy him the purest heroin on the Silk Road ... We will save Brian from the acute heroin withdrawal and the world will get slightly better!’ Basically, "Flycracker" was crowdfunding a drug plant, sort of like an evil bootleg Kickstarter.”

Image: Black Hat