7 deadly sins: The most dangerous new attack techniques for 2014

RSA panel with Skoudis, Ullrich, Assante looks at digital threat landscape

SAN FRANCISCO -- In a packed session at the RSA conference Tuesday, three panelists took turns at the podium to provide a look at IT security attacks they are seeing in the wild. They also offered advice on hardening defenses against these seven attack trends.

Ed Skoudis, founder of Counter Hack and a longtime SANS Institute fellow:

1. Bad guys go wireless

Skoudis pointed out that attacks on wireless systems are nothing new. The twist is that the attackers themselves are taking better advantage of wireless as an attack platform, not just as a target.

Examples included RFID scanning hotels or retail environments, looking to grab credit card numbers. Skoudis said Bluetooth attack devices are on the rise, not only because of vulnerabilities in Bluetooth but also because "frequency hopping makes it hard to spot nefarious Bluetooth devices."

Defenses include turning off wireless devices when not in use (which is hard to do consistently and thoroughly) and using two-way authentication rather than one-way, so the server must authenticate itself to the remote device, not just vice versa.

2. Air gaps are dying

Skoudis drew (nervous) laughter by observing that most "air gaps are neither 'air' nor 'gap'. Instead you should think of them as low-latency connections."

Attacks or failures Skoudis mentioned included some seemingly esoteric academic exercises (e.g. a December 2013 paper on "RSA key extraction via low-bandwidth acoustic cryptanalysis") and more mundane worries such as USB keys being used to bridge the gap, as was speculated to be the case with Stuxnet.

A real-world example: Skoudis related an incident in which a control systems engineer proudly sat at a PC attached to an allegedly air-gapped ICS network. And while demonstrating elements of that network, the engineer plugged his (Wi-Fi and 4G-enabled) iPhone into that PC to charge his phone battery.

Defenses: Skoudis stressed defense-in-depth, including strong (two-factor) authentication, rigorous network segmentation, encryption of data at rest as well as in motion, and continuous monitoring.

3. Hacking the Internet of Things

"Hackers are reverse-engineering the underlying embedded systems" in a wide variety of Internet-connected objects, aka the Internet of Things, Skoudis said. Running through a series of examples--an alleged airplane control system hack in Amsterdam, a 2012 DEFCON talk on hacking the Spanish train system, and a 2013 Charlie Miller DEFCON session on cracking car systems--Skoudis observed, "That's planes, trains and automobiles," and cued a picture of John Candy and Steve Martin.

Defensive recommendations start with discovery and inventory of connected systems, rigorous patching and consistent pressure on vendors to ensure products get proper security attention and testing before release. "You're going to have to patch your baby monitor every month," Skoudis joked.

Johannes Ullrich, who runs the SANS Internet Storm Center: 

4. Bitcoin attacks

Ullrich observed that custom malware aims to steal Bitcoin cryptographic keys, which then results in the theft of the currency itself. Notably, the Android Bitcoin Wallet used a weak random number generator, creating keys that were particularly vulnerable to 'guessing' and theft.

Ullrich also said that Bitcoin mining has created the most direct form of monetization of compromised systems. A hacker with a network of bots can use all excess CPU cycles on those PCs for Bitcoin mining. This type of malware "can go unnoticed for long periods of time," he said.

5. Point-of-sale malware

While the late 2013 Target breach brought this attack into the spotlight, it's not a new attack--Ullrich said Visa issued a merchant warning several years ago. A common method is to scrape transactional data directly from the POS system's memory, grabbing that data before it is encrypted for network transport.

Ullrich specifically mentioned Dexter/Project Hook malware, which has been in use for more than a year, attacking Windows-based POS systems and exfiltrating data in real time.

Defenses include standards such as hardened passwords, firewalls and patching; using dedicated POS terminals (not PCs that are also used for off-hours Internet surfing); and encrypting data "as close to the reader as possible."

6. Targeted email interception

This is another attack vector that isn't new, but is rising in popularity, according to Ullrich.

The typical methodology involves "harvesting social networks" looking for employees who deal directly with money, e.g. those with "accounts payable" listed in a professional profile. The next step is to crack webmail accounts for those employees, and then monitor for messages pertaining to specific financial transactions.

The attacker can try to insert himself into the messaging thread--for example, he could send a followup email from a bank employee account to a realtor involved in a large transaction, saying "Just wanted to confirm the details, and also let you know that the account has been changed--send the proceeds of the sale to …" and listing an account controlled by the attacker.

Defenses include hardening email security, using two-factor authentication for webmail accounts, training users on the specifics of this type of attack and implementing processes such as requiring two different employees to verify account changes.

Michael Assante, former CSO of American Electric Power and the North American Electric Reliability Council: 

7. Control system hacks

Panel moderator Alan Paller of SANS Institute said Assante was invited to join the panel to provide insight into attacks on control systems, particularly in critical infrastructure.

Assante noted that most of the methods detailed by Skoudis are already being directed against control and SCADA systems. He emphasized that "we're making it too easy" on hackers by extending enterprise Active Directory systems across the gap and using them on control system networks as well.

"The logical segmentation is compromised" by these shared resources, Assante said. Attackers use malware to establish a foothold on the enterprise side, find directory services and steal legitimate login credentials, and then use those to jump to the control systems. Combined with the fact that artifacts of compromise are very hard to identify on low-level SCADA and industrial systems, this gives hackers easy long-term access. 

"We have to get better at identifying aberrant user behavior" as part of the defensive equation, Assante said.
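One way to put Assante's "aberrant user behavior" point into practice, as an added example that is neither the panel's nor the article's: when one Active Directory domain spans both zones, flag any account that authenticates into a zone it has no history in, or that is active on both sides of the segmentation boundary within a short window. The zone labels, the 30-day baseline and the logon events below are constructed for illustration.

```python
"""Flag domain accounts that cross from the enterprise zone into the control zone.

Added example. Assumes logon events have already been normalised to
(timestamp, user, destination host, destination zone); every record below
is constructed, not taken from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: zones each account authenticated to in the prior 30 days.
BASELINE = {
    "jdoe": {"enterprise"},
    "ops-hmi": {"control"},
    "svc-backup": {"enterprise"},
}

# Constructed sample of new logon events: (time, user, host, zone).
EVENTS = [
    ("2014-02-25T08:01:00", "jdoe", "ENT-WS-12", "enterprise"),
    ("2014-02-25T08:05:00", "jdoe", "ENT-FS-01", "enterprise"),
    ("2014-02-25T08:07:00", "ops-hmi", "ICS-HMI-02", "control"),
    ("2014-02-25T08:09:00", "jdoe", "ICS-HMI-02", "control"),  # enterprise user on an HMI
    ("2014-02-25T22:40:00", "svc-backup", "ICS-HIST-01", "control"),
    ("2014-02-25T22:41:00", "svc-backup", "ENT-SQL-03", "enterprise"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def detect_zone_crossings(events, baseline, window=timedelta(minutes=30)):
    """Return alerts for (1) a logon to a zone the account has never used and
    (2) the same account active in both zones within `window`."""
    alerts = []
    last_seen = defaultdict(dict)  # user -> {zone: time of most recent logon}
    for ts, user, host, zone in sorted(events):
        t = parse(ts)
        if zone not in baseline.get(user, set()):
            alerts.append((ts, user, f"new-zone:{zone}", host))
        for other_zone, other_t in last_seen[user].items():
            if other_zone != zone and t - other_t <= window:
                alerts.append((ts, user, f"cross-zone:{other_zone}->{zone}", host))
        last_seen[user][zone] = t
    return alerts


if __name__ == "__main__":
    for alert in detect_zone_crossings(EVENTS, BASELINE):
        print(*alert)
```

The unknown-account case falls out naturally: a user absent from the baseline has no permitted zones, so every logon is flagged until an analyst adds it.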
