by John Brandon

Black Hat, Defcon Security Horror Stories Show Enterprise Vulnerabilities

Sep 12, 20125 mins
FirewallsIntrusion Detection SoftwarePhishing

Java hacks, VPN hacks, firewall hacks and even hotel room key hacks. Nothing is safe anymore, judging from an analysis of presentations at Black Hat and Defcon this summer. The lesson for enterprise CIOs? Be afraid. Be very afraid.

A raging computer virus can wreak havoc on your network. One innocuous video surveillance camera in the parking lot outside your corporate campus can be a gateway for destruction. A code snippet from a seemingly harmless, decades-old Microsoft database utility can leave the door open for hackers.

Knowing the latest security threats is half the battle in keeping an enterprise security breach off the front pages of your local newspaper. At this summer’s Black Hat and Defcon conferences in Las Vegas, experts recounted several emerging threats that could comprise intellectual property, reveal corporate secrets or run wild on corporate networks.

Black Hat

Java Zero-Day Exploits Spreading Like Wildfire

The Java zero-day exploit linked to the Nitro hacker group in Asia is the biggest story to come out of Black Hat, according to Anup Ghosh, CEO and founder of security software company Invincea. The Java code uses a spear-phishing technique, which targets specific companies and is a common nation-state tactic. Hackers link multiple Java zero-day attacks in the browser; Ghosh estimates there are at least 100 known sites hosting the exploit now. It is also now included in the well-known BlackHole toolkit that cybercriminals use to distribut their wares.

Black Hat News: Java Vulnerabilities Increasingly Targeted By Attackers

“Java exploits are cross-platform. Oracle has reportedly known about the flaw since April but isn’t scheduled to release a patch until [its] regular patch cycle in October,” Ghosh says. “The number of users that are vulnerable is extremely large.”

Large security pundits, he says, are advising people to uninstall Java. Ghosh disagrees with this approach. “Uninstalling Java or disabling functionality in general is not the right solution. Start with Java, then what next? Flash, JavaScript, HTML5, the browser, the Web?”

Network Card Backdoor Access

One emerging threat has to do with the hardware products you buy. Steve Weis, co-founder of security consultancy PrivateCore, says a network card could be programmed with a backdoor that a hacker can use to gain access to your company network. This physical-level access can circumvent any security precautions you have at a software layer. Experts at the conference even named specific vendors and card models, which for security reasons won’t be listed here. For a large enterprise, the solution is to audit your vendor supply chain thoroughly, he says.

Cheap Hack for Outdated VPN Software

One interesting exploit not directly related to a gap in security infrastructure is a trend that makes a known hack much easier. Security experts have known for years about the MS-CHAPv2 exploit. This VPN system from 1999 predates existing encryption technology and has known weaknesses but remains in use. Normally, cracking this vulnerability requires expert hacking skills and intensive compute power.

More Black Hat News: Vulnerabilities in Payment Terminals Demonstrated At Black Hat

However, Joe Levy, the CTO of security company Solera Networks, points out that a tool released at Defcon called ChapCrack can crack this vulnerability within 24 hours for $200.

Advanced Evasion Techniques to Bypass Firewalls

One of the most troubling developments in hacking is called an advanced evasion technique (AET). Technically, this is not a new exploit or attack, but it is a way to circumvent existing security practices, says Richard Benigno, a senior vice president at Stonesoft Americas, a network security company.

Using AET, an attacker breaks apart an exploit into pieces, bypasses a firewall and then reassembles the code to create the attack. Benigno says this technique is rare, since the hacker has to write complex code designed for a specific attack, but the threat is on the rise. One tool released at Black Hat, for example, contains 150 ways to bypass Web application firewalls.

Social Engineering to Steal Data in Minutes

At Defcon, Chris Hadnagy, who runs the site, set up an event in which a “contestant” called an enterprise and said he was from the IT department. The caller created a story about how the IT staffer was at his son’s birthday party but needed some information to get some work done over the weekend. After 10 minutes, the contestant was able to find out a variety of things, such as who handles the Dumpster service for the company and operating system the company uses. The enterprise employee even visited a fictitious corporate website.

Analysis: Big-Name Companies Easy Target for Social Engineers

“All of this was an exercise, but, at the end of the day, these are similar attacks to what is being done by malicious social engineers to get information out of their victims,” Hadnagy says.

Hotel Door Lock Bypass

Here’s a security threat causing concern in the travel industry. According to Chet Wisniewski, a senior security advisor at Sophos, an endpoint security company, one researcher explained how he used a handheld computer to unlock hotel door locks. The researcher estimates that about 4 million locks in use today are easy targets for this type of break-in, which reads a lock’s decryption key, accesses the lock’s firmware and triggers an open command, all in a matter of seconds&mash;and the firm that makes these locks want hotels to pay for the security fix.

Black Hat attendees also heard about exploits related to near-field communication (NFC), a wireless protocol used in high-end phones like the Google Galaxy Nexus for financial transactions. There was even talk of how there are hacks to invade air traffic control systems and video surveillance cameras, although those discussions seem to persist every year with nary a successful demonstration to show for it.

John Brandon is a former IT manager at a Fortune 100 company who now writes about technology. He has written more than 2,500 articles in the past 10 years. You can follow him on Twitter @jmbrandonbb. Follow everything from on Twitter @CIOonline, on Facebook, and on Google +.