Ever heard of Black Hat?
For those business professionals who haven’t heard of one of the world’s most important cybersecurity conferences, (it was held in D.C. last week, and will be held again in Las Vegas in August), they’d better start. Security conferences such as Black Hat, Defcon, and others are ground zero for the hacking community. These conferences are where new hacking threats and “zero day” exploits are revealed to the world before they wind up in our inboxes.
Black Hat is always an eye-opening experience. It boggles the mind to see all the new ways that the security community has discovered to break into businesses, computer networks, devices and private information.
Although there were over two dozen scary new threats unveiled at this year’s event in D.C., here are the six risks most pertinent for chief security officers, chief technology officers and anyone who is responsible for the security of a network:
•Fake Phone Networks: It is now possible for hackers to create fake phone networks for AT&T (T) and T-Mobile devices. This is a potentially serious new security threat that could impact up to 90% of all cell phone users worldwide. This new attack, presented by Ralf-Philipp Weinmann, exploits a GSM cellphone or smartphone’s “baseband processor” to take over control of the victim’s phone.
•Hacking Your Phone to Hack Your Computer: For the past two years, security experts, including myself, have warned about the looming risks to smartphones. Because these devices are essentially “mini-computers,” they have become an important new attack vector for criminals and professional hackers.
One of the latest threats is particularly deadly--it first hacks the victim’s smartphone, then infects the person’s computer as soon as they connect the two via a USB cord. These attacks could be used to spread malicious codes or steal sensitive data. The research was presented by Angelos Stavrou and Zhaohui Wang from George Mason University.
•Denial of Service Against Your Desktop: Most business professionals know what a denial of service (DoS) attack is, particularly following the Wikileaks “Operation Payback” attacks. A DoS attack overwhelms a Web site with traffic so that no one else can use it. Well, now imagine how this would affect the average business if hackers did the same thing for applications.
Imagine the disruption to business operations if hackers could shut down applications like Outlook, Word, Adobe Reader and more. Researchers Tom Brennan and Ryan Barnett revealed that this type of attack is possible for Web-based applications, and it might also work for applications that rely on a Web-interface.
•Cloud-Based Warfare: We are still in the early stages of harnessing the economic and technological potential of “the cloud," but it is already becoming clear that the cloud will be a power not just for good, but also for evil.
On the one hand, the cloud lets businesses benefit from better Web-based services, it also enables researchers to harness the computational power of a shared network of computers to solve massive algorithms. But researcher Thomas Roth has discovered that this same computational power can now also be harnessed by criminals to hack simple password algorithms for such things as Wi-Fi networks, Intranets, e-mail, etc.
• Breaking Open Your Android Phone: As a further reminder that smartphones aren’t immune to hackers, researcher Itzhak Avraham found a new way to hack Android devices.
Since Google is now positioning Android devices for the enterprise market, this news should be of interest to the business community. According to Avraham’s research, attackers can exploit holes in a widely used Android application to take control of these smartphones.
•Stealing Corporate Secrets Through Weak Systems: Hackers can steal sensitive information from businesses by attacking systems that are assumed to be protected.
For example: Customer Relationship Management (CRM), Supplier Relationship Management (SRM) and Enterprise Resource Planning (ERP) systems, which typically have low-levels of security and are attached and trusted by other secure systems like SCADA and banking workstations. The research was presented by Val Smith and Alexander Polyakov.
Digital security is a constantly evolving field. New risks emerge almost daily and systems that were once secure are regularly undermined by newly discovered backdoors, programming flaws and creative attacks. It’s critical for the business world to stay abreast of these developments, before they are used to target enterprise networks, corporate databases and even individual smartphones.
Michael Gregg, CISSP, CISA, CISM, is an ethical hacker, author of several IT security training books and a consultant to Fortune 500s, U.S. government and the military. He is the COO of Houston-based Superior Solutions, and is hired by private companies and government agencies to hack their computer networks - in order to prevent malicious hackers from doing so.