Black Hat USA 2021 Review: Mobile platforms and open source software emerge as major cybersecurity threats

Black Hat USA 2021 is the 24th year of the prestigious cybersecurity event, and the conference is a unique blend of online and offline experiences. Four days of online live virtual training (July 31-August 3) with all instructors available to connect in each course. The two-day themed conference (August 4-5) features briefings, Arsenal, Business Hall and more, offering virtual (online) events and live in-person events in Las Vegas. At this year’s Black Hat Cybersecurity Conference in the United States, from the speeches of on-site participants and the online exchanges from security researchers around the world, mobile platforms and open source software have become the most concerned key cybersecurity issues. Second, DNS-as-a-Service is opening up an open highway for enterprise networks, GPT-3’s advanced text capabilities will be favored by fake message attacks, and finally, attackers are also plagued by ransomware.

In his opening keynote speech, Black Hat founder Jeff Moss summed up the general feeling in the cybersecurity community. The cybersecurity community has withstood the explosion of ransomware attacks, major supply chain attacks, and the development of serious nation-state hacking operations from Russia, China, North Korea, and Iran.

“We just realized we had a punch in the face and we were trying to figure out how to fix it,” Moss said. “It’s been a really stressful couple of years.”

Here are five key points to focus on at this year’s Black Hat conference:

1. Mobile platforms are the next focus for malicious actors

There is growing evidence that threat actors are devoting significant resources to exploiting vulnerabilities in mobile platforms. With approximately 6 billion smartphone users worldwide, this is a very attractive opportunity not to be missed.

Attacks on mobile devices have coincided with an increase in “zero-day exploits,” which are unknown in the security world and therefore not patched.

“Zero-day” exploits are market driven, based on supply and demand. Last year, “zero-day” brokerage Zerodium announced it was suspending its acquisition of Apple’s iOS exploits because of the number of bugs submitted. Last summer, an iPhone zero-day vulnerability allowed cybercriminals to break into the mobile devices of 36 international journalists.

Corellium LLC COO and former analyst at the National Security Administration (GCHQ) Research by Matt Tait shows that the problem is getting worse.

“The ‘zero-day’ vulnerabilities in mobile phone devices are being exploited dramatically,” Tate told attendees. “We’re only seeing a fraction of what’s possible in the world.”

Part of the problem is that the architecture of some mobile platforms creates its own set of problems. Natalie Silvanovich, a security researcher at Google’s Project Zero, analyzed mobile text messaging vulnerabilities and found that one user could turn on another user’s camera or audio without the other’s consent.

She found various vulnerabilities in FaceTime, Signal, Facebook Messenger, JioChat, and Mocha, which have all been reported and fixed.

“It’s quite concerning to have someone else’s camera open and take some pictures without the user’s consent,” Silvanovic said.

2. The open source community needs to pay more attention to security

By its very nature, the open source model is not designed to generate fully secure code. Security can be easily overlooked when you have millions of contributors from all over the world, freely available resources for important software tools, and an ever-changing maintainer.

The problem is, the threat actors know this too, and they’re taking advantage of it. The 2017 Equifax hack exposed the personal information of 147 million people after it exploited a vulnerability in an unpatched open source version of Apache Struts.

Threats involve the tools developers use and where they are stored. It was reported last December that two malicious packages were published to NPM (a code repository used by JavaScript developers to share code blocks). Additionally, an analysis by GitGuardian found that in 2020 alone, 2 million “secret” passwords and credentials were stored in public Git repositories.

“The situation is not getting better, and in addition, the complexity of applications is increasing,” said Jennifer Fernick, senior vice president and global research director at NCC Group. “The number of reported vulnerabilities in open source software is growing every year. Without careful and coordinated Intervene and I think it’s going to get worse.”

3. DNS-as-a-Service is opening up an open highway for enterprise networks

Vulnerabilities in the Domain Name System (DNS) have long been known, but a group of security researchers recently conducted a simple experiment and found more disturbing results.

DNS is an underlying technology behind the open Internet, which facilitates communication between computers on IP networks. DNS services have been expanded across various cloud providers that offer DNSaaS (DNS-as-a-Service) as a managed enterprise networking solution.

Wiz security researchers Shir Tamari and Ami Luttwak discovered the problem. Register a domain name and then use it to hijack a DNSaaS provider’s nameservers, allowing users to eavesdrop on dynamic DNS traffic. Using a hijacked server, researchers eavesdropped on the DNS traffic of 15,000 organizations.

Two of the six major DNSaaS providers have fixed the flaws, Tamari and Luttwak said.

“DNS is the lifeblood of the Internet and one of the most important services,” Luttwak said. “A simple domain registration gave us access to thousands of companies and millions of devices. When we dug deeper, we found that these affected organizations were from Fortune 500 companies and over 100 government agencies.”

4. GPT-3’s advanced text capabilities make fake news attackers salivating

As an advanced project within OpenAI, GPT-3’s ability to generate human-like text is powerful, convincing, and potentially very dangerous, according to two security researchers at Georgetown University.

Note: Generative Pre-trained Transformer 3 (GPT-3) is an autoregressive language model that uses deep learning to generate human-like text. This is the third-generation language prediction model in the GPT-n series developed by OpenAI, an artificial intelligence research laboratory located in San Francisco, USA.

The AI ​​text generator is the largest neural network to date that can return fully understandable passages of writing given a textual cue or sentence. GPT-3 can also generate usable computer code, and even wrote an informative blog post about it. What could go wrong?

OpenAI provides automated language tools for Drew Lohn and Micah Musser, research analysts at Georgetown University’s Center for Security and Emerging Technologies. They had six months to study what kind of damage it would do.

Using different control groups, the researchers tested multiple samples on political or social issues to see if readers could tell the difference between what was written by a human and what a machine had written. When GPT-3 was asked to rewrite two legitimate news stories from the Associated Press into pro-Donald Trump or against the former president, a Panel of experts couldn’t tell the difference.

The researchers point out that GPT-3 is particularly good at generating tweets with very few instructions, and its speed and accuracy make it possible to spread large amounts of information from a single social media account.

“I’m not sure the consequences are being adequately considered as they should be,” Ron said. “There are a lot of potential benefits to these technologies. We need to discuss these kinds of decisions.”

5. Hackers also have a problem with ransomware attacks

Over time, the cybersecurity community has begun to gain a clearer understanding of the methods and operations used by state hackers, as well as their problems.

Security researchers at IBM Corp. X-Force have been analyzing exploits for “IBM Threat Group 18,” which overlaps in cybersecurity with Iran’s cyberwarfare group Charming Kitten. Unlike hacking operations in other countries, ITG18 is very lax about keeping its work out of the public eye, and doesn’t seem particularly concerned about that.

The group has been conducting phishing attacks on pharmaceutical companies, journalists and Iranian dissidents. Last May, IBM researchers discovered a series of training videos released by the group. In addition to providing guidance on how to test access and steal data from compromised accounts, the videos exposed website information related to Iranian phone numbers of group members. These materials show that hackers have had problems solving captcha, like many of us, and provide evidence that they themselves were victims of ransomware attacks due to poor security.

“Over the past 18 months, we have continued to see mistakes in this group,” said IBM Security X-Force analyst Allison Wickoff. “We thought it would be great if we could change the rules to make the opponents we’re dealing with become more human.”

The Links:   NL2432HC22-41K NL10276BC20-07Y POWER-IGBT

Related Posts