Mobile and Web security will be major topics at Black Hat

Security researchers will disclose new vulnerabilities affecting mobile and Web technologies at security conference

Security researchers are expected to disclose new vulnerabilities in near field communication (NFC), mobile baseband firmware, HTML5 and Web application firewalls next week at the Black Hat USA 2012 security conference.

Marking its 15th year, thousands of security enthusiasts and IT professionals flock to the annual Las Vegas conference to watch some of the industry's top researchers present their latest findings.

With the rise of smartphones during the last few years, mobile technologies have become a major focus of security research -- and for good reason. Many of today's mobile phones are actually mini computers that store a wealth of sensitive data and this makes them attractive targets for attackers.

Some smartphone vendors have implemented NFC technology to enable contactless mobile payments. Users only have to wave their phones over NFC-capable devices to complete a transaction.

Renowned Apple hacker Charlie Miller, who works as a principal research consultant at security consulting firm Accuvant, has investigated the security of current NFC implementations and found ways in which the technology could be abused to force some mobile phones to parse files and open Web pages without user approval.

In some cases, attackers can take complete control of the phone through NFC, enabling them to steal photos and contacts, send text messages and make calls. Miller will present his findings in what is probably one of the most anticipated talks at this year's U.S. edition of the conference.

In another mobile security presentation, University of Luxembourg researcher Ralf-Philipp Weinmann will discuss attacks against baseband processors -- the phone microprocessors responsible for communicating with cellular networks.

Last year, Weinmann demonstrated how vulnerabilities in the firmware of baseband processors can be exploited to turn mobile phones into remote spying devices after tricking them into communicating with a rogue GSM base station -- a scaled-down version of a cell phone tower. The base station had been set up using off-the-shelf hardware and open source software.

This year, Weinmann plans to show that rogue base stations are not even necessary to pull off such attacks, because some baseband vulnerabilities can be exploited over IP-based (Internet Protocol) connections.

If some components of the carrier network are configured in a certain way, a large number of smartphones can be attacked simultaneously, Weinmann said in the description of his presentation.

Mobile malware is viewed as a growing threat, particularly on the Android platform. To protect Android users and prevent malicious applications from being uploaded to Google Play, Google created an automated malware scanning service called Bouncer.

At Black Hat, Nicholas Percoco and Sean Schulte, security researchers from Trustwave, will reveal a technique that allowed them to evade Bouncer's detection and keep a malicious app on Google Play for several weeks.

The initial app uploaded to Google Play was benign, but subsequent updates added malicious functionality to it, Percoco said. The end result was an app capable of stealing photos and contacts, forcing phones to visit websites and even launch denial-of-service attacks.

Percoco would not discuss the technique in detail ahead of the Black Hat presentation, but noted that it doesn't require any user interaction. The malicious app is no longer available for download on Google Play and no users were affected during the tests, Percoco said.

Web attacks and vulnerabilities in new Web technologies will also be the subject of several Black Hat presentations this year.

Cybercriminals are increasingly relying on so-called drive-by download attacks to infect computers with malware by exploiting known vulnerabilities in widespread browser plug-ins like Java, Flash Player or Adobe Reader.

Jason Jones, a security researcher with HP DVLabs, Hewlett-Packard's vulnerability research arm, is scheduled to present an analysis of some of the most commonly used Web exploit toolkits, like Blackhole or Phoenix.

Some of the trends observed by Jones in Web exploit toolkit development this year include an increased reliance on Java exploits and faster integration of exploits for new vulnerabilities.

In the past, Web exploit toolkits targeted vulnerabilities for which patches had been available for over six months or even a year. However, their creators are now integrating exploits for vulnerabilities that are a couple of months old or even unpatched by vendors, Jones said.

As far as website defenses go, webmasters use Web application firewalls (WAFs) to detect and block known attack techniques like SQL injection, directory traversal and others.

Ivan Ristic, director of engineering at security vendor Qualys and the original author of the popular ModSecurity Web application firewall, will discuss protocol-level evasion techniques that could allow attackers to bypass WAFs.

Ristic will release a tool containing around 150 tests that can be used to determine if a Web application firewall is vulnerable to the evasion techniques he developed and researched.

Ristic hopes that website administrators will use the tool to test their WAF products and report whatever vulnerabilities they find to vendors. The tool's goal is not to empower attackers, but to spark a more open discussion about protocol-level evasion between WAF vendors, their customers and security researchers, Ristic said.

The security of new Web technologies, like those found in HTML5 -- a standard that empowers developers to build innovative Web apps and services -- will also be discussed at Black Hat, which happens on Wednesday and Thursday.

Shreeraj Shah, founder of application security vendor Blueinfy, will have a presentation about how HTML5 technologies can enable stealth attacks and silent exploits.

In addition, Qualys software engineers Sergey Shekyan and Vaagn Toukharian will discuss possible attacks scenarios with WebSockets, an HTML5 technology that enhances communication capabilities between browsers and Web servers.

One of the biggest problems with WebSockets is that most firewalls and network-layer security systems are not capable of inspecting such traffic at the moment, Shekyan and Toukharian said. This means that information stealing malware can use WebSockets to communicate with its command and control servers without being detected.

In addition to mobile and Web security, Black Hat presentations will also cover security issues and attack techniques affecting industrial control systems, smart meters and embedded devices.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?