10 Companies To Be Probed By Hackers At Black Hat 2014

Researchers To Uncover Hidden Technology Dangers

Researchers will demonstrate attacks against a wide variety of systems, from complex industrial control system software to modern, "smart" thermostats, at the 2014 Black Hat Briefings this week. The annual two-day conference will showcase technical research that identifies dangerous software vulnerabilities, complex implementation weaknesses, common misconfigurations that expose sensitive data or could be used by attackers to perform a variety of malicious activities, such as stealing passwords or hijacking accounts on popular cloud services. These 10 companies make products or develop technologies impacted by the new research expected to be released this week.

Google

The breadth of Google's reach extends far beyond its search engine capabilities, which had been exploited at previous Black Hat conferences. Google Glass was released in May for $1,500 following a public debate about privacy concerns over the wearable camera. Researchers from the University of Massachusetts Lowell and the University of Victoria are expected to present analytics capabilities that turn the debate about Google Glass privacy to security. Their Black Hat talk demonstrates how images collected from the camera on Google Glass could be used to identify passcodes. The researchers claim their technique can recognize passcodes from 10 feet away with 90 percent accuracy. Meanwhile, Google Android security also is being heavily scrutinized. Researchers at Bluebox Security will demonstrate a new dangerous flaw called Fake ID, which was disclosed to Google in January. In another presentation, researchers at FireEye will present a targeted attack technique that exploits ad libraries in certain mobile apps from Google Play Store.

Oracle

U.K.-based Researcher David Litchfield has been demonstrating serious vulnerabilities in database management systems for more than a decade and has taken special interest in the security of Oracle database servers. This week, Litchfield plans to expose a weakness in Oracle’s data redaction service, a feature introduced in Oracle 12c that prevents sensitive data from being exposed. Litchfield said the service is vulnerable to a number of attacks, enabling criminals to bypass it and elevate system privileges.

Rackspace Hosting

A Yahoo security expert and researcher will explore the security of OpenStack. The popular open source cloud computing platform founded by Rackspace Hosting and NASA enables organizations, including solution providers, to offer cloud computing resources. Anders Beitnes will present a session on the dangers associated with having a centralized management cluster and how to harden clusters to prevent an attack and take appropriate steps when an attack is detected.

Microsoft

Microsoft software is constantly being scrutinized by security researchers, and at this year’s Black Hat Briefings a security researcher will present a technique to target a Windows 8.1 Kernel weakness. Nikita Tarakanov, an independent security researcher, will give a technical presentation on exploiting a pool allocator process to gain control of a PC, including reading and writing in system memory and hijacking execution flow. In another Black Hat presentation, two researchers will show how Microsoft Active Directory can be targeted by exploiting its implementation of the Kerberos authentication protocol.

Cisco Systems

Weaknesses in Cisco Unified Communications services will be tested in a Black Hat presentation uncovering hacking techniques against implementations that use Cisco’s hosted collaboration suite and VoIP solutions. Fatih Ozavci, a security researcher and senior consultant at Sense of Security, plans to demonstrate the Viproy Penetration Tool, which can be used to conduct VoIP attacks, including eavesdropping on communications, ID spoofing and crashing mobile clients. In another Black Hat presentation, two researchers will release a tool that can attack notebooks and phones that use Cisco EnergyWise and cause them to shut down.

Apple

Researchers from the Georgia Institute of Technology will disclose how the latest version of Apple iOS can be jailbroken by exploiting incomplete patches issued by Apple. The research team said the vulnerabilities can be used to create new attacks and ultimately gain complete root access to the latest iPhone, iPads and iPods. Several new vulnerabilities also will be detailed during their Black Hat presentation this week. In another presentation, Alban Diquet, a researcher at Data Theorem, will present his analysis of a new multipeer connectivity feature in iOS 7 and release a new tool that can identify potential weaknesses in its implementation.

Chevrolet, Ford, General Motors

The automotive industry will be heavily scrutinized in a must-see Black Hat presentation this week, in which two prominent researchers will explore whether certain car manufacturers are more susceptible to remote attack than others. Charlie Miller, a vulnerability expert and security engineer at Twitter, and Christopher Valasek, an embedded systems security expert and director of security intelligence at IOActive, plan to present analysis of data from a large number of manufacturers to determine if automotive network security is improving and predict what future automotive attacks might look like.

Citrix Systems

Citrix Systems and other virtual desktop infrastructure makers will be put to the test when a security researcher demonstrates a malicious application that can scrape data from a client’s screen. The proof-of-concept attack is efficient and works on common VDI platforms, according to Daniel Brodie, a senior researcher at Lacoon Mobile Security. Brodie and Michael Shaulov, co-founder and CEO of Lacoon, say the attack can be automated, rendering many VDI platforms ineffective in providing a secure workspace container.

Amazon Web Services

A security researcher will explore the common misconfigurations and implementation failures often detected in web applications on Amazon Web Services and how attackers can use them to view sensitive data and steal account credentials, or hijack an account and the applications associated with it. Andres Riancho, application security researcher and founder of Bonsai Information Security, will use cloud vulnerabilities to take complete control of an AWS account and release a tool that can uncover account credentials from metadata files and create new users.

Nest Thermostats

The Nest smart thermostat may come under fire when researchers from the University of Central Florida and a senior security researcher at Cimation present a proof-of-concept attack that could bypass the firmware protections built into the Nest device software. This may be another eye-opener for Google, which announced in January that it would acquire Nest in a $3.2 billion deal. Yier Jin, assistant professor at the University of Central Florida; Grant Hernandez, undergraduate security researcher at the University of Central Florida; and Daniel Buentello, senior security researcher at Cimation, will use a USB stick to demonstrate the hacking technique that they said could give remote attackers the ability to monitor user behavior, add rogue services on the local network and do additional damage.