OPM wins Pwnie, Google on Android security, DoJ on CFAA: Black Hat 2015 roundup

Black Hat USA is finishing up in Las Vegas. News from its 18th year includes nuclear nightmares, Department of Justice on computer crime and research, Google on the state of Android security and much more.
Written by Violet Blue, Contributor

LAS VEGAS - Black Hat USA is finishing its 18th year, after six crowded days of trainings, over 100 briefings, and a bustling Expo Hall featuring America's biggest names in information security meeting and greeting over 10,000 attendees.

News from the conference provides a snapshot of domestic infosec business risks, threats and trends -- and while the conference isn't over just yet, there's plenty to read and learn about.

Don't miss our bite-sized photo gallery, which will give you a taste of the atmosphere here at the Mandalay Bay Conference Center, in Las Vegas: Black Hat USA 2015: Bigger than ever, but still hiring.

Dream of Internet freedom dying, Black Hat keynoter says: Director of Civil Liberties at the Stanford Center for Internet and Society tells crowd to push for equality, decentralization, end-to-end encryption to revive promise of global network.

Nuclear nightmare: Industrial control switches need fixing, now: Researchers at Black Hat USA have disclosed critical SCADA/ICS vulnerabilities in switches actively used in industrial control management systems, such as substations, factories, refineries, ports, and other areas of industrial automation.

OPM Wins Pwnie for Most Epic Fail at Black Hat Awards Show: The annual Pwnie Awards at the Black Hat USA conference here celebrate the best security vulnerabilities found by researchers and also ridicule the worst security responses. One of the many categories at the Pwnie Awards is for the Most Epic Fail, with this year's nominees including the Ashley Madison and U.S. Office of Personnel Management (OPM) hacks. OPM came away with this year's Most Epic Fail award, as the hack of its systems resulted in 25.7 million Americans being at risk.

DOJ official draws line between cyber crime, legitimate research: The Computer Fraud and Abuse Act is a pain point for many in the cybersecurity industry, particularly ethical hackers testing systems for research purposes. During a talk at Black Hat 2015, Leonard Bailey, special counsel for national security at the Department of Justice's Computer Crime and Intellectual Property Section, said the government does not want to discourage legitimate research and Justice is working to avoid what Bailey called "a chilling effect" that such prosecutions can have. Justice prosecuted 194 CFAA cases in 2014, a minor fraction of the more than 56,000 total cases filed last year, Bailey pointed out. Even so, he asserted the department's commitment to ensuring the law isn't abused and outlined the kind of activities that are obviously research-oriented and those that will have investigators knocking at your door.

Security experts detail Jeep hacking at Black Hat conference: With both Wi-Fi and cellular access vulnerabilities in the 2014 Jeep Cherokee's internal computer system, hacking the car and changing everything from its radio volume to speed could be done in a matter of seconds, speakers at this week's Black Hat conference in Las Vegas said.

Black Hat 2015: IoT devices can become transmitters to steal data: It's possible to get a printer and other inexpensive network and Internet of Things devices to transmit radio signals that are detectable far enough away that they could be used to steal data from compromised networks, a researcher tells the Black Hat 2015 conference.

Nothing magical about nation-state malware: "Nation-state weapons really are not special or magical - they're just developed in private," researcher Joshua Pitts said while addressing the crowd at Black Hat 2015 in Las Vegas. Pitts offered a demonstration of how he was able to manipulate the OnionDuke malware - attributed to Russian-sponsored groups - to create a new exploit with a much lower detection rate by traditional anti-virus software.

Malwarebytes Labs: Flash Zero-Day Weaponized in Record Time: New research at Black Hat 2015 from Malwarebytes Labs shows that after Hacking Team, an Italian security company specializing in offensive technology, was compromised, their trove of zero days was leaked to the Internet, including several for Adobe's Flash Player. The speed with which attackers are weaponizing zero-day vulnerabilities in the wild has been essentially cut in half.

FireEye: Hackers can remotely steal fingerprints from Android phones: FireEye outlined how hackers can allegedly attack your smartphone to steal your fingerprint on a "large scale" -- without anybody noticing.

Google Doubles Down on Android Security at Black Hat: Adrian Ludwig, who runs Android security for Google, delivered an Android Security State of the Union speech at the Black Hat USA conference. In the front row, watching intently as Ludwig spoke, was Joshua Drake, the Zimperium security researcher who last week disclosed the Stagefright vulnerability that impacts 950 million Android phones. Stagefright was a recurring theme throughout Ludwig's session, as he gave credit to Drake for responsible disclosure while still reassuring the Android faithful that security is improving for Android.

Black Hat 2015: Honeypots gather data on gas pump monitoring system attacks: Intrigued by an uptick of interest in supervisory control and data acquisition (SCADA) systems, two senior researchers with Trend Micro set up several honeypots to collect data on attacks against gas pump monitoring systems. For their research, Wilhoit and Hilt created a honeypot - dubbed Gaspot - and deployed it in the U.S., Brazil, U.K., Jordan, Germany, UAE and Russia. The duo said they were spurred to investigate after identifying an attack against the Guardian AST Monitoring System, which is deployed at gas stations to monitor the volume, temperature, water content and more of underground tanks.

Dell SecureWorks: 2FA key to defence against cyber espionage groups: Abuse of credentials and watering-hole attacks are main tactics used by cyber espionage group TG-3390 or Emissary Panda, research reveals. Two-factor authentication (2FA) for all remote access services is key to defending against industrial and government cyber espionage groups, according to Dell SecureWorks.

Microsoft raises the bar for its Bug Bounty programs: Microsoft has revised its Bug Bounty schemes with improved rewards, bonuses and the addition of new valid programs.
