SCCyberworld

Wednesday, October 12, 2011

WORMS, ANDROID VULNERABILITIES AND CYBER DEFENSE METHODS AT HITBSecConf2011KUL

12 October 2011, Kuala Lumpur – Over 1000 Security professionals, technical decision makers and IT buffs from around the region were treated to a buffet of ground-breaking security updates, defense methods and latest vulnerabilities from 37 international speakers at the Hack In The Box Security Conference 2011 today. These new exploits affect the spectrum of enterprises and end users alike.

“HITBSecConf’s main focus is on new and ground-breaking attack and defense methods that have not been seen or discussed in public before - common network, software and device security flaws and fixes in today’s highly connected world,” said Dhillon Andrew Kannabhiran, Founder/Chief Executive Officer, Hack in The Box.

Hack in the Box Security Conference (HITBSecConf), Asia’s largest and most popular network security conference, is in its ninth consecutive year in Malaysia. It has routinely brought together some of the world’s most well-recognized mainstream and underground (blackhat) security specialists for hands-on technical trainings and research presentations.

Hacking Android For Profit
Riley Hassell, Founder, Privateer Labs, wowed the crowd in his Hacking Androids for Profit presentation as he divulged the inner workings of Android apps and the risks millions of mobile users face when installing and using apps from the marketplace.

“Writing mobile applications has become a cinch, with tons of books and internet sites offering helpful guides and advice. However, the security validation process for applications to be put up on marketplaces is sorely lacking - which has led to a rising number of vulnerabilities and threats unbeknown to the user,” Hassell said.

Hassell discussed the threats to Android users as well as countermeasures they can take to protect themselves from these ever-evolving threats. He provided recommendations for each of these threats that even the most basic Android user can follow to greatly reduce their chances of becoming a victim of attack.

He cited that “app phishing”, which allows a hacker to intercept the usernames and passwords supplied to popular apps, is expected to become increasingly popular in the coming months on the back of the ubiquity of Android phones. For example, Hassell demonstrated an app that masqueraded as Skype to gain access to a user's Skype account.

Hassell and his colleagues at Privateer Labs discovered vulnerabilities in Android Operating System (OS) components which allow hackers to disable anti-virus applications. In some cases the same vulnerabilities may even be used to compromise the anti-virus apps themselves.

He also identified new classes of vulnerabilities that, while seen on other platforms, are new to Android. These include SQL injection, XML injection, and package namespace squatting. Hassell also discussed new issues specific to Android that allow hackers to target the web interfaces of popular apps.

To wrap up his presentation he discussed how Google account linking and SSL MITM risks can be leveraged by an attacker to install Android apps on remote victim phones. Hassell proved that compromising a single Google service is at times all an attacker needs to push an attacker supplied app to the service account owner's Android phone.

SAPocalypse: Rise of a new worm
Alexander Polyakov, Chief Technology Officer at ERPScan revealed a new worm created in their research lab recently in St Petersburg, Russia. It is designed to spread using a critical authentication bypass vulnerability in the SAP NetWeaver J2EE Engine. The SAPocalypse worm poses a high severity impact to enterprise customers.

“Many SAP clients still don’t understand that even one technical vulnerability which is overlooked or unpatched can have a dire impact on their company,” Polyakov said. There are more than 1500 SAP Notes released to date detailing vulnerabilities in SAP products.

The worm, when released, is able to detect vulnerable SAP servers and then exploit them using a vulnerability in the J2EE engine. It then uploads a payload into the server via the internet. As the server is usually connected through trusted links to other servers hosted internally, the worm's payload can obtain credentials for those trusted connections and connect itself to the internal linked servers to download critical information, including financial, human resources, material management, inventory and other such data. It can also harvest information about linked connections from the internal server and use it to spread to further servers. And if there are no linked connections, the worm uses default usernames and passwords in its attempt to connect to other systems.

“Once lodged into the server, the worm is hard to detect and can sit idle for years even if the vulnerability is patched. All the attacker needs to do is send a command to all servers for getting any kind of critical corporate data he needs, whenever he needs it. The hacker can also overwrite bank account numbers and manipulate money transfers,” he continued.

Governments and citizens be aware
Dr. Kenneth Geers, the U.S. Naval Criminal Investigative Service (NCIS) Cyber Subject Matter Expert compared and contrasted the national security implications of Wikileaks – the new pen, and Stuxnet – the new sword. Geers also expounded on Cyberwar defense strategies using a model to ascertain the recommended approaches – both technical and operational – to preserve a country’s border against attack.

Meanwhile, Jennifer Granick, Attorney at ZwillGen, and Richard Thieme, Founder of ThiemeWorks, are also expected to address national privacy and security concerns in their respective keynotes.

HackWEEKDAY, Malaysia’s first weekday hackathon, drew the interest of 30 high-profile developers. Results of the 24-hour hackathon, which kicked off at 13:37 (GMT+8) today, will be announced 24 hours later. “The developers are working on open source security tools including the Xandora.net Project, Dilligence, Maltego and Mozilla Firefox plugins and the competition is intense,” said Kannabhiran.

HITB2011KUL also featured an all-new Capture The Flag - Weapons of Mass Destruction game, an updated Lock Picking Village with a focus on impressioning, and a new Hackerspaces ‘Playground’ for those looking to get into hardware and electronics hacking. “The playground will feature LEGO robotics, microcontrollers, LEDs, lasers, RFID toys, hardware sniffing and other cool technologies,” said Kannabhiran.
