News briefs: The latest from Black Hat and DefCon, Verizon and more
The late Barnaby Jack presents at Black Hat 2010.
»The security community, along with the family and friends of renowned researcher Barnaby Jack, was stunned to learn of the 35-year-old's death only a week before he was set to give a highly anticipated talk on hacking pacemakers at last month's Black Hat conference. Jack was well known for his cutting-edge research and previous Black Hat demos, such as his 2010 hack of two ATMs.
»The security industry gathered in Las Vegas last month for two major hacker conferences, Black Hat and DefCon. Researchers presented a slew of noteworthy exploits, including ones that allowed them to hack cars, insulin pumps, phone SIM cards, Samsung SmartTVs and iPhones (the last via malicious chargers). During a keynote address, Gen. Keith Alexander, director of the National Security Agency, defended the federal government's mass surveillance and bulk data collection programs that were brought to light by whistleblower Edward Snowden. The government presence was met with some disdain at this year's DefCon, where organizers asked the feds not to attend for the first time in the conference's two-decade history.
»A subgroup of the U.S. Department of Homeland Security warned companies that the energy sector has increasingly been targeted by brute-force attacks. According to a newsletter from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), attackers using some 50 IP addresses attempted to log in to the process control networks of natural gas companies. In most other cases, attackers used watering-hole attacks, SQL injection or spear phishing to get in. In June, Tom Cochran, chief technology officer of Atlantic Media, demonstrated how vulnerable employees are to phishing ruses. After sending a faux phishing email to all 450 addresses in the company directory, he found that roughly 120 employees clicked the spurious link, and about 120 more opened the email without clicking the link.
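The ICS-CERT item above describes a brute-force campaign spread across roughly 50 source addresses, which is exactly the pattern a per-IP failed-login threshold misses. The following is an added example, not code from ICS-CERT or the article: it parses constructed sshd-style log lines from a hypothetical VPN gateway in front of a control network (the hostname, format, thresholds and documentation-range IPs are all assumptions) and flags both the classic single-source brute force and the distributed "many IPs, one account" variant.

```python
"""Flag brute-force login activity in authentication logs.

Added example (not from the ICS-CERT newsletter or the article): the log
format, hostname, thresholds and sample lines are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from a hypothetical VPN host ("vpn1") in
# front of a process control network. Source IPs are documentation ranges.
SAMPLE_LOG = """\
2013-06-02T01:00:01Z vpn1 sshd: Failed password for operator from 203.0.113.10
2013-06-02T01:00:03Z vpn1 sshd: Failed password for operator from 203.0.113.11
2013-06-02T01:00:04Z vpn1 sshd: Failed password for operator from 203.0.113.12
2013-06-02T01:00:06Z vpn1 sshd: Failed password for operator from 203.0.113.13
2013-06-02T01:00:07Z vpn1 sshd: Failed password for operator from 203.0.113.14
2013-06-02T01:00:09Z vpn1 sshd: Failed password for admin from 203.0.113.10
2013-06-02T01:00:10Z vpn1 sshd: Failed password for admin from 203.0.113.11
2013-06-02T01:00:12Z vpn1 sshd: Accepted password for operator from 198.51.100.7
2013-06-02T01:00:15Z vpn1 sshd: Failed password for admin from 203.0.113.12
2013-06-02T01:00:16Z vpn1 sshd: Failed password for admin from 203.0.113.13
2013-06-02T01:00:18Z vpn1 sshd: Failed password for admin from 203.0.113.14
2013-06-02T02:30:00Z vpn1 sshd: Failed password for jsmith from 198.51.100.7
2013-06-02T02:30:02Z vpn1 sshd: Accepted password for jsmith from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, window=timedelta(minutes=10),
                      per_ip_threshold=5, distributed_threshold=4):
    """Return (noisy_ips, sprayed_users).

    noisy_ips: sources with >= per_ip_threshold failures inside `window`
        (the classic single-source brute force).
    sprayed_users: accounts that saw failures from >= distributed_threshold
        distinct sources inside `window` (the many-IP pattern that per-source
        lockouts and rate limits do not catch).
    """
    failures = sorted((ts, user, ip) for ts, res, user, ip in parse(log_text)
                      if res == "Failed")
    noisy_ips, sprayed_users = set(), set()
    for i, (start, _, _) in enumerate(failures):
        # Sliding window anchored at failure i; failures are time-sorted.
        in_win = [f for f in failures[i:] if f[0] - start <= window]
        per_ip = defaultdict(int)
        ips_per_user = defaultdict(set)
        for _, user, ip in in_win:
            per_ip[ip] += 1
            ips_per_user[user].add(ip)
        noisy_ips.update(ip for ip, n in per_ip.items()
                         if n >= per_ip_threshold)
        sprayed_users.update(u for u, srcs in ips_per_user.items()
                             if len(srcs) >= distributed_threshold)
    return noisy_ips, sprayed_users


if __name__ == "__main__":
    noisy, sprayed = detect_bruteforce(SAMPLE_LOG)
    print("noisy source IPs:", sorted(noisy))          # none at 5 failures/IP
    print("accounts under distributed attack:", sorted(sprayed))  # admin, operator
```

On the sample data no single source crosses the per-IP threshold (each makes two attempts), so a per-source block list stays empty, while the per-account view shows two accounts being hit from five sources in under twenty seconds. Counting distinct sources per target, not just attempts per source, is the check that surfaces the pattern ICS-CERT described.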
»Verizon and BlackBerry were called out for major vulnerabilities affecting their mobile users. Two researchers at iSEC Partners found a way to rig the Verizon Wireless Network Extender, a miniature cell tower also called a femtocell, to intercept the traffic of Verizon phones that connected to it. Meanwhile, Risk Based Security notified federal authorities that BlackBerry (formerly Research in Motion, or RIM) had yet to address a purported security flaw under which the company receives users' email credentials in cleartext. According to Risk Based Security, the data is sent to BlackBerry's Canadian servers without users' knowledge when they set up a POP or IMAP account in the standard BlackBerry 10 email client, whose Discovery Service feature handles account configuration.
»Researchers discovered difficult-to-remove ransomware aimed at Apple Safari users rather than the Windows users who are usually the targets of such scams. Security firm Malwarebytes found that the Mac OS X variant could effectively hold a victim's computer hostage until they paid a fee to unlock it. Victims are further pressured to pay because the hijacked browser displays a message claiming to come from the FBI and accusing them of illegal activity. In an ironic twist, a 21-year-old Virginia man, Jay Riley, fell for a similar scam and turned himself in to law enforcement for possessing child pornography.
Photo of Barnaby Jack courtesy of Black Hat USA