BlackHat and DefCon are over, and vendors are breathing sighs of relief (or digging trenches). Let’s look at this week’s top news, according to us.
In the database world, we have two stories (a fail and a win):
– Oracle’s CSO floated a vaguely threatening blog post concerning external researchers searching for bugs in Oracle software. For most software, such testing is a violation of the End User License Agreement (EULA), although well-respected vendors ignore this violation when it comes to security researchers reporting security issues in their software. This is noteworthy because Oracle has made inroads into certain control systems verticals as the database of choice. Oracle quickly removed the post (which may still be read here) and issued a statement that the CSO’s attitude concerning 3rd-party testing is not in line with that of Oracle itself. This is hard to swallow. The opinion of a corporate executive certainly has an effect on how a company acts; otherwise the worker is not truly a ‘Chief’.
– As a foil to Oracle’s failure, OSISoft has released an alert with bug fixes to their PI Historian. Some 56 security issues were identified and fixed in OSISoft software. OSISoft currently leads the ICS space in self-reporting security issues and publicizing its internal security efforts.
A handful of vehicle hacking stories follow the Vegas cons:
– Charlie Miller and Chris Valasek have finalized their whitepaper on their Chrysler UConnect hack. The paper details what remote exploits were discovered against the device, as well as how they loaded their custom firmware onto the vehicle’s Head Unit. It is worth reading for manufacturer internal red teams, as it shows how good ‘street fighter’ hacking works against embedded systems where system documentation is limited.
– At the Usenix Security Symposium, researchers fractured the security of vehicle security systems which use Megamos cryptography. The findings were originally supposed to be published in 2013, but the researchers were prevented from publishing then by a court order. Researchers effectively broke the cryptography to the point that only 200k key guesses needed to be made. From start to finish, they could unlock and drive off with a vehicle in 30 minutes.
– Another Usenix story: Earlier in the week, at WOOT ’15, security researchers from the University of San Diego attacked more insurance dongles. One of the dongles that this team tested had an OS with a much larger attack surface than Progressive’s dongle. Researchers used this to compromise the brakes of a Corvette.
Moving on to network infrastructure, a spooky story comes to us from the world’s largest switch manufacturer:
– Cisco published a security bulletin concerning in-the-wild switch rootkits being deployed on its managed switches. Labs published an article only two months ago on rootkitting a popular industrial ethernet switch. Cisco appears not to digitally sign the firmware for its switches or for their boot loaders, making attacks against this basic network infrastructure possible.