Old hacks never die, they just attack new systems
As the world becomes increasingly dependent on information technology and digital communications, persistent vulnerabilities — some of which have been known for 50 years — continue to expose the world’s networks and applications to attacks.
“In 2009, the most notable trend is the continued use of existing attack techniques despite the security industry’s awareness of these vulnerabilities,” concluded a Global Security Report that Trustwave released at the Black Hat Federal Briefings in Washington.
Nicholas Percoco, senior vice president of Trustwave’s SpiderLabs, said enterprise administrators are overlooking basic security threats while chasing the newest vulnerabilities. Meanwhile, attackers are taking advantage of the tried-and-true vulnerabilities in addition to the latest zero-day flaws.
Gregory Schaffer, assistant secretary of cybersecurity and communications at the Homeland Security Department, said at the conference that information security should be part of basic enterprise policies, but that message has not yet been heard by top executives.
“We have moved into a space where cybersecurity is central to all business functions,” he said in his keynote address. “But some of the issues we talked about a dozen years ago we are still talking about today. We haven’t made our point to those who don’t do this for a living.”
Security experts from a dozen countries gathered at the conference to immerse themselves in the bits and bytes of the latest research by engineers, analysts and hackers who deconstruct and probe for weak points in software and hardware.
While networks and applications remain vulnerable to old exploits, the latest hardware security devices also will yield their secrets to a determined attacker.
Using an electron microscope to operate at the nanometer scale and Adobe Photoshop to plan his attack, security engineer Christopher Tarnovsky was able to reverse-engineer the family of chips from Infineon Technologies AG, which includes its Trusted Platform Module implementation; gain access to the chip’s data bus; and listen to unencrypted code.
It took him six months of work, and the effort would cost an estimated $200,000 to do commercially, said Tarnovsky, who runs Flylogic Engineering and specializes in analyzing semiconductor security. But in the end, “I can get any piece of information stored on the chip,” he told his Black Hat audience.