Black Hat Here’s a quick summary of some important infosec happenings from inside and outside the Black Hat USA conference in Las Vegas on Thursday.
Apple embiggens bug-bounty program
Apple’s security engineering boss Ivan Krstić told Black Hat attendees that Cupertino is expanding its bug-bounty program in various ways. For instance, it will now cover macOS, WatchOS, and Apple TV, whereas previously it was only interested in coughing up cash for details of iOS vulnerabilities.
All researchers can now in theory, take part, too, rather than a select elite few. And the maximum payout for an exploit chain that can achieve a total and automatic iPhone takeover – no user interaction required, kernel-level, and persistent, and requiring just a victim’s cellphone number – will be upped to $1m from $200,000. There’s also $500,000 awaiting you if you can pwn an iPhone over the network without any user interaction.
Developer-mode iPhones that grant access to the firmware and operating system, to make finding low-level holes easier, will be given to selected infosec gurus to probe. There will also be a 50 per cent bonus on bounties for bugs reported in pre-release software before it is unleashed on the public.
Check Point continues beef with WhatsApp
Around this time last year, Check Point revealed it was possible to slyly manipulate messages in private and group WhatsApp conversations. At the time, the chat app’s maker Facebook didn’t think it was too big a deal, and it still doesn’t: according to Check Point’s reps at Black Hat this Thursday, the weaknesses remain largely unfixed.
A miscreant could send a private message to a group chat participant that, confusingly, appeared as a public message was addressed by WhatsApp, we’re told. However, Check Point claimed this week it “found that it is still possible to manipulate quoted messages and spread misinformation from what appear to be trusted sources.”
Basically, it’s possible to tamper with quoted messages in replies, which could trick people into thinking the quoted person sent a text they didn’t actually send.
Facebook’s having none of it, though. In a statement to the media, the antisocial network said: “It is false to suggest there is a vulnerability with the security we provide on WhatsApp.
“The scenario described here is merely the mobile equivalent of altering replies in an email thread to make it look like something a person didn’t write.”
Windows process injection research
Eggheads at infosec biz SafeBreach claim they have unearthed at least 20 ways miscreants on a computer can inject malicious code into legit processes on Windows to further compromise the box. That’s up from the six or seven methods most white and black hats seem to be aware of for Microsoft’s operating system.
These so-called process injection attacks are useful for commandeering privileged applications, and transforming them into powerful malware that can snoop on users and steal data. It’s also a neat way to evade antivirus tools because the victim process is typically trusted and is not expected to turn rogue.
“It allows the malware to establish a long-term presence in the target machine while reducing the likelihood of getting detected or quarantined,” is how Amit Klein, veep of security research at SafeBreach, put it to The Register. He spoke to us ahead of his talk with Itzik Kotler at this week’s Black Hat conference in Las Vegas. The pair are due to give the same talk at DEF CON in Sin City on Friday.
“If the malware can move to an Office or system or mail process, any process that is benign, that is well-known or signed, then the malware stands a much better chance of propagating,” Klein continued.
The hope is that, by understanding and documenting how different process injection attacks work – the techniques were gleaned from all sorts of sources, including proof-of-concept code – antivirus makers will be better able to spot process injection as it happens, while developers will be better able to harden applications and take measures to keep malware from altering their processes.