TrendLabs Security Intelligence Blog

Author Archive - Rainer Link (Senior Threat Researcher)




Black Hat Europe is a series of highly technical security conferences that gathers professionals, researchers, and leaders of the infosec industry. Below are some of my thoughts about the interesting talks I attended, which include a compelling talk by Trend Micro threat researcher Kyle Wilhoit about ICS/SCADA.

Day 1

My colleague Kyle and I joined the first session of the full-day vehicle networks workshop. Robert Leale of www.canbushack.com gave a nice introduction to the controller area network (CAN) bus and other bus systems, in which he gave basic information on the types of networks found in modern vehicles. I then went to the talk “Let’s Play – Applanting” by Ajit Hatti, co-founder of the “null - Open security community”, where he described an attack that silently installs an app on a user’s device (this has already been fixed by Google). As it turns out, a lot of people in India use their smartphones for online banking.

“XML out-of-band data retrieval” by Alexey Osipov and Timur Yunusov, which I attended later, showed how to retrieve data from an internal machine and network using several web applications.

Because I own a Huawei USB UMTS/4G stick, I went to the talk “Huawei – From China with Love” by Nikita Tarakanov and Oleg Kupreev. From the discussion, I gathered that the software (available for Windows and Mac) seems to be a mess, security-wise.

In one of the better talks of the day, Tobias Jeske presented the results of his research on floating car data from smartphones, based on Google Navigation and Waze. For his research he reverse engineered the protocols with a MitM proxy and source code, and later explained to us the several possible attacks that can be launched.

Day 2

The first talk of the day was “The Sandbox Roulette”, which we can summarize as: “for an application sandbox (Sandboxie, Chrome, Adobe X) the weakest link is the Windows kernel; a hypervisor sandbox is more secure than an application sandbox.”

Posted in Bad Sites



A new wave of spammed emails with malicious attachments can be seen on the Internet. An email that promises cigarettes at very low prices comes with a password-protected archive that contains TROJ_YABE.BJ.

Usually a password on an archive ensures that the recipient gets exactly what the sender sent and that nobody else can access it. In this case everybody receives the same password, so all of that security is gone. But it might trick users into believing the attachment is safe: this kind of social engineering bypasses security by faking security. A practical side effect is that an encrypted archive also prevents a gateway scanner from looking inside it, which is another reason attackers like this trick.

The email is sent in the name of “Zigaretten GmbH” and the subject line, among others, is “Rauchen ist jetzt billiger ab 1 Euro” (“Smoking is now cheaper, from 1 Euro”). The text simply lies when it says something like: “your personal archive password is: angebot”.

If you run a security solution like IMSS, we suggest temporarily blocking mails whose From display name is “Zigaretten GmbH” and whose attachment is named, for example, “Angebot.rar”, “Ausverkauf.rar” or “Preis.rar”. As usual, don’t open attachments from untrusted sources or sources you simply don’t know.

Posted in Bad Sites



A new WORM_NUWAR.CQ variant (filename: postcard.exe, 50,648 bytes) has been spreading since last night. This worm has been detected since CPR 4.250.01. Once again, fake bills with the subject “KD Webshop Bestellung” (“KD web shop order”) are being seeded. Attached is the file “rechnung.exe” (“invoice.exe”, 8,522 bytes), which IntelliTrap detects as PAK_Generic.001; detection will be available in the upcoming CPR as TROJ_YABE.BK. Fake “1&1” bills are being seeded, too; their attachment is named “rechnung.zip.exe” (7,016 bytes) and will be detected as TROJ_YABE.BL. Note the double extension: on a Windows system that hides known file extensions, “rechnung.zip.exe” is displayed as “rechnung.zip”, so any blocking rule should look at the real final extension rather than at what the user sees. As usual, don’t click on .exe files, and if possible block .exe files in general on your email server or gateway.

Posted in Bad Sites



Since the late afternoon of 31/01, fake emails that appear to come from the BKA (Germany’s Federal Criminal Police Office) have been spammed within Germany. The subject of these emails is “Ermittlungsverfahren Nr. [number]” (“investigation proceedings no. [number]”), where [number] is a random number. The attachment is an EXE file (e.g. 2981956.exe), which is detected as TROJ_DLOADER.KHZ. This trojan downloads another piece of malware, which is detected as TSPY_BZUB.GK. If you receive such an email, just delete it. As general advice for a corporate environment, please block all .exe and .com files if possible. The BKA has issued a press release on this issue. If you suspect your computer is already infected, you’re welcome to use our free online scanner HouseCall.
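The gateway rules recommended in this post and in the two posts above (blocking the “Zigaretten GmbH” mails with the known .rar attachment names, blocking .exe/.com attachments including the double-extension “rechnung.zip.exe”, and blocking the fake BKA subject line) expressed as a small Python mail filter. This is an added example, not code from the original posts and not an IMSS configuration. The rule names, sender addresses and sample messages are constructed for the demonstration, and the attachment bytes are dummy data, not malware.

```python
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Rules taken from the three posts. These constants are illustrative, not a real gateway policy.
BLOCKED_DISPLAY_NAMES = {"zigaretten gmbh"}
BLOCKED_ATTACHMENT_NAMES = {"angebot.rar", "ausverkauf.rar", "preis.rar"}
BLOCKED_EXTENSIONS = (".exe", ".com")
# "Ermittlungsverfahren Nr. [number]" where [number] is random
BLOCKED_SUBJECTS = [re.compile(r"^Ermittlungsverfahren Nr\.\s*\d+\s*$", re.IGNORECASE)]


def attachment_names(msg):
    """Return every attachment filename in the message, walking nested MIME parts."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def is_blocked_executable(filename):
    """True for .exe/.com, judged on the real final extension.

    This is what catches the double-extension trick ("rechnung.zip.exe"),
    which Explorer shows as "rechnung.zip" when known extensions are hidden.
    """
    return filename.lower().rstrip().endswith(BLOCKED_EXTENSIONS)


def classify(raw_message):
    """Return the names of the rules that fire for a raw RFC 5322 message (bytes).

    An empty list means the message may be delivered.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    display_name, _addr = email.utils.parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    names = attachment_names(msg)
    fired = []

    # Rule 1 (cigarette spam): display name AND one of the known archive names, as the post suggests.
    if display_name.strip().lower() in BLOCKED_DISPLAY_NAMES and any(
        n.lower() in BLOCKED_ATTACHMENT_NAMES for n in names
    ):
        fired.append("zigaretten-gmbh-rar")

    # Rule 2 (NUWAR / YABE bills): executable attachments in general.
    if any(is_blocked_executable(n) for n in names):
        fired.append("executable-attachment")

    # Rule 3 (fake BKA mails): the "Ermittlungsverfahren Nr. <number>" subject.
    if any(p.match(subject) for p in BLOCKED_SUBJECTS):
        fired.append("bka-subject")

    return fired


def build_sample(from_header, subject, attachment_name, body="Bitte beachten Sie den Anhang."):
    """Build a small multipart message for testing (constructed sample, not captured spam)."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    # Dummy payload: an MZ header followed by zeros, not a real executable.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 12, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "cigarettes": build_sample('"Zigaretten GmbH" <info@example.invalid>',
                                   "Rauchen ist jetzt billiger ab 1 Euro", "Angebot.rar"),
        "webshop": build_sample("shop@example.invalid", "KD Webshop Bestellung", "rechnung.exe"),
        "1und1": build_sample("rechnung@example.invalid", "Ihre Rechnung", "rechnung.zip.exe"),
        "bka": build_sample("poststelle@example.invalid",
                            "Ermittlungsverfahren Nr. 2981956", "2981956.exe"),
        "clean": build_sample("colleague@example.invalid", "Meeting notes", "notes.pdf"),
    }
    for label, raw in samples.items():
        print(f"{label:10s} -> {classify(raw) or ['deliver']}")
```

The display-name rule is deliberately tied to the attachment-name rule, as the first post suggests, so a legitimate sender who happens to use that name is not blocked on the name alone. The extension rule ignores everything but the true final extension, so it treats “rechnung.zip.exe” the same as “rechnung.exe” regardless of what the user’s file browser displays.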

Posted in Bad Sites


Sep 27, 11:32 am (UTC-7)

A new Yahoo phishing site has been spotted at http://www.geocities.com/myphotos30021. It spoofs the Yahoo! Photos site, although it is hosted on a GeoCities user page rather than at the real service’s address.

[Snapshot of the spoofed Yahoo! Photos site]

The site has already been submitted to the Web Blocking Team.

Posted in Bad Sites



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice