SAS Day Two: Kaspersky Showcases Company, Industry Talent

PUNTA CANA – The second day of Kaspersky Lab’s Security Analysts Summit was organized into three tracks, which were great for the conference attendees, but also means this article will necessarily overlook some very important topics and fail to give attention to some very worthy presenters. That said, here are the consumer-oriented highlights:

The day opened with “After Zeus Banking Malware,” a briefing on the future of banking malware by Sergey Golovanov, a malware expert on Kaspersky’s Global Research and Analysis Team. For years, the Zeus trojan has been the gold standard among banking malware. In many respects it remains so. For sure, there have been other threats, but each has paled in comparison to Zeus in terms of longevity and distribution and – ultimately – effectiveness. This, Golovanov claims, may be about to change. Attackers are developing new ways to steal user banking credentials and trojans like Carberp 2.0, Neverquest, Lurk, and Shiz may emerge to dethrone Zeus.

At the very same time in the very next room, Twitter’s Charlie Miller and IOActive’s Chris Valasek presented their well-known car-hacking demonstration. It was – as always – a wonderful briefing, but we’ve covered it here thoroughly. The only really new element to their demo was the suggestion that antivirus-style detection could pick up on anomalies in the network communication between onboard computers. The traffic traveling along these onboard networks is actually very predictable, the researchers said. In fact, in order to make their hacked cars do anything at all, the researchers had to flood them with more data packets than any normal car would send. Thus, picking up on variations from the norm and blocking them could potentially provide a robust defense against car hacking attempts in the future. For more on that you can listen to this brief podcast with Miller and Valasek or read this more thorough article posted by our friends at Threatpost.

Kaspersky Lab’s security experts Fabio Assolini and Santiago Pontiroli briefed their audience on a banking scheme so transcendent that is actually steals money from offline users. The duo explained that one of the most popular ways for business and individuals to pay bills in Brazil is with “Boletos.” These are apparently special invoice documents issued by banks and businesses that are used not only to pay bills but also more broadly to pay for goods and services. With a little hacking and a lot of social engineering, Brazilian cybercriminals are finding ways of mimicking the barcodes and other unique identifiers that tie one Boleto to one individual or bank account. Once they have  these Boletos, which they can simply print, they can then transfer money out of their victim’s accounts and into their own. In reality, this sort of attack – which of course affects on and offline consumers alike – is as similar to centuries-old forgery attacks as it is to any modern, online bank account theft. It’s also similar to tax return scams that crop up this time of year in the United States.

Billy Rios, the director of vulnerability research and threat intelligence at Qualys, demonstrated that he could inject code into and mimic the information output by some of the most iconic airport security systems, essentially spoofing the systems used by the Transportation Security Agency and other airport protectors to detect prohibited items. He described the exploits as embarrassingly simple. We have a full report on this research coming soon, and we will provide a link here just as soon as it is published.

Golovanov then returned to the stage with Kaspersky Lab virus analyst Kirill Kruglov. They gave a demonstration on just how vulnerable cash machines and point-of-sale terminals are to attack. The central problem with these devices, the pair explained, is that beneath the plastic casing and PIN pads are old, out of date, and often un-patched operating systems. The primary culprit is – as always – Windows XP, for which there are an uncountable number of known and exploitable vulnerabilities. Tillman Werner of CrowdStroke took this to the next level in his talk, saying that attackers have turned ATM robbing into a multi-million dollar business with a combination of specially crafted malware and insider knowledge.

Rios returned to the stage as well with his colleague Terry McCorkle. The pair’s presentation, “Owning Buildings for Fun and Profit,” was a nearly perfect microcosm for the entire critical infrastructure (in)security track, demonstrating just exactly how digital vulnerabilities can be exploited to cause real-world damage. More specifically, the Qualys researchers showed that physical building security systems and other endpoint machines can be owned and used to manipulate video surveillance and access control systems (read: door locks) and even to cause damage to industrial equipment.