BlackHat USA 2008 – Day 1 Review

Welcome to our first Security Insider posting from the BlackHat conference here in Las Vegas. My colleague Tadd Axon and I will be doing our best over the next few days to post some highlights of the conference. For those of you not familiar with the event, BlackHat takes a deep look at emerging threats and security research. If you want a good close look into the future, this is the place to be.

For the purpose of these posts in the next few days, we’ll post some high-level summaries of the talks we attend. This isn’t anything close to a full list of everything that’s going on here, just what we’ve personally attended. For a more complete wrap up of both the BlackHat and Defcon events, be sure to attend this month’s TASK event. At the TASK event, all the various TASK members here in Vegas this week will be sharing highlights in more detail. As always TASK is free, check it out. You will also be able to catch some of these speakers when they come to SecTor this year.

So today represents the first day of the conference, and therefore the day that it’s easiest to wake up early for. Tonight many vendors will host many parties making tomorrow a much more difficult day to focus. Here is what we attended.

Keynote: Complexity in Computer Security

While statistics and metrics are used to calculate risk and exposure, how valid are these numbers?
Ian Angell of the London School of Economics ruthlessly vivisects the myth of objective valuation in risk assessments.
The primary argument is that human interaction with information systems adds additional complexity that cannot always be accurately measured, that the total cost of technology accrues from here to eternity.
He augments the argument with Niklas Luhmann’s “Fallacy of Residual Category” – the whole is exponentially greater than the sum of its parts and that focusing on each component in isolation blinds the observer to the complexity of the system as a whole.
Interesting to be sure, but how to address the issue is something Prof. Angell does not delve into.

Nmap: Scanning the Internet
Fyodor has been scanning millions of random hosts and using the results of this research to optimize Nmap’s performance.
Some of the enhancements that have resulted from this have been:
• Services scan has been pared down to the 1000 (from in excess of 1700) most common ports per protocol found in the wild
• Fast scan now probes the 100 most common ports found in the wild (down from 1300)
Fyodor also offered some advice for how to get the most out of your recon: combining scans in one sweep yields more results at once than running single options. It may take longer, but you will have a better picture of the target.
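The pared-down port lists above come from counting how often each port is found open across a large survey and keeping the most frequent ones. The following is an added illustration of that ranking step, not Nmap’s own code or data: the scan records are constructed inline, and the `coverage` helper (a name chosen here) shows what a trimmed list gives up, which is the trade-off between the 1000-port service scan and the 100-port fast scan.

```python
"""Rank ports by how often they are found open across scan results, the way a
frequency-derived "top ports" list is built. Added example; sample data is
constructed and stands in for real survey output."""
from collections import Counter

# Constructed sample: (host, protocol, port, state). Not real scan data.
SAMPLE_RESULTS = [
    ("10.0.0.1", "tcp", 80, "open"),
    ("10.0.0.1", "tcp", 22, "open"),
    ("10.0.0.1", "tcp", 443, "open"),
    ("10.0.0.2", "tcp", 80, "open"),
    ("10.0.0.2", "tcp", 25, "closed"),
    ("10.0.0.2", "udp", 53, "open"),
    ("10.0.0.3", "tcp", 80, "open"),
    ("10.0.0.3", "tcp", 443, "open"),
    ("10.0.0.3", "tcp", 3389, "open"),
    ("10.0.0.3", "udp", 161, "open"),
    ("10.0.0.4", "tcp", 22, "open"),
    ("10.0.0.4", "tcp", 443, "open"),
    ("10.0.0.4", "udp", 53, "open"),
    ("10.0.0.4", "udp", 123, "open|filtered"),   # ambiguous state, not counted
]


def open_port_frequency(results, protocol):
    """Count, per port, how many distinct hosts had it open for one protocol."""
    seen = set()
    counts = Counter()
    for host, proto, port, state in results:
        if proto != protocol or state != "open":
            continue
        if (host, port) in seen:   # count each host once per port
            continue
        seen.add((host, port))
        counts[port] += 1
    return counts


def top_ports(results, protocol, n):
    """The n most common open ports for a protocol; ties broken by port number."""
    counts = open_port_frequency(results, protocol)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [port for port, _ in ranked[:n]]


def coverage(results, protocol, ports):
    """Fraction of observed (host, open port) pairs a given port list would have
    probed, i.e. how much a trimmed list gives up compared with a full one."""
    counts = open_port_frequency(results, protocol)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    wanted = set(ports)
    hit = sum(c for p, c in counts.items() if p in wanted)
    return hit / total


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        top = top_ports(SAMPLE_RESULTS, proto, 3)
        print(proto, top, f"coverage={coverage(SAMPLE_RESULTS, proto, top):.2f}")
```

On the constructed data the top three TCP ports cover 8 of the 9 observed open ports; the same arithmetic over millions of hosts is what justifies dropping from 1700 ports to 1000, or to 100 for a fast sweep.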

Bad Sushi: Beating Phishers at Their Own Game
If you read the media, phishers are an elite group with increasingly advanced attacks. Nitesh Dhanjani and Billy K Rios quickly debunk this. They started doing some research into how sophisticated phishers really are. Turns out, they don’t even reach the level of a script kiddie. They do have a very broad ecosystem, though, and have some strength in numbers, although it turns out phishers spend a lot of time defrauding other phishers. The really worrisome part of the whole presentation is that because most phishers are so unsophisticated, all the information they phish is easily accessible to many more people.

BlackOps 2008: DNS Goodness
The big talk of the day. Even Wall Street wrote about the DNS vulnerability. Dan shared some of the efforts that went into coordinating the fix and then explained all the various ways it could be used, some of which had not been leaked yet.
Two big points here: systems without reliance on DNS are surpassingly scarce.
No vulnerability exists in isolation: exploiting DNS cache poisoning in conjunction with any number of existing vulnerabilities can lead to fiendishly effective man-in-the-middle attacks and severe “0wnage”. Nothing is safe. Dan even discussed many attacks against SSL.
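The post doesn’t say what the coordinated fix was; the mitigation that shipped for this issue randomizes the resolver’s outbound source port alongside the 16-bit transaction ID, so that a forged answer has far more to guess. The check below is an added example, not anything from the talk or any resolver’s code: it takes (source port, transaction ID) pairs as an operator might pull them from a capture of a resolver’s outbound queries (the two record sets are constructed, one deliberately weak) and reports whether either field looks fixed, low-entropy or sequential.

```python
"""Assess whether a resolver's outbound queries randomize source port and
transaction ID. Added example; the query records are constructed, not captured."""
import math
from collections import Counter

# Constructed records: (src_port, txid) for 64 consecutive outbound queries.
WEAK_RESOLVER = [(53, 0x1A2B + i) for i in range(64)]            # fixed port, txid counts up
GOOD_RESOLVER = [(20000 + (i * 7919) % 40000, (i * 48271) % 65536)  # spread over both fields
                 for i in range(64)]


def sample_entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of the values.
    With n samples the ceiling is log2(n), so judge it relative to sample size."""
    n = len(values)
    if n == 0:
        return 0.0
    counts = Counter(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def sequential_fraction(values):
    """Fraction of consecutive pairs that differ by exactly 1 (a counter, not a PRNG)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess(records, min_ratio=0.8, max_sequential=0.2):
    """Flag fields whose entropy is below min_ratio * log2(n) or whose txids
    step sequentially more than max_sequential of the time."""
    ports = [p for p, _ in records]
    txids = [t for _, t in records]
    ceiling = math.log2(len(records)) if records else 0.0
    port_bits = sample_entropy_bits(ports)
    txid_bits = sample_entropy_bits(txids)
    findings = []
    if port_bits < min_ratio * ceiling:
        findings.append("source port not randomized")
    if txid_bits < min_ratio * ceiling:
        findings.append("transaction ID low entropy")
    if sequential_fraction(txids) > max_sequential:
        findings.append("transaction ID sequential")
    return {"port_bits": round(port_bits, 2),
            "txid_bits": round(txid_bits, 2),
            "findings": findings}


if __name__ == "__main__":
    print("weak:", assess(WEAK_RESOLVER))
    print("good:", assess(GOOD_RESOLVER))
```

Sixty-four samples can only ever show six bits of entropy, so a real assessment wants thousands of queries; the point of the ratio threshold is that the verdict scales with however many you captured. A resolver that passes this check still sits behind a NAT or firewall that may rewrite its source ports, which is worth testing from the outside as well.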

Protocols and Encryption of the Storm Botnet
File under: Know your enemy.
Joe Stewart served up an excellent dissection of the Storm botnet, from an examination of the role of each node in the botnet to an analysis of the communication between nodes at the packet level. Worthwhile for malware hunters and designers.

The Four Horsemen of the Virtualization Security Apocalypse
I had no idea that there was a whole industry selling “Virtual Appliances”. If it’s news to you, then here’s the short scoop – basically a pre-configured OS and some software to route and inspect traffic between virtual machines. While it appears VMware is doing some really cool stuff with VMsafe, it also appears that many vendors are busy selling snake oil to protect your virtual machines. I love snake oil salesmen. Even if you are silly enough to think it improves your security, it turns out that performance sucks incredibly and your high availability solutions get broken.

Xploiting Google Gadgets: GMalware and Beyond
Google’s Gadget APIs offer a great deal of power and functionality to developers; unsurprisingly, this power can be abused – Cross-Site Referral Fraud and XSS possibilities abound.
Properly misused, this framework offers the malicious developer a vector to deliver a botnet client, steal credentials and perform any manner of mischief.
When stacked with the DNS cache poisoning exploits in the wild, a malicious gadget could become hellishly effective.
What I am left wondering after this presentation is how similar frameworks *cough* Facebook Apps *cough* may be vulnerable to the same types of abuse.

Malware Detection through Network Flow Analysis
Anyone that’s seen Bruce Potter speak knows how easily he ends up ranting on unrelated tangents. We tolerate it because he’s amusing, relevant and damn well absolutely right. Rants aside, it turns out the Shmoo Group is back disturbing the peace with a new tool release called Psyche that allows you to collect and analyze NetFlow data in a useful and relevant way that should compete with expensive tools. Only, like all Shmoo releases, this will be free. You’ll be surprised how much you can learn about your network and what’s happening on it with NetFlow data (which your routers probably already support, or for which you can add an open-source sensor). In other news, ShmooCon 2009 dates were announced. The good news? I won’t have to explain to my wife why I have to spend Valentine’s Day with a bunch of hackers instead of her. (Hard enough to explain why I spend my wedding anniversary at BlackHat.)
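To make the “what you can learn from NetFlow” point concrete, here is an added example of one malware-detection pass over flow records; it is not Psyche and not any Shmoo code. It assumes flow records reduced to (start time, source, destination, destination port, bytes), which is the core of what a NetFlow exporter gives you, and looks for the classic beacon signature: many small flows from one host to one destination at a suspiciously regular interval. The flow records are constructed inline; the thresholds are starting points to tune against your own baseline.

```python
"""Flag hosts whose outbound flows look like malware beaconing in NetFlow-style
records. Added example; the flows below are constructed, not real traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_time_s, src, dst, dst_port, bytes).
FLOWS = (
    # host A: a small flow to the same external host every 300 seconds
    [(t * 300, "192.168.1.10", "203.0.113.5", 8080, 412) for t in range(12)]
    # host A also browses normally: bigger, less regular flows
    + [(t * 137 + 5, "192.168.1.10", "198.51.100.20", 443, 24000 + t * 1000) for t in range(6)]
    # host B: irregular timing, several destinations, varied sizes
    + [(t * t * 41 + 3, "192.168.1.11", f"198.51.100.{t % 4}", 443, 9000 + t * 700) for t in range(10)]
)


def bytes_per_source(flows):
    """Total bytes sent by each internal source: the simplest top-talkers view."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def beacon_candidates(flows, min_count=8, max_cv=0.1, max_bytes=2000):
    """Group flows by (src, dst, dst_port). A group is a beacon candidate when it
    has at least min_count flows, the inter-arrival times have a coefficient of
    variation (stdev / mean) no greater than max_cv, and the flows are small."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))

    hits = []
    for (src, dst, port), recs in groups.items():
        if len(recs) < min_count:
            continue
        recs.sort()                                   # order by start time
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        avg_gap = mean(gaps)
        if avg_gap == 0:
            continue                                  # bursts, not a timer
        cv = pstdev(gaps) / avg_gap
        avg_bytes = mean([n for _, n in recs])
        if cv <= max_cv and avg_bytes <= max_bytes:
            hits.append({"src": src, "dst": dst, "port": port,
                         "flows": len(recs), "interval_s": round(avg_gap),
                         "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    print(bytes_per_source(FLOWS))
    for hit in beacon_candidates(FLOWS):
        print("beacon candidate:", hit)
```

The regular 300-second timer is what gives host A away; its ordinary browsing to port 443 is too few flows and too large to match, and host B’s traffic never lines up on one destination at a steady cadence. Real exports add jitter and gaps (sampling, collector restarts), so in practice you would widen `max_cv` and watch the candidates over days rather than a single window.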

Til Day 2,
Tadd Axon & Brian Bourne
