BlackHat USA 2008 – Day 2 Review

Published: August 7th, 2008

Today was the second and final day of the BlackHat USA Briefings. A lot of great content was presented today. Much like yesterday, we’ve included some high-level comments on the various presentations that Tadd and I attended. We will be attending Defcon over the weekend and tying that into one final posting next week. What follows is our summary.

Keynote: Rod Beckstrom, Director of the National Cyber Security Center (NCSC)
Shame. I got up early for this. Perhaps all the US history was lost on me. Rod’s trip through American history did underline something I’ve been saying for a long time: today’s security problems are no different than the security problems 200 years ago. Sure, the technology has changed, but it’s the same game. His view of the economics of security was interesting also. Have you heard of the prisoner’s dilemma? An interesting game, and one with some very interesting implications for cyber diplomacy.

Satan is on my friend list.
Shawn Moyer and Nathan Hamiel demonstrated that in the social networking world, the only thing safe from a rogue MySpace (or other OpenSocial) app is the MySpace server. User accounts are not so fortunate.
As was demonstrated in yesterday’s Gmalware talk, any powerful API can be made to perform mischief.
The technical caveats of social networking sites take a back seat to the “social engineering ++” aspects; this was rather sobering. By creating a false LinkedIn account, the presenters were able to gather email addresses, phone numbers and correspondence (some of which was business related) from more than fifty colleagues, friends and family members of the individual they impersonated. A false Twitter account yielded similar results. Shawn and Nathan will be at SecTor with all new research.

Visual Forensic Analysis and Reverse Engineering of Binary Data
Greg Conti and Erik Dean presented a good find for reverse engineers and forensic investigators: the release and live demonstration of two open-source tools for visual analysis of file structures; more than just another hex editor.

REST for the Wicked
Bryan Sul of the Microsoft Security team looked at why SOAP is not simple, and why REST is righteous.
An analysis of the workings of REST was presented, followed by a good discussion on how to break it and make it do bad things. A good chunk of time was devoted to discussing the threat presented by cross-site referral fraud. A pleasant surprise in this talk was that after covering some of the major weaknesses of REST, Bryan actually walked through a number of ways to defend it from attack.
Worthwhile for web service people who aren’t too keen on SOAP.

How to Impress Girls with Browser Memory Protection Bypasses
Alexander Sotirov and Mark Dowd began their talk with a bang: a live exploit of IE7 on Vista. This was followed by an analysis of the existing memory protection mechanisms in Vista and Server 2008, as well as technical details on how they can be defeated. A solid technical presentation that definitely started off on the right foot. Not sure if it will make women swoon, though.

Taking the Hype Out of HyperVisor
Tal Garfinkel didn’t really present anything brand new here, but he did debunk some common myths and help explain how the number of lines of code in the hypervisor doesn’t really change the attack surface. Good content in his deck and worth another read.

Subverting the Xen Hypervisor
My opinion? This talk was completely over-hyped. This was the “live demonstration of compromising the Xen hypervisor”. A demonstration with root access on an x86 (32-bit) platform is rather uninteresting.

Hacking and Injecting Federal Trojans

Now this was a fascinating talk. I suppose it should be obvious. Essentially, law enforcement is building and deploying malware, purpose-built for the collection of remote forensic evidence. Load a Trojan on the suspect’s computer and then monitor whatever you need to. Capture crypto keys, passwords, emails, and, well, you get the picture. A lot of great stuff in this talk, but I learned something VERY SCARY. Did you know that when your computer does automatic updates, it will run anything? I mean ANYTHING; think malware that is digitally signed. Put an inline proxy into play, or use the current DNS exploit, and you can start distributing your own Windows Updates that people will download and install. Best news? Your antivirus won’t help you. No mainstream antivirus product scans anything coming through on Windows Update, for fear of false positives. What a great way to deliver malware. If you’re thinking “oh, but the person has to sign it” – think about the fact that any cert issued in the last year by OpenSSL is broken and you can sign your malware with someone else’s certificate. The other bad news? The only mainstream web browser that currently checks for certificate revocation is IE7, and that is only when it is run on Vista.

Get Rich or Die Trying – Making Money on the Web, the Black Hat Way
The boys from WhiteHat Security put on a good show with what amounts to a wide variety of theft-of-service attacks. Want products shipped to your house without paying for them? How about making money on the stock market? Big money in ad affiliate payments? All using techniques not entirely illegal. Ethics really do get in the way of making money.

Methods for Understanding Targeted Attacks with Office Documents
Some ridiculous number of machines run current Windows patches but not current Office patches. Simply opening an infected Office document can launch a rootkit or Trojan on your machine, all without you having any indication at all. The document you expect is still presented to you, so you really won’t know you just got ‘0wn3d’. Bruce Dang showed how to analyze these attacks, but the really short version is: stay patched!

Wrap Up
All in all, a very good BlackHat event this year. Content was much more diverse than in past years, so there was always an interesting talk going on no matter what your personal interest was. Tadd and I work for a Microsoft infrastructure consulting services firm (CMS Consulting Inc), so our review of the event covers the talks most relevant to us. But if you were a reverse engineer, application writer or tester, hardware hacker or researcher, there was something going on for you too. There were a number of TASK members in attendance covering those talks, and they will be covered at the TASK event on August 27th. Hope to see you there.

Tadd Axon and Brian Bourne