BlackHat USA 2011, Day 1

I spent last week in Las Vegas, for BlackHat USA 2011 and DefCon 19 — my annual security conference pilgrimage. Overall impression: the quality of the actual presentations was below-average this year, but it was still an educational experience, a good professional networking event, and probably the most fun I’ve had at DefCon so far.

Since work wouldn’t allow me to book travel until July 1st, I had to stay across the street from BlackHat, at the Flamingo. It’s an okay place, though my room’s wired Internet and one of the lamps were broken, as well as something else unimportant that I have now forgotten. But it’s as close to Caesars as you can get without actually being in Caesars. Next year I’ll book a room in Caesars’ Palace Tower (particularly ideal, since its elevator goes straight to the conference center) six months ahead of time, and just cancel it if work decides not to send me to the conference; the deposit is refundable, so I won’t be out anything.

BlackHat had the usual (for the last few years) dull government keynote speaker for the first day (Ambassador Cofer Black this year, who said “cyber” about 100 times, as only government speakers ever do). I spent a bit of time at a WiFi Penetration Testing Workshop, followed by a very interesting talk on Google Chrome OS. The gist of it is that in Chrome OS, since the browser is the operating system, a cross-site scripting exploit (which is very common and very easy to find) becomes the equivalent of administrative remote code execution on a conventional OS like Windows or MacOS. Because the injected script can call Chrome OS’s APIs, clicking one malicious link can give an attacker full access to all data for all applications on the system. While I don’t use Chrome OS (and, frankly, neither does anyone else), rumors that Windows 8 will support DHTML-based applications (as all of Chrome OS’s apps are) make me hope that the Windows 8 team is considering exploits like this.

Next was Dan Kaminsky’s talk, Black Ops of TCP/IP 2011. While it sure beat last year’s Kaminsky talk (“Hey, let’s talk about DNSSEC! By the way, did I mention I started a new company that makes DNSSEC tools?”), the description was rather misleading: he spent a third of the talk talking about Bitcoin (short-short version: the Bitcoin system does not scale well and, unless used very carefully, is not anonymous), then talked a bit about various sequence-number prediction vulnerabilities (well, sort-of-vulnerabilities), and showed off a tool (“nooter”) that can detect non-neutral networks (i.e. networks, like your ISP, that may be favoring some companies over others for extra cash rather than providing you a straightforward Internet connection). The nooter tool was kind of clever, though, and it really would detect non-neutral ISPs, which is a valuable public service even if, well, not all that interesting.

I missed a talk on femtocells that I’ll have to catch on video, as it sounds interesting. Femtocells are the cell-network extension terminals you can get installed in your house if you have terrible cell reception, but since this amounts to the cell phone company handing you physical control of an extension of their network, they’re apparently eminently hackable. Instead, I went to a talk on post-exploitation forensics with Metasploit. The presenter wrote a Meterpreter module that lets you, the attacker, remotely mount a block device from a compromised victim machine. As a result, you can access the victim’s disk as if it were local, even to the point of running forensic imaging tools like EnCase against it. It’s slow, of course, but this brings to every hacker capabilities that… well, that the FBI and NSA have probably been using on people for several years now.

I skipped the talk on bit-squatting, because I felt the description essentially encapsulated all there was to say about the topic. Due to thermodynamics, cosmic rays and other inescapable physics, computers make single-bit memory errors fairly frequently. If you register a domain that is one bit off from a real domain, then occasionally (very occasionally) a machine whose memory flipped a bit in the stored name will look up your domain instead, even though its user typed the real name perfectly. So if you are running a high-sensitivity business site, you might want to register all the valid 1-bit-off versions of your domain name (those where the flipped character is still a legal hostname character) as well, to keep malicious people from squatting them. It’s just typo-squatting with binary. From talking to people who went to the talk, they pretty much agreed that this could have been a 10-minute talk instead of 75.

Instead, I hit Aerial Cyber-Apocalypse. These people bought a cheap Army target drone, replaced the engine with an electric motor, and added WiFi, GSM, and Bluetooth sniffers to it. The result: a tiny UAV, with GPS-guided autopilot, that can fly autonomously, circle an area, and eavesdrop on all the wireless networks and Bluetooth devices there, as well as hijacking nearby cell phones. Plus you can connect to the UAV via 900MHz radio and launch active attacks over the WiFi. Suddenly wireless networks inside a walled or fenced compound aren’t so safe. Though what this really made me think is “So, less than $2000 will make you a little aircraft, capable of carrying 20-50 pounds, that’s GPS guided and can take off, fly for over an hour, and land on its own on a 40-foot runway without any external control. Why exactly do drug smugglers build manned submarines instead of building these things by the dozen? 20-50 pounds of coke is not insignificant.”

Also during the day, Microsoft announced a $200,000 prize for development of the best new mitigation technology of the year. This is actually kind of neat — companies pay bug bounties all the time, but a prize not for finding something wrong but for finding a way to prevent exploits is new. They’re looking for things like StackGuard, DEP, and ASLR that have really made modern OSs much harder to exploit than older versions (well, except MacOS, which falls over if you blow on it.) On one hand, $200,000 is a lot of money, but on the other hand, you’d think someone who developed something like this would make a lot more money just starting a company to sell it instead of handing it to MS for a prize. Anticipating this, the terms of the contest say that collecting the prize gives MS the non-exclusive right to use the technology if they wish — including building a version of it into Windows if they think it appropriate — but does not sign over the IP to Microsoft. You retain ownership.

The evening’s Pwnie Awards included a well-deserved lifetime achievement award, and some very amusing award categories — all five nominees for “Most Epic Fail” were divisions of Sony, and the award for “Epic 0wnage” had nominees of Anonymous for the HBGary hack, LulzSec for hacking everyone, Bradley Manning, and Stuxnet. “Worst Vendor Response” went quite deservedly to RSA, for essentially losing the keys to the kingdom and then trying to cover it up, resulting in the Chinese breaking into Lockheed Martin.

For the evening, I went to the private Qualys reception at Yellowtail restaurant in the Bellagio and ate some sushi, while chatting with someone visiting from Germany. I then moved over to McAfee’s party atop Chateau at the Paris, where I spent a lot of time talking to security pros, as well as reminiscing about 1990s games with someone in a DOOM shirt (it said “IDDQD” and “IDKFA” on it). Alas, I spent a little too much time there, as by the time I left to head to the WhiteHat Security/Accuvant Labs party (they had The Crystal Method playing) at PURE, the club was full and they weren’t letting anyone else in, even those like me with invitations. So I took a taxi over to the Palms to drop into the Rapid7 party. Rapid7 (owners of the fantastic, indispensable, and free Metasploit tool) threw by far the best BlackHat party I’ve ever been to — normally these are fairly dull events (95% male, mostly standing around trying to talk over the music), but this was an actual party — I mean, people were actually dancing on the dance floor, which is unheard-of for a BlackHat party. Admittedly, part of what made it good was that Moon (the club on top of the Palms) is an incredible space — top of a skyscraper, roof open to the sky, balconies overlooking the Strip and the city on all sides, multiple levels so that there was both a “loud” area and a “quiet” (relatively) area so that both talkers & partiers could have a good time, etc. Still, it was a good time and pretty impressive for a vendor party. And thus ended Day 1.
