Friday, August 03, 2007

Black Hat USA 2007 Round-Up Part 1

I'm waiting in the airport for my flight home after spending 6 days in Las Vegas at Black Hat USA 2007. I last attended in 2003. Put simply I was blown away by the quality of the majority of the talks I saw. I'll summarize the talks and my response.

I spent four days teaching TCP/IP Weapons School in two two-day sessions, to a total of 116 students. I think both classes were well-received. The students were some of the sharper ones I've had in class, which is what I hoped for and expected. The first day of teaching I was lucky enough to share lunch with some of my students and Joanna Rutkowska. We discussed covert channels and related difficult detection problems.

The following are thoughts on the first day of briefings. I spent the majority of the day in the application security track.

  • I sat in Richard Clarke's keynote. He emphasized how what he called "visualization exercises" help decision makers envisage digital risk. I described this phenomenon last year in Analog Security Is Threat-Centric and Disaster Stories Help Envisage Risks. Mr. Clarke explained how human-machine interfaces are the next security frontier and how DoD's Net-Centric Warfare (see Thoughts from IATF Meeting) depends on the vast number of IP addresses available in IPv6. Unfortunately Mr. Clarke has fallen for the myth that IPv6 will bring greater security and "prioritization," which means we must have it. I debunked these misconceptions held by many executives in Chinese IPv6 in CIO. It struck me that Mr. Clarke mentioned that executives view spending on security as a "cost center" but spending on breach recovery is a "loss center." I wonder where we've heard that before?

  • David Byrne delivered an exceptional talk on the security consequences of anti-DNS pinning. The purpose of his attack is to use Web clients as a conduit for attacking intranet hosts. He demo'd conducting a remote Nessus scan and Metasploit attack of intranet hosts via a "tunnel" of HTTP POSTs and replies passed through a Web browser. David's talk showed that DNS resolutions which result in an Internet hostname resolving first to an Internet host and next to an intranet host can be used as a detection mechanism. A Web server vulnerable to XSS is required, and the presence of Java or other rich content vehicles on the host only exacerbates the problem by providing additional attack vectors.
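The detection idea David mentioned, a public hostname whose answers flip from an Internet address to an intranet address, can be checked from resolver logs. The following is an added example of that check, not code from the talk; the log line format, the hostnames and all addresses in it are constructed for the example, and only IPv4 answers are considered.

```javascript
// Added example, not from the talk: flag DNS rebinding (anti-DNS pinning) by
// noticing a hostname that first resolved to a public address and later, for
// the same client, to a private one. Log format and addresses are constructed.
const PRIVATE_RANGES = [
  ["10.0.0.0", 8],      // RFC 1918
  ["172.16.0.0", 12],   // RFC 1918
  ["192.168.0.0", 16],  // RFC 1918
  ["127.0.0.0", 8],     // loopback
  ["169.254.0.0", 16],  // link-local
];

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`not an IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when the address falls inside any of the ranges above.
function isPrivate(ip) {
  const addr = ipToInt(ip);
  return PRIVATE_RANGES.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
  });
}

// One constructed log line: "<timestamp> client=<ip> qname=<name> answer=<ip>"
function parseLine(line) {
  const m = line.match(/^(\S+)\s+client=(\S+)\s+qname=(\S+)\s+answer=(\S+)$/);
  if (!m) return null;
  return { ts: m[1], client: m[2], qname: m[3].toLowerCase(), answer: m[4] };
}

// Walk the log in order, remembering the last public answer each client saw
// for each name; a later private answer for the same pair is a rebinding alert.
function detectRebinding(lines) {
  const lastPublic = new Map();
  const alerts = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;                                            // malformed line: skip it
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(rec.answer)) continue;     // IPv6 or CNAME answers: out of scope here
    const key = `${rec.client}|${rec.qname}`;
    if (isPrivate(rec.answer)) {
      const prev = lastPublic.get(key);
      if (prev) alerts.push({ ...rec, previousAnswer: prev });
    } else {
      lastPublic.set(key, rec.answer);
    }
  }
  return alerts;
}

const SAMPLE_LOG = [ // constructed
  "2007-08-01T10:00:01 client=192.168.1.20 qname=intranet.corp.example answer=192.168.1.10",
  "2007-08-01T10:00:02 client=192.168.1.20 qname=www.example.net answer=203.0.113.5",
  "2007-08-01T10:00:03 client=192.168.1.20 qname=www.example.net answer=203.0.113.5",
  "2007-08-01T10:00:04 client=192.168.1.20 qname=rebind.example.org answer=198.51.100.7",
  "this line is garbage and should be skipped",
  "2007-08-01T10:00:09 client=192.168.1.20 qname=rebind.example.org answer=192.168.1.10",
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(detectRebinding(SAMPLE_LOG));
}
```

Only the pair that went public-then-private raises an alert; a name that was private from the start (the intranet host) and a name that stays public do not. Split-horizon DNS and VPN clients can legitimately produce the same flip, so in practice the alert is a lead to investigate rather than a verdict.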

  • Jeremiah Grossman and Robert Hansen continued to pile on Web application attacks. They showed a variety of ways to exploit Web clients and internet hosts without Javascript. Robert (aka Rsnake of ha.ckers.org) said that everyone who links to his site from the intranet Web pages and uses his files for penetration tests leaks data on their company to him.

  • I only saw the last half of Brad Hill's talk because I had lunch with several ex-Foundstoners, but the part I saw was impressive. Brad explained how to exploit XML digital signatures, such as running arbitrary executables (like cmd.exe) from within a signature!

  • Bryan Sullivan and Billy Hoffman rocked, showing how their demo site www.hackervacations.com exemplified the many vulnerabilities in Ajax Web sites. They really made me understand the problem with Ajax: most, if not all in some cases, of Ajax applications are executing on the client. Previously, attacking Web applications centered on providing malicious input to influence the execution of the Web app. Now, attacking Ajax Web applications means malicious clients manipulate every aspect of the program, including variables, order of execution, and control of the server. They showed how to "DoS a plane" by reserving all seats on a flight booking system, and keeping all seats filled by sending an HTTP message every 30 seconds. They showed how to buy a plane seat for $1, or buy all seats for nothing. They accessed hidden administrative functions by directly talking to the remote Web service and dumping the entire database (with zero knowledge of the remote database) with two commands. This emphasized that testing inputs through the Web applications is completely insufficient; all the Web services must now be similarly assessed.
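The seat-reservation and $1-ticket findings come down to one design rule: when the application runs on the client, nothing the client sends about price, quantity or timing can be trusted. The following added example (not code from the talk or from the hackervacations.com demo site) writes a seat-hold and purchase flow twice for a hypothetical booking service, once trusting the Ajax client and once recomputing every decision on the server. The flight, its price, the hold lifetime and the per-client limit are constructed values.

```javascript
// Added example, not from the talk: a trusting and a hardened version of the
// same seat-hold / purchase logic. All flight data, prices and limits are constructed.
const HOLD_TTL_MS = 10 * 60 * 1000;  // a hold lives 10 minutes from creation, however often the client pings
const MAX_SEATS_PER_CLIENT = 2;

function makeState() {
  return { flights: { BH101: { seats: 4, price: 450 } }, holds: [], nextHoldId: 1 };
}

/* ---- Trusting version: every control lives in the client's script ---- */
function holdUnsafe(state, req, now) {
  const f = state.flights[req.flightId];
  f.seats -= req.seats;                                    // no bounds check, no per-client limit
  const id = state.nextHoldId++;
  state.holds.push({ id, flightId: req.flightId, seats: req.seats, client: req.client, expires: now + HOLD_TTL_MS });
  return { ok: true, holdId: id };
}
function keepaliveUnsafe(state, holdId, now) {
  const h = state.holds.find((x) => x.id === holdId);
  if (h) h.expires = now + HOLD_TTL_MS;                    // a periodic ping keeps the hold alive forever
  return !!h;
}
function purchaseUnsafe(state, req) {
  return { ok: true, charged: req.price * req.seats };    // the price comes from the client
}

/* ---- Hardened version: the server owns price, counts, limits and expiry ---- */
function releaseExpired(state, now) {
  const live = [];
  for (const h of state.holds) {
    if (h.expires <= now) state.flights[h.flightId].seats += h.seats;  // seats return to inventory
    else live.push(h);
  }
  state.holds = live;
}
function holdSafe(state, req, now) {
  releaseExpired(state, now);
  const f = state.flights[req.flightId];
  if (!f) return { ok: false, reason: "no such flight" };
  if (!Number.isInteger(req.seats) || req.seats < 1) return { ok: false, reason: "invalid seat count" };
  const alreadyHeld = state.holds.filter((h) => h.client === req.client).reduce((n, h) => n + h.seats, 0);
  if (alreadyHeld + req.seats > MAX_SEATS_PER_CLIENT) return { ok: false, reason: "per-client hold limit" };
  if (f.seats < req.seats) return { ok: false, reason: "not enough seats" };
  f.seats -= req.seats;
  const id = state.nextHoldId++;
  state.holds.push({ id, flightId: req.flightId, seats: req.seats, client: req.client, expires: now + HOLD_TTL_MS });
  return { ok: true, holdId: id, expires: now + HOLD_TTL_MS };
}
function keepaliveSafe(state, holdId, now) {
  // Deliberately does not extend the hold; it only reports the time remaining.
  const h = state.holds.find((x) => x.id === holdId);
  return h ? Math.max(0, h.expires - now) : 0;
}
function purchaseSafe(state, req, now) {
  releaseExpired(state, now);
  const h = state.holds.find((x) => x.id === req.holdId && x.client === req.client);
  if (!h) return { ok: false, reason: "no live hold for this client" };
  const charged = state.flights[h.flightId].price * h.seats;  // catalogue price; req.price is ignored
  state.holds = state.holds.filter((x) => x !== h);
  return { ok: true, charged };
}

// Replays the "DoS a plane" and "$1 seat" scenarios against both versions.
function scenario() {
  const u = makeState();
  holdUnsafe(u, { flightId: "BH101", seats: 4, client: "attacker" }, 0);
  keepaliveUnsafe(u, 1, HOLD_TTL_MS + 1);
  const unsafeSeatsLeft = u.flights.BH101.seats;                             // 0, and it stays 0
  const unsafeCharge = purchaseUnsafe(u, { price: 1, seats: 4 }).charged;     // 4 dollars for 4 seats

  const s = makeState();
  const grab = holdSafe(s, { flightId: "BH101", seats: 4, client: "attacker" }, 0);      // rejected: limit
  const h1 = holdSafe(s, { flightId: "BH101", seats: 2, client: "attacker" }, 0);        // accepted
  const h2 = holdSafe(s, { flightId: "BH101", seats: 2, client: "attacker" }, 1000);     // rejected: limit
  keepaliveSafe(s, h1.holdId, HOLD_TTL_MS - 1);                                          // ping changes nothing
  releaseExpired(s, HOLD_TTL_MS);                                                        // hold expires anyway
  const safeSeatsAfterExpiry = s.flights.BH101.seats;                                    // back to 4
  const h3 = holdSafe(s, { flightId: "BH101", seats: 2, client: "buyer" }, HOLD_TTL_MS + 1);
  const purchase = purchaseSafe(s, { holdId: h3.holdId, client: "buyer", price: 1 }, HOLD_TTL_MS + 2);
  return { unsafeSeatsLeft, unsafeCharge, grabRejected: !grab.ok, limitRejected: !h2.ok,
           safeSeatsAfterExpiry, safeCharge: purchase.charged };
}
```

The hardened version never reads a price, a seat total or a deadline from the request; it looks them up or recomputes them from server-side state, which is the same discipline that has to be applied to every Web service the Ajax front end can reach, not just the pages a human sees.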

  • Ben Feinstein and Daniel Peck showed a way to crawl and de-obfuscate malicious Javascript. They mentioned an integrity attack whereby malicious eBay sellers used XSS to provide fake positive seller ratings to unsuspecting buyers. They showed how their Caffeine Monkey tool profiles Javascript, providing a fingerprint of current malicious Javascript compared to nonmalicious Javascript. For example, string and object instantiations are very common in malicious Javascript but rare in nonmalicious Javascript. This is essentially the same detection problem we've been wrestling with for years, and it shows that intruders could begin to write their Javascript to resemble normal versions.
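To make the profiling idea concrete, here is an added example (not Caffeine Monkey's code, which instrumented the interpreter; this is a static approximation) that counts the kinds of constructs the talk singled out, string building and object instantiation, plus a few decode-and-execute patterns, and scores a script against a threshold. The feature list, weights, threshold and both sample scripts are my own constructed assumptions.

```javascript
// Added example, not from the talk: a static, regex-based profile of a script
// built on the observation that malicious JavaScript leans on string building
// and object instantiation. Features, weights and samples are constructed.
const FEATURES = {
  stringLiterals: /(["'])(?:\\.|(?!\1)[^\\\n])*\1/g,
  fromCharCode: /\bfromCharCode\b/g,
  unescape: /\bunescape\s*\(/g,
  evalLike: /\b(eval|Function|setTimeout|setInterval)\s*\(/g,
  newObjects: /\bnew\s+[A-Za-z_$][\w$]*/g,
  documentWrite: /\bdocument\.write(?:ln)?\s*\(/g,
};

// Count each feature and note the longest string literal (obfuscated payloads
// often arrive as one large literal) and the script length for densities.
function profileScript(src) {
  const counts = {};
  for (const [name, re] of Object.entries(FEATURES)) {
    counts[name] = (src.match(re) || []).length;
  }
  const literals = src.match(FEATURES.stringLiterals) || [];
  const longestLiteral = Math.max(0, ...literals.map((s) => s.length - 2));
  return { ...counts, longestLiteral, chars: src.length };
}

// Heuristic weights (constructed): decoding helpers, decode-then-execute,
// writing executed content into the page, huge literals, and dense instantiation.
function scoreProfile(p) {
  const per100 = p.chars > 0 ? p.chars / 100 : 1;
  let score = 0;
  if (p.fromCharCode + p.unescape > 0) score += 2;
  if (p.evalLike > 0 && p.fromCharCode + p.unescape > 0) score += 2;
  if (p.documentWrite > 0 && p.evalLike > 0) score += 1;
  if (p.longestLiteral > 200) score += 2;
  if (p.newObjects / per100 > 1) score += 1;       // more than one "new" per 100 characters
  if (p.stringLiterals / per100 > 2.5) score += 1; // more than 2.5 string literals per 100 characters
  return score;
}

const SUSPICIOUS_THRESHOLD = 4;

function classify(src) {
  const score = scoreProfile(profileScript(src));
  return { score, suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Constructed samples: an ordinary form validator, and a script that assembles
// its code from character codes and escapes before executing it.
const BENIGN_SAMPLE = `function validate(form) {
  var re = new RegExp("^[a-z0-9._%+-]+@[a-z0-9.-]+[.][a-z]{2,}$", "i");
  if (!re.test(form.email.value)) { alert("Please enter a valid e-mail address."); return false; }
  return true;
}`;
const SUSPICIOUS_SAMPLE = `var s = String.fromCharCode(97,108,101,114,116) + "(" + unescape("%27ok%27") + ")";
var o = new Object(); eval(s); document.write("<b>" + s + "</b>");`;
```

Calling `classify(SUSPICIOUS_SAMPLE)` scores well above the threshold while `classify(BENIGN_SAMPLE)` scores zero. The weakness is the one the post names: a script that assembles its strings with ordinary concatenation and avoids the decode helpers looks like the validator to this scorer, so a fingerprint of "current" malicious Javascript has to be re-derived as the intruders adapt.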

  • I ended the day in Hacker Court, where the "Crimson Knight" was tried for cheating the "Masters of Mayhem" online game. As usual Hacker Court was great, especially because Jennifer Granick moved from her traditional role as defense counsel to the new role of prosecutor. She lost her case, but I spoke with her briefly and learned the experience gave her a chance to think like the other side in front of an audience in a simulated trial.


My overall impression from the first day of briefings can be summarized in this manner.

  • Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, "properly configured," not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.

  • Detecting current attacks in "real time" is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by "rich Internet applications" and frameworks. I realized that the "rich" in "RIA" refers to the money intruders will make by exploiting Web clients.

  • The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it's time to face the truth. There is no way to get "ahead of the threat" here.


I realize I've painted a very bleak picture. In my next post (time to board the plane) I will summarize day 2 of the Black Hat Briefings. In the post after that I will provide some defensive strategies and concluding thoughts.

9 comments:

Anonymous said...

Thank you. Sounds very interesting and productive. I'm looking forward to the next post.

Rob said...

Surely the idea of Black Hat and DefCon is to make sure that we know enough to try and stay ahead of the hackers. Just because a few people are smart enough to find these vulnerabilities, just as the average web developer isn't tooled up to defend, the average hacker isn't savvy enough to attack like this either.
Mind you, that's being hopeful, and we can't rely on hope. Security should be about awareness, so speak on...

Anonymous said...

(anon2)

If the idea of BH and DefCon is to spread awareness, why don't they put the talks on the web like eg. Shmoocon and C3?
It's 2007 for heavens sake.

Anonymous said...

To anon2: Maybe if you bothered to use Google you'd easily find a copy of the whitepapers/presentations?

Zamankhan said...

your blog is nice
