Monday, March 17, 2008

Black Hat DC 2008 Wrap-Up

Better late than never, I suppose. I taught TCP/IP Weapons School at Black Hat DC 2008 last month, and I also attended two days of briefings (many available in the archives).

The briefings began with Jerry Dixon from Team Cymru, which appears to now offer commercial services related to large scale Internet monitoring and infrastructure issues. Jerry noted several problems hampering security efforts, including lack of a dedicated security operations team (CIRT) and lack of network cognizance. I really like the idea of "cognizance," since one word is always better than the two word version -- "situational awareness." Jerry thought the Federal government's plan to reduce network gateways and monitor traffic at those points made sense.

The image at right is a small snapshot of Team Cymru's Internet Malicious Activity Map. I think visualizations like this are interesting. I was glad to see my class A dark.

Special Agent Andy Fried from the US Treasury Department spoke about his work countering attacks against his agency. He explained that it's impossible to stop everyone, so you have to rely on "aggressive identification and shutdown" of compromised systems.

Chuck Willis from MANDIANT discussed using Cross-Site Request Forgery to create "false evidence" on a person's computer. He said CSRF is usually a problem for server admins, not people browsing the Web. The idea is to force clients to silently visit incriminating Web sites, thereby adding entries to their browser history, Web cache, and so on. As a simple example he showed (live) how to add a movie to someone's Netflix basket without their involvement. Chuck described how various encoding methods (decimal, dword, hex, octal) can obfuscate URLs, thereby frustrating simple forensic analysis. Including unguessable parameters when designing Web apps is one way to counter CSRF.
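An analyst reviewing browser history or cache entries has to see through the host encodings Chuck mentioned before a URL can be matched against known-bad lists. The following normalizer is an added example written for this post, not Chuck's or MANDIANT's code; it applies legacy inet_aton rules (decimal, 0x hex, leading-zero octal, and dword or fewer-than-four-part forms) to the host of a URL and also drops a decoy userinfo part, with the sample URLs below constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

_PART = re.compile(r"0x[0-9a-f]+|[0-9]+", re.I)

def _parse_part(s: str) -> int:
    """Decode one numeric label: 0x... is hex, a leading zero means octal, else decimal."""
    s = s.lower()
    if s.startswith("0x"):
        return int(s[2:], 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)
    return int(s, 10)

def normalize_host(host: str) -> Optional[str]:
    """Return the dotted-quad form of an obfuscated IPv4 host, or None if the host
    is a name or not a valid numeric address."""
    parts = host.split(".")
    if len(parts) > 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:          # e.g. "08" is not valid octal
        return None
    # inet_aton semantics: all but the last label are single bytes; the last
    # label fills whatever bytes remain (so "192.168.257" is 192.168.1.1).
    if any(v > 255 for v in vals[:-1]):
        return None
    last_bytes = 5 - len(vals)
    if vals[-1] >= 1 << (8 * last_bytes):
        return None
    addr = 0
    for v in vals[:-1]:
        addr = (addr << 8) | v
    addr = (addr << (8 * last_bytes)) | vals[-1]
    return ".".join(str((addr >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def normalize_url(url: str) -> str:
    """Rewrite the URL with a canonical host; a decoy 'user@' prefix is discarded
    since the real destination is what follows the '@'."""
    parts = urlsplit(url)
    canon = normalize_host(parts.hostname) if parts.hostname else None
    if canon is None:
        return url
    netloc = canon + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))

if __name__ == "__main__":
    # Constructed sample history entries, all pointing at 192.168.1.1
    for u in ("http://3232235777/", "http://0xC0.0xA8.0x1.0x1/", "http://0300.0250.01.01/",
              "http://www.example.com@0xC0A80101:8080/login?x=1"):
        print(u, "->", normalize_url(u))
```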

Oliver Friedrichs from Symantec previewed some material from his upcoming book Crimeware, some of which is described in this post.

Nitesh Dhanjani and Billy Rios presented how they exposed many phishers as relative newbies who are open about their activities and obvious when you know where to look ("fullz", vip-dumps, etc.). I'd like to mention that I love Nitesh's statement in Social Engineering Social Networking Services: A LinkedIn Example:

The job of information security is to make it harder for people to do wrong things.

Nathan McFeters and Rob Carter talked about protocol handler issues in URI handlers, or URIs that link to applications like "aim://". They showed how URIs can be accessed via XSS and many of them suffer buffer overflow vulnerabilities.

I missed Tiller Beauchamp discussing Re-Tracer, or using DTrace for reverse engineering. At the same time Chris Tarnovsky from Flylogic Engineering was destroying "security devices" like USB tokens and related "secure chip" technologies. He showed how most vendors' security claims are completely bogus. I was astounded by what he could do with several thousand dollars of used equipment, stepping through single instructions on a chip and dumping memory. Brian Chess and Jacob West explained how to instrument code using dynamic taint propagation.

The presentation on Cisco router forensics by Felix Lindner (FX) was awesome -- probably my favorite talk. He discussed TCL backdoors, patched IOS images on the Web, enabled lawful intercept hidden from router admins, and other cool IOS tricks. Most interesting was his description of configuring routers to "write core" and uploading the resulting file to an FTP server for router integrity analysis. His company provides a free service to analyze router dumps. I hope he commercializes it so I can add it to my operations.

David Dagon from Georgia Tech and Chris Davis from Damballa talked about botnets. They described using IP IDs (hello TCP/IP Weapons School) to estimate botnet size. They referenced the 15th Annual Network & Distributed System Security Symposium Proceedings for related work.

Sinan Eren from Immunity described how his team conducts "information operations," which is not DoD IO but systematic, stealthy, long-term compromise for red teaming purposes. His methodology in the case at hand was as follows:

  1. Attack the anti-virus/spam filter on the target company's mail transfer agent.

  2. Hook the AV to grab copies of all email. (Feeling good about that AV scanner now? Hey, it's defense in depth! Add more, you're secure! Not only does it not work 2/3 of the time, it's an avenue to be compromised! Argh.)

  3. Analyze email to understand the target.

  4. Inject forged email into ongoing thread between target and customer. Include malicious attachment.

  5. From target's computer, exploit DNS MSRPC vulnerability in target's PDC.

  6. Grab hashes, exploit other hosts. Find files of interest.

  7. Identify special network segmented from current network but accessed via USB drive.

  8. Modify USBDumper to acquire files when drive is moved from first network to special network.

  9. All interesting data transferred via Immunity's "PINK" C&C channel.
PINK is a proxy-aware, HTTP-based C&C channel that reads and writes to blog sites after conducting Google searches for highly specific text. The bot and master communicate via blog posts and comments. PINK was installed as an Explorer shell extension, which doesn't require admin privileges.

Sinan concluded by recommending we invest in human capital, not security products. Agreed!
