Sunday, February 22, 2009

Black Hat DC 2009 Wrap-Up, Day 1

I taught the first edition of TCP/IP Weapons School 2.0 at Black Hat DC 2009 Training in Arlington, VA last week to 31 students. Thanks to Steve Andres from Special Ops Security and Joe Klein from Command Information for helping as teaching assistants, and to Ping Look and the whole Black Hat staff for making the class successful.

I believe the class went well and I am looking forward to teaching at Black Hat Europe 2009 Training in April. Very soon I will post a sample lab from the class on this blog so you can get a feeling for this class, since it is completely new and totally slide-free.

I hope to blog a little more now that the class is done. I spent the vast majority of my free time over the last three months preparing the new class, even completing the coursework three days before the class, printing the books and burning the DVDs myself. I expect preparations for Amsterdam and eventually Las Vegas to be easier.

After my training I attended Black Hat DC 2009 Briefings. Without doubt, Black Hat is the best security conference I attend. Jeff Moss and company consistently put the best players on the field, year after year. Just as I wrote a Black Hat DC 2008 Wrap-Up, I'd like to do the same for 2009. You can access slide decks, and in some cases, video recordings, of the Briefings here.

  • I started the Briefings with Paul Kurtz, who emphasized 1) increased intelligence community (IC) involvement in our industry; 2) explicit cyber weapon development; and 3) defining authority for a "cyber Katrina." The IC needs to contribute attribution to the cyber picture, similar to its role in counter-terrorism actions. Attribution facilitates deterrence, a topic which I will address independently later. If you object to the "militarization of cyber space," Paul's answer is simple: "Too late."

    The US needs a) a strategy to defeat adversaries with cyber weapons; b) a governance model for command and control; c) treaties with allies; d) more open discussion, unlike the CNCI; and e) hack-back authority to trace attacks technically as an alternative or enhancement to IC attribution techniques or to disable malicious systems.

  • Moxie Marlinspike reiterated his SSL Basic Constraints vulnerability (CVE 2002-0862 of 2002.



    He then outlined ways to degrade SSL encryption by modifying traffic that links to HTTPS sites (via his "sslstrip" tool), along with clever ways to abuse International Domain Names (IDN). Steve Andres advised I configure Firefox using about:config -> network.IDN_show_punycode = true to always cause IDN sites to render in Punycode -- e.g. as http://www.xn--mnchhausen-9db.at/ and not http://www.m√ľnchhausen.at/ . I found it interesting that Moxie tested his SSL techniques by running a Tor exit node. See Dan Kaminsky's post for some good commentary.

  • I watched some of Michael Muckin's talk on Windows Vista Security Internals, but I checked out early to meet some friends for lunch away from the conference.

  • I returned to see Joanna Rutkowska and Rafal Wojtczukl continue to abuse Intel. I found Joanna's comment about the wisdom of addressing vulnerabilities in System Management Mode (SMM) by writing a new SMM Transfer Monitor (STM). If the SMM has vulnerabilities that can be monitored by a STM, what ensures the STM doesn't have vulnerabilities that require monitoring? Details are posted on their Invisible Things blog, including a paper, and not just slides.

    I must really praise them for writing a paper on this subject, using full sentences and paragraphs. After attending The Best Single Day Class Ever last year, I have made a point to congratulate anyone who resists the temptation to consider PowerPoint as a legitimate means of communication, especially as their sole means of communication. The next time you doubt your ability to write a paper instead of a PowerPoint slide, remember that Joanna and Rafal aren't even native English speakers, and they managed to describe their work in a paper!

    Their presentation raised interesting issues regarding engaging security researchers. Invisible Things Lab researches two types of security problems: design flaws and implementation flaws. Intel (and other vendors) provide both. Intel wants ITL to sign a NDA before it will share details of its designs. ITL prefers to not be bound by NDA. Clearly, Intel's latest initiative suffers severe design flaws. By not engaging ITL, Intel has wasted many man-months of research and implementation. Was that worth not engaging ITL because they would not sign the NDA? If Intel is serious about security, they need to work around this legal and intellectual property problem. If they only care about security theater, they can pretend to care about security but bring a flawed product to market.

  • I really enjoyed Michael Sutton's talk on vulnerabilities and exposures of persistent Web browser storage. He outlined issues with the four methods listed in this figure.



    I was interested in hearing how one could perform persistent client-side cross-site scripting by inserting malicious Javascript into a user's cookies. An intruder could perform a similar attack, called client-side SQL injection, against the databases maintained by Gears and HTML 5 implementations.

  • I finished day one by attending Adam Laurie's discussion of satellite hacking. I was most impressed by his application of visualization to the problem of deciding what channels were worth observing.


I'll wrap up day two shortly.


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

3 comments:

Jeffrey said...

Thanks for doing this rundown, Richard. Your recap of Paul Kurtz's session in particular just made my night since he basically recapped our Project Grey Goose focus since last August.

I'm also looking forward to reading more about your innovative TCP/IP Weapons School 2.0 course.

harls said...

Richard,
What is a "cyber Katrina"? My vision is lots of kinetic effects occuring simultaneously. The amount of coordination for that would be incredible, probably easier/cheaper to blow stuff up.
Moderate to wide-spread BGP route spoofing could be just as bad for e-commerce. What's your take?

Anonymous said...

Public CNCI briefing by Boeing

http://www.fairfaxchamber.org/clientuploads/FtBelvoirPresentations/FtBelvoir-Alexander.pdf