Sunday, February 22, 2009

Black Hat DC 2009 Wrap-Up, Day 2

This is a follow-up to Black Hat DC 2009 Wrap-Up, Day 1.

  • I started day two with Dan Kaminsky. I really enjoyed his talk. I am not sure how much of it was presented last year, since I missed his presentation in Las Vegas. However, I found his comparison of DNS vs SSL infrastructures illuminating. The root name servers are stable, dependable, centrally coordinated, and guaranteed to be around in ten years. We know what root name servers to trust, and we can add new hosts to our domains without requesting permission from a central authority. Contrast that with certificate authorities. They have problems, cannot all be trusted, and come and go as their owning companies change. We do not always know what CAs to trust, but we must continuously consult them whenever we change infrastructure.

    Dan asked "are we blaming business people when really our engineering is poor?" I thought that was a really interesting question. Imagine that instead of being a security engineer, you're a housing engineer. Which of the following display poor engineering?



    It should be clear that you can't answer that question just by looking at the product of the engineering process. You have to consider a variety of constraints, external factors, and so on. The fact that so much of the Internet is broken says nothing about engineering, because engineering is seldom done for engineering's sake: engineering always serves another master, often a business mission.

  • After Dan I saw Prajakta Jagdale explain problems with applications code in Flash. I should not have been surprised to see Flash .swf files containing hardcoded usernames and passwords. Didn't we talk about this 10 years ago for generic Web pages? Show me any new feature-rich programming environment and you can probably find the same generic design and implementation flaws of a decade ago.

  • I watched some of Paul Wouters' talk on defending DNS, but the poor guy was really sick and the talk was boring. I had to leave early for a work call anyway.

  • Earl Zmijewski from Renesys gave one of my two favorite talks of the conference. He explained how to detect BGP Man-in-the-Middle attacks, described in this Renesys blog post. Earl's investigative method was impressive, and the majority of his talk involved describing how he developed a methodology to identify potential BGP MITM attacks. One clue appears in the diagram below, where it is unusual for a low-level player like Pilosoft to appear to be carrying traffic between two bigger players.



    Earl emphasized that routing is based on trust. There is really no way to validate that routes received via BGP are legitimate. (Note: With 270,000 routes in the global BGP tables, there are 45,000 updates per minute on a slow day. On Monday when AS 47868 decided to torpedo the Internet, updates arrived at 4 million per minute.) Individual BGP-speaking routers don't really need to know entire paths to route; paths are really used to drop routes via loop detection. (Path lengths are used to select routes, however.)

    The key to identifying BGP MITM is to realize that although the vast majority of the Internet will be fooled by an artificial route during a BGP MITM attack, a legitimate path must be maintained in order for the attacker to get intercepted traffic to its ultimate intended destination. By comparing routes seen across the Internet for a victim AS with routes seen by the legitimate path, one can identify BGP MITM attacks. You can look for other hints, like violations of the valley property shown below.



    I recommend reading the blog post and linked slides for more information.

  • David Litchfield's talk on Oracle forensics was interesting. Oracle is like a file system unto itself, so you can bring the same mindset to analyzing the variety of files Oracle uses during operation. This evidence is present by default.

  • I concluded the Briefings with Peter Silberman from Mandiant. His blog post describes his talk, which involved converting Snort signatures into strings for searching memory on victim systems. This technique can be used to discover remnants of attacks in system memory, or evidence of malware still resident in memory. His implementation relies on XPath if one wishes to write new signatures, and I am not familiar with that system now.
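
As an added example (not code from the original post, the talk, or Renesys), here is a minimal audit for the valley property mentioned in the BGP MITM item above: a normal AS path climbs through providers, crosses at most one peering link, then descends through customers. It assumes the business relationships between ASes are already known; the ASNs are from the documentation range and the relationship table and paths are constructed.

```python
# Added illustration: valley-free audit of BGP AS paths. All data is constructed.
# ASNs come from the documentation range (RFC 5398); the relationships are invented.
# (a, b): "c2p" = a is a customer of b, "p2p" = a and b are settlement-free peers.
RELATIONSHIPS = {
    (64500, 64510): "c2p",  # small network buys transit from large provider A
    (64500, 64511): "c2p",  # ... and from large provider B
    (64510, 64511): "p2p",  # the two large providers peer
    (64501, 64510): "c2p",  # origin network, customer of A
    (64502, 64511): "c2p",  # observer's network, customer of B
}

def link_type(a, b):
    """Classify hop a -> b as 'up' (to a provider), 'down', 'peer', or None if unknown."""
    if RELATIONSHIPS.get((a, b)) == "c2p":
        return "up"
    if RELATIONSHIPS.get((b, a)) == "c2p":
        return "down"
    if "p2p" in (RELATIONSHIPS.get((a, b)), RELATIONSHIPS.get((b, a))):
        return "peer"
    return None

def audit_path(as_path):
    """Return (asn, finding) pairs for hops that break the up*, peer?, down* pattern.

    The pattern is symmetric, so the path may be read in either direction.
    """
    # Collapse AS-path prepending (an AS repeated back to back) before classifying hops.
    path = [asn for i, asn in enumerate(as_path) if i == 0 or asn != as_path[i - 1]]
    findings, past_peak = [], False
    for a, b in zip(path, path[1:]):
        kind = link_type(a, b)
        if kind is None:
            findings.append((a, "unknown-link"))  # cannot judge without relationship data
        elif kind == "down":
            past_peak = True
        elif past_peak:
            # Climbing or peering again after the peak: AS `a` sits in a valley,
            # i.e. it appears to carry traffic between two of its providers or peers.
            findings.append((a, "valley"))
        elif kind == "peer":
            past_peak = True
    return findings

NORMAL = [64502, 64511, 64510, 64510, 64501]   # up, peer, down (with prepending)
SUSPECT = [64502, 64511, 64500, 64510, 64501]  # up, down, up, down

if __name__ == "__main__":
    for name, path in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, path, audit_path(path))
```

A valley finding is a hint to investigate, not proof of interception; misconfigured route leaks produce the same shape.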


Overall I found the talks very informative and balanced across a variety of issues, from the CPU level all the way up to BGP.

Looking ahead, the Black Hat Europe 2009 speakers list looks much different, and I hope to be able to see at least some of the talks after I teach there.


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.