Thoughts on Black Hat USA 2003
- Phil Zimmerman's keynote was a collection of musings on PGP and a soft sales pitch for PGP Corp., which I didn't mind given I like the product.
- Foundstone booth duty kept me from David Litchfield's talk (.pdf), but I didn't miss much. After the audience requested Dave talk about the recent Microsoft DCOM vulnerability, he spent over 30 minutes in silence shifting his talk from the prepared material to an analysis of the DCOM issue.
- Dan Kaminsky of DoxPara fame gave an another "Stack Black Ops" (.pdf) talk. His latest code (tar.gz) includes some really cool features, such as "bandwidth brokering." He demonstrated accessing Windows executables via his apps page, but I couldn't reproduce his technique. Could it be disabled in newer versions of Internet Explorer?
- At the same time as Dan's talk, Gerardo Richarte of Core Security discussed "Modern Intrusion Practices" (.pdf). His automated assessment and penetration techniques threaten the jobs of consultants everywhere!
- The authors of Ettercap, Marco Valleri and Alberto Ornaghi of AntiFork.org, gave a presentation (.pdf) on the use of their software. One of the neater tricks was modifying binaries on the fly as they passed between client and server. They mentioned Secure ARP (.pdf) as a possible mitigating solution.
- Matthew Franz and Sean Convery of Cisco's Critical Infrastructure Assurance Group and authors of An Attack Tree for the Border Gateway Protocol explained "BGP Vulnerability Testing" (.pdf). They were the most professional and informative speakers I saw all week. I found their mention of "fuzzing" using PROTOS and ISIC interesting, although they had Mike Schiffman (now part of Cisco's CIAG) write custom tools to test BGP. Here is Sean's home page, and here is Matt's site. Incidentally, Matt is the current maintainer of Trinux and wrote tattoo, a traffic analysis toolkit. They spoke on the same subject at NANOG 28, where their slides and a Real Video presentation are archived. NANOG is the North American Network Operators' Group, and many presentations from previous meetings are archived. They were not enthusastic about initiatives like Secure BGP or Secure Origin BGP, since most router problems are caused by insecure routers, not BGP!
- The last event on Wednesday was the Hacker Court. It has its own web page now. Like last year's event, it was entertaining and informative, with a real judge presiding (unlike last year) and a real economist whose theories were profiled on Slashdot.org.
Wednesday night I stayed up until 2 am writing a book proposal, but I managed to wake up in time for a conference call on the Center for Internet Security FreeBSD benchmark. After that, I turned back to Black Hat:
- Bruce Schneier of Counterpane gave Thursday's keynote. (His company has received funding of $7 mil in April 2000, $27 mil in May 2000, $24 mil in November 2000, and $20 mil in January 2003, perhaps showing his model of managed monitoring is unprofitable?) Bruce was very interesting, drawing on ideas from his new book Beyond Fear.
- Ofir Arkin of Sys-Security spoke (.pdf) about Xprobe2, deftly criticizing an audience member who defended nmap's fingerprinting techniques.
- FX of Phenoelit shocked everyone with his discoveries (.pdf) of how to remotely sniff Cisco switches offering UDP echo. Awesome. UPDATE: Here is the code to do remote sniffer on Cisco routers running IOS 11.x and offering UDP echo. Second Update: FX mentioned something James Bamford said, for which I found the source: "The NSA hired people from companies such as Cisco Systems, and these are people who built the Internet infrastructure in the first place, and then they go to work for the NSA and lay out the blueprint for how to tap into the Internet. They reverse-engineer, find out how the system works and work out how to use the information."
- Jan K. Rutkowski spoke (.pdf) about detecting Windows 2000 rootkits. I took a lot of notes since his slides didn't say much. Jan wrote this Phrack article on "execution path analysis" for Linux.
- Greg Hoglund of HBGary.com discussed (.pdf) runtime decompilation of binaries, mainly using his company's software. His company supports two open source projects, Restart, and Speedbreak, which haven't released any files yet. He also mentioned VMADump, part of the BProc application, for dumping memory for analysis.