I spent four days teaching TCP/IP Weapons School in two two-day sessions, to a total of 116 students. I think both classes were well-received. The students were some of the sharper ones I've had in class, which is what I hoped for and expected. On the first day of teaching I was lucky enough to share lunch with some of my students and Joanna Rutkowska. We discussed covert channels and the related difficult detection problems.
The following are thoughts on the first day of briefings. I spent the majority of the day in the application security track.
- I sat in Richard Clarke's keynote. He emphasized how what he called "visualization exercises" help decision makers envisage digital risk. I described this phenomenon last year in Analog Security Is Threat-Centric and Disaster Stories Help Envisage Risks. Mr. Clarke explained how human-machine interfaces are the next security frontier and how DoD's Net-Centric Warfare (see Thoughts from IATF Meeting) depends on the vast number of IP addresses available in IPv6. Unfortunately Mr. Clarke has fallen for the myth that IPv6 will bring greater security and "prioritization," which means we must have it. I debunked these misconceptions held by many executives in Chinese IPv6 in CIO. It struck me that Mr. Clarke mentioned that executives view spending on security as a "cost center" but spending on breach recovery is a "loss center." I wonder where we've heard that before?
- David Byrne delivered an exceptional talk on the security consequences of anti-DNS pinning. The purpose of his attack is to use Web clients as a conduit for attacking intranet hosts. He demonstrated a remote Nessus scan and Metasploit attack of intranet hosts via a "tunnel" of HTTP POSTs and replies passed through a Web browser. David's talk showed that DNS resolutions in which an Internet hostname resolves first to an Internet address and then to an intranet address can be used as a detection mechanism. A Web server vulnerable to XSS is required, and the presence of Java or other rich content vehicles on the host only exacerbates the problem by providing additional attack vectors.
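The detection idea above, a public hostname that later resolves to an intranet address, is easy to turn into a resolver-log check. The following is an added example, not code from the original post or from David Byrne's talk; the log line format, the hostnames and the addresses are constructed for illustration, and the intranet ranges are listed explicitly rather than taken from `ipaddress.is_private` because that property also flags the RFC 5737 documentation networks used as the "public" answers here.

```python
"""Flag DNS rebinding (anti-DNS pinning) from resolver logs.

Added example, not code from the original post or from the talk it
describes. A hostname that first resolves to a public address and then to
an intranet address is the signature the post mentions; a very low TTL on
the internal answer is recorded too, because rebinding depends on it.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log format (not a real resolver's):
#   "<epoch> <client> <qname> <A|AAAA> <answer-ip> ttl=<seconds>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<qname>\S+) (?P<rtype>A|AAAA) "
    r"(?P<ip>\S+) ttl=(?P<ttl>\d+)$"
)

# Ranges an Internet hostname should never legitimately resolve to.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]


def is_internal(ip: str) -> bool:
    """True when the address lies in an intranet/loopback/link-local range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse(line: str):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": int(d["ts"]), "client": d["client"],
            "qname": d["qname"].lower().rstrip("."),
            "ip": d["ip"], "ttl": int(d["ttl"])}


def detect_rebinding(lines, low_ttl=60):
    """Return one alert per answer where a name previously seen resolving to a
    public address now resolves to an internal one."""
    seen_public = defaultdict(set)  # qname -> public answers seen so far
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        q, ip = rec["qname"], rec["ip"]
        if is_internal(ip):
            if seen_public[q]:  # public first, internal next: rebinding pattern
                alerts.append({
                    "qname": q, "client": rec["client"], "ts": rec["ts"],
                    "internal_ip": ip,
                    "previous_public": sorted(seen_public[q]),
                    "low_ttl": rec["ttl"] <= low_ttl,
                })
        else:
            seen_public[q].add(ip)
    return alerts


# Constructed sample log. "lure.example" stands in for an attacker-controlled
# name; 203.0.113.0/24 is a documentation range used here as "public".
SAMPLE_LOG = [
    "1186000000 10.0.0.5 www.example.com A 203.0.113.50 ttl=3600",
    "1186000010 10.0.0.5 lure.example A 203.0.113.10 ttl=1",
    "this line is malformed and is skipped",
    "1186000040 10.0.0.5 lure.example A 10.0.0.20 ttl=1",        # rebinding
    "1186000050 10.0.0.5 intranet.corp.example A 10.0.0.30 ttl=3600",  # benign
    "1186000060 10.0.0.5 www.example.com A 203.0.113.51 ttl=3600",     # benign
]

if __name__ == "__main__":
    for alert in detect_rebinding(SAMPLE_LOG):
        print(alert)
```

Only the second `lure.example` answer produces an alert; an intranet name that has only ever resolved to intranet addresses does not, nor does a public name changing between two public addresses.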
- I only saw the last half of Brad Hill's talk because I had lunch with several ex-Foundstoners, but the part I saw was impressive. Brad explained how to exploit XML digital signatures, such as running arbitrary executables (like cmd.exe) from within a signature!
- Bryan Sullivan and Billy Hoffman rocked, showing how their demo site www.hackervacations.com exemplified the many vulnerabilities in Ajax Web sites. They really made me understand the problem with Ajax: most, and in some cases all, of an Ajax application's logic executes on the client. Previously, attacking Web applications centered on providing malicious input to influence the execution of the Web app. Now, attacking Ajax Web applications means malicious clients manipulate every aspect of the program, including variables, order of execution, and control of the server. They showed how to "DoS a plane" by reserving all seats on a flight booking system, and keeping all seats filled by sending an HTTP message every 30 seconds. They showed how to buy a plane seat for $1, or buy all seats for nothing. They accessed hidden administrative functions by directly talking to the remote Web service and dumping the entire database (with zero knowledge of the remote database) with two commands. This emphasized that testing inputs through the Web applications is completely insufficient; all the Web services must now be similarly assessed.
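The seat-for-$1 and "DoS a plane" problems both come from the server accepting state the client computed. The following is an added example, not code from the original post or from the www.hackervacations.com demo site: a booking handler that trusts the client next to one that keeps price, availability, hold expiry and per-client limits on the server. The flight, prices, request fields and time values are constructed for the example.

```python
"""Client-trusting vs. server-authoritative booking handlers.

Added example, not the demo site's code. VulnerableBooking mirrors the
failure the post describes: it charges whatever price the client sends and
lets a hold live as long as keepalives arrive. HardenedBooking ignores
client-supplied price, fixes the hold expiry at reservation time, and caps
holds per client, so a keepalive every 30 seconds cannot keep a plane empty.
"""
import time

# Constructed server-side catalogue: flight -> price and seat map.
FLIGHTS = {"BH123": {"price": 450.0, "seats": {"1A", "1B", "2A", "2B"}}}
HOLD_SECONDS = 600          # an unpaid hold lapses ten minutes after it is taken
MAX_HOLDS_PER_CLIENT = 2    # one client may not hold the whole aircraft


class VulnerableBooking:
    """Trusts the client for price and for hold lifetime."""
    def __init__(self):
        self.holds = {}  # (flight, seat) -> (client, last_keepalive)

    def reserve(self, client, flight, seat, price):
        self.holds[(flight, seat)] = (client, time.time())
        return {"ok": True, "charged": price}   # client-chosen amount

    def keepalive(self, client, flight, seat):
        self.holds[(flight, seat)] = (client, time.time())  # hold extended
        return True


class HardenedBooking:
    """Every authoritative decision is made from server-side data."""
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable clock so expiry can be tested
        self.holds = {}      # (flight, seat) -> {"client", "expires"}
        self.sold = {}       # (flight, seat) -> client

    def _expire(self, now):
        for key in [k for k, h in self.holds.items() if h["expires"] <= now]:
            del self.holds[key]

    def reserve(self, client, flight, seat, **client_fields):
        """Extra client fields (e.g. price) are accepted and ignored."""
        now = self.clock()
        self._expire(now)
        if flight not in FLIGHTS or seat not in FLIGHTS[flight]["seats"]:
            return {"ok": False, "error": "unknown flight or seat"}
        key = (flight, seat)
        if key in self.sold or key in self.holds:
            return {"ok": False, "error": "seat unavailable"}
        if sum(h["client"] == client for h in self.holds.values()) >= MAX_HOLDS_PER_CLIENT:
            return {"ok": False, "error": "too many open holds"}
        self.holds[key] = {"client": client, "expires": now + HOLD_SECONDS}
        return {"ok": True, "price": FLIGHTS[flight]["price"],
                "hold_expires": now + HOLD_SECONDS}

    def keepalive(self, client, flight, seat):
        """Reports whether the hold still exists; it never extends it."""
        self._expire(self.clock())
        hold = self.holds.get((flight, seat))
        return hold is not None and hold["client"] == client

    def pay(self, client, flight, seat, amount):
        """Charge only the catalogue price, only to the holder, only before expiry."""
        self._expire(self.clock())
        key = (flight, seat)
        hold = self.holds.get(key)
        if hold is None or hold["client"] != client:
            return {"ok": False, "error": "no valid hold"}
        if amount != FLIGHTS[flight]["price"]:
            return {"ok": False, "error": "amount does not match catalogue price"}
        del self.holds[key]
        self.sold[key] = client
        return {"ok": True, "charged": amount}


if __name__ == "__main__":
    v = VulnerableBooking()
    print("vulnerable:", v.reserve("alice", "BH123", "1A", price=1.0))
    h = HardenedBooking()
    print("hardened:  ", h.reserve("alice", "BH123", "1A", price=1.0))
    print("pay $1:    ", h.pay("alice", "BH123", "1A", 1.0))
```

The point of the injectable clock is that the hold's expiry is a server-side fact: a client pinging the keepalive endpoint can learn that its hold still exists, but cannot move the expiry, and a cap on open holds means one client cannot tie up every seat even within the window.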
- I ended the day in Hacker Court, where the "Crimson Knight" was tried for cheating the "Masters of Mayhem" online game. As usual Hacker Court was great, especially because Jennifer Granick moved from her traditional role as defense counsel to the new role of prosecutor. She lost her case, but I spoke with her briefly and learned the experience gave her a chance to think like the other side in front of an audience in a simulated trial.
My overall impression from the first day of briefings can be summarized in this manner.
- Detecting current attacks in "real time" is increasingly difficult, if not impossible. Even if you assume attacks are not obscured by encryption, recognizing and understanding the variety of Web-based attacks shown at Black Hat is almost a lost cause. There is basically no way for defenders to address the expanse of the attack surface exposed by "rich Internet applications" and frameworks. I realized that the "rich" in "RIA" refers to the money intruders will make by exploiting Web clients.
- The average Web developer and security professional will never be able to counter these attacks. Intruders are so far ahead of the defenders with respect to tools and techniques that it is simply not possible to prevent the attacks I saw at Black Hat. This statement will probably offend many people but it's time to face the truth. There is no way to get "ahead of the threat" here.
I realize I've painted a very bleak picture. In my next post (time to board the plane) I will summarize day 2 of the Black Hat Briefings. In the post after that I will provide some defensive strategies and concluding thoughts.