Monday, October 22, 2007

Blackhat 2007 Favorites

Here is the short version; the web is the new playground; "web 2.0" has serious issues; threat models are becoming sophisticated enough they're actually hard to follow in some cases; we're losing the fight against malware; security products themselves are increasingly targeted and used to compromise networks they are supposed to protect.

These talks were my favorites, organized by broad subject:


Belani and Jones gave a real-world incident talk containing three very interesting case studies including a case where of non-public information including credit card transaction data was compromised. This case was never solved and may have been a wireless penetration or possibly an inside job.

Web Based Threats

Bolzoni_and_Zambon demonstrated an anomaly based intrusion detection system for web applications; this is an idea I had found myself advocating earlier in the year.

Byre’s talk “Intranet Invasion With Anti-DNS Pinning” covers a threat model so complex it is actually hard to follow. Essentially a browser hijacking technique for compromising a browser and / or desktop with some potential perhaps as a Javascript / HTTP control channel for a botnet.

Chenette_and_Joseph presented a tool for detecting zero day exploits, particularly browser heap spray exploits. See also Sotirov’s talk “Heap Feng Shui in JavaScript”.

Grossman & Hansen continued last year’s foray into browser hijacking techniques.

Gutesman, Futoransky and Waissbein presented a novel method of securing web applications.

Brad Hill gave an in-depth presentation on message oriented security as implemented in XML and WS-Security and the state of the art in XML attacks.

Hoffman and Terrill discussed the state of the art in web based worms and possible future directions such worms might take in order to become more virulent.

Dan Kaminsky gave a must-read multi-subject tour of his very interesting research in his usual style; this year focusing on vulnerabilities in the web application space.

Sullivan and Hoffman discussed Ajax design flaws and threat models.


Butler_and_Kendall discussed the use of DLL injection by malware to avoid detection and demonstrated methods of kernel mode injection techniques in the win32 space as well as memory analysis forensic detection techniques.

Nick Harbour of Mandiant discussed anti-forensics techniques used by malware and presented a UNIX equivalent to the Nebbtt’s Shuttle method of launching a win32 executable from a memory buffer.

Mikko Hypponen presented the state of the art in cell phone malware.

Wysopal and Eng discussed the state of the art in insertion and detection of backdoors.

Mark Yason discussed the state of the art in malware anti-reversing techniques.

Other Topics

Jim Hoaglund from Symantec presented the results of an in-depth analysis of the Vista network attack surface. He also discussed security implications of Teredo, an IPv6-over-IPv4 tunneling protocol which gives a vista host a globally routable IPv6 address. No practical inspection mechanism exists for Teredo traffic; the security implications are significant as any malicious traffic using the Teredo protocol may well go undetected.

David Litchfield presented a case study in Oracle database forensic analysis.

Palmer, Newsham and Stamos discussed weaknesses and evasion techniques in commercial forensics tools.

Mike Perry presented some interesting threat models and defensive techniques for users of the tor network.

Roecher and Thumann discussed the Cisco NAC protocol.

Rutkowska and Tereshkin continued last year’s discussion of Vista kernel compromise and virtualization based malware including a bluepill implementation supporting nested virtualization.

Bruce Schneier gave a keynote talk called “The Psychology of Security” – a must read examination of how the human mind thinks about risk.

Thermos presented some new VoIP protocol attacks.


No comments: