Tuesday, August 16, 2011

2011 Conference Adventures

This post recounts my adventures at, and probably tells you more than you ever wanted to know about, Blackhat and DEFCON 2011, as I saw them.

There are eight sections: Client Sides; Coding & Testing; "Cyber" (for lack of a better word); Embedded Systems; Forensics; Mobile; Networking; and Virtualization.

Client Sides

Alex Stamos and co. from iSec did a pretty thorough job of putting to rest whatever lingering delusions of invincibility we Mac users have left. They found that while current stand-alone Macs are more or less on par with Windows 7 in security, Mac OS X client/server protocols have design and authentication flaws that can be exploited by a variety of attacks, are susceptible to credential harvesting, and don’t stand much chance in a network foothold situation. “They're pretty good for [protecting from] remote exploitation,” Stamos said. “[But] once you install OS X server you're toast.” Stamos also noted that forensic tools for Macs are at present largely nonexistent. Their talk was covered by ITworld.

I missed Weapons of Targeted Attack: Modern Document Exploit Techniques by Tsai and Pan, who said, "If you have installed all Microsoft Office patches and there are no 0 day vulnerabilities, will it be safe to open a Word or Excel document? The answer is no." What a surprise. I plan to review the presentation docs and video. Datamation wrote about this talk. I also plan to read Playing in the Reader X Sandbox.

Coding & Testing

Four researchers presented a new web application testing tool with simple fuzzing capabilities named RAFT (Response Analysis and Further Testing Tool); the tool and its wiki are publicly available. Willis and Britton presented one of the more detailed treatments of static analysis tools I have seen. No vendors were named, but it was still interesting.

Microsoft announced a $200K “Blue Hat Prize” designed to “inspire researchers to focus their talents on defensive technologies” and “encourage researchers to think about ways to defeat entire classes of bugs." The program’s first wish list item is "a novel runtime technology to defend against memory safety vulnerabilities". This was covered by techtarget and threatpost.

The program received a mixed reception and produced some heated twittering. Microsoft seems to be seen as “the man” in the software security world and consequently seems to receive a negative reaction from part of the community no matter what it does. I had an interesting conversation with some Microsoft folks during lunch on day one, and talk turned to why we need to embed SWFs in Office documents at a time when so many organizations are overrun with client-side exploits. One of the softies pointed out that if they had not allowed vendors to embed things like SWF code wherever they want, including Office docs, they could be beaten with the antitrust stick, something that had not occurred to me. On my reading list is

“Cyber” (for lack of a better word)

Cofer Black, former director of the CIA's Counterterrorist Center, gave the day one keynote (he's the one in the photo) and used the increasingly popular “Code War” phrase to describe the current state of affairs in international cyberconflict. Black mentioned the 2010 Stuxnet worm, saying, "I am here to tell you, and you can quote me, the Stuxnet attack is the Rubicon of our future … physical destruction of a national resource is huge." He recounted lessons learned during the evolution of counterterrorism programs, as policymakers struggled to understand the rapidly evolving landscape of asymmetric threats, and drew parallels to today's urgent need to understand and meet the emerging cyber threatspace. The post-Cold War “CBRN” (Chemical, Bacteriological, Radiological, Nuclear) threat landscape, he said, has changed to become “KBC” (Kinetic, Bacteriological, Cyber). His keynote was covered by Techtarget and SecurityWeek.

Peter “Mudge” Zatko gave a very entertaining keynote and announced a DARPA program to fund original research and development by hacker spaces, saying he wants to encourage the next L0pht to quit their day jobs and do security research full-time. The program is called Cyber Fast Track and will fund between 20 and 100 projects annually. Anything with military applications will be considered; of particular interest are projects with potential to “reduce attack surface or reverse current asymmetries”. The program went online the morning of the keynote. The announcement was covered by eWeek, Reuters, and SC Magazine.

Embedded Systems

Dillon Beresford presented 18 findings in the Siemens industrial controllers which run all sorts of terribly important machines across the planet. Findings included remotely exploitable administrative control and denial-of-service vulns, hard-coded superuser passwords and one easter egg. Siemens and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) are preparing to release patches for at least some of the vulns. This talk was covered by threatpost and wired.

Forensics

Litchfield gave an excellent talk continuing his extensive work in Oracle database security and forensics, which I plan to review again when the DVD arrives. His talk was covered by Darkreading. Russinovich gave his workshop on Zero Day Malware Cleaning With the Sysinternals Tools. I talked with Mark and he confirmed there is no method of observing the PID for an ICMP endpoint under Windows, as the TDI layers simply don't report ICMP data. The only method for authoritatively determining a particular ICMP endpoint is with a debugger attached to the sending process. ICMP is not the most popular C&C mechanism, but it makes for an effective covert channel on many networks as it tends to be ignored and is relatively hard, compared to TCP/UDP, for first responders and forensics analysts to trace to a PID. I will update a post on this from days of yore, when I started seeing ICMP-based C&C channels.
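Since the host side gives you no PID to pivot on, the practical place to spot an ICMP covert channel is on the wire. The following is an added example written for this post (it is not code from the post, from Sysinternals, or from any talk) that parses raw ICMP echo packets and flags the things a first responder would look for: payloads that match neither the Windows ping.exe pattern nor the iputils/BSD ping pattern, payloads that are mostly non-printable (encoded or encrypted), payloads larger than the common tools send by default, and bad checksums. The 64-byte "benign" ceiling, the constructed sample packets (including an XOR-obfuscated shell command standing in for a C&C message) and the packet-builder helper are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flag bits returned by icmp_inspect(); 0 means "looks like an ordinary ping". */
enum {
    ICMP_TRUNCATED       = 1,   /* shorter than an ICMP header */
    ICMP_BAD_CHECKSUM    = 2,
    ICMP_NOT_ECHO        = 4,   /* a type other than echo request (8) / reply (0) */
    ICMP_UNKNOWN_PATTERN = 8,   /* payload matches no common ping tool */
    ICMP_BINARY_PAYLOAD  = 16,  /* mostly non-printable bytes: looks encoded/encrypted */
    ICMP_OVERSIZED       = 32   /* payload above what the common tools send by default */
};

#define ICMP_HDR 8
#define MAX_BENIGN_PAYLOAD 64   /* assumption: tune to what your own hosts actually send */

/* RFC 1071 one's-complement checksum. Computed over a packet whose checksum
   field is already correct, the result is 0. */
static uint16_t icmp_checksum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    if (len & 1)
        sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Build an echo request (type 8) with a valid checksum. Returns total length. */
static size_t build_echo_request(uint8_t *out, uint16_t id, uint16_t seq,
                                 const uint8_t *payload, size_t plen) {
    out[0] = 8; out[1] = 0; out[2] = 0; out[3] = 0;
    out[4] = id >> 8;  out[5] = id & 0xff;
    out[6] = seq >> 8; out[7] = seq & 0xff;
    memcpy(out + ICMP_HDR, payload, plen);
    uint16_t ck = icmp_checksum(out, ICMP_HDR + plen);
    out[2] = ck >> 8; out[3] = ck & 0xff;
    return ICMP_HDR + plen;
}

/* Windows ping.exe default: 32 bytes of "abcdefghijklmnopqrstuvwabcdefghi". */
static int is_windows_pattern(const uint8_t *p, size_t n) {
    return n == 32 && memcmp(p, "abcdefghijklmnopqrstuvwabcdefghi", 32) == 0;
}

/* iputils/BSD ping default: an 8-byte timestamp, then payload byte i holds the value i. */
static int is_unix_pattern(const uint8_t *p, size_t n) {
    if (n <= 8) return 0;
    for (size_t i = 8; i < n; i++)
        if (p[i] != (uint8_t)i) return 0;
    return 1;
}

/* pkt points at the ICMP header (IP header already stripped). */
int icmp_inspect(const uint8_t *pkt, size_t len) {
    int flags = 0;
    if (len < ICMP_HDR) return ICMP_TRUNCATED;
    if (icmp_checksum(pkt, len) != 0) flags |= ICMP_BAD_CHECKSUM;
    if (pkt[0] != 8 && pkt[0] != 0) flags |= ICMP_NOT_ECHO;
    const uint8_t *p = pkt + ICMP_HDR;
    size_t n = len - ICMP_HDR;
    if (!is_windows_pattern(p, n) && !is_unix_pattern(p, n)) {
        flags |= ICMP_UNKNOWN_PATTERN;
        size_t nonprint = 0;
        for (size_t i = 0; i < n; i++)
            if (p[i] < 0x20 || p[i] > 0x7e) nonprint++;
        if (n > 0 && nonprint * 2 > n) flags |= ICMP_BINARY_PAYLOAD;
    }
    if (n > MAX_BENIGN_PAYLOAD) flags |= ICMP_OVERSIZED;
    return flags;
}

/* Constructed samples (not captured traffic): 0 = Windows ping, 1 = Linux ping,
   2 = a tunnelled shell command XOR-obfuscated with 0xaa, 3 = Windows ping with
   one byte flipped after checksumming. */
int inspect_sample(int kind) {
    uint8_t payload[128], pkt[256];
    size_t plen = 0, len;
    if (kind == 0 || kind == 3) {
        memcpy(payload, "abcdefghijklmnopqrstuvwabcdefghi", 32); plen = 32;
    } else if (kind == 1) {
        memset(payload, 0x5a, 8);               /* stand-in for the timestamp */
        for (size_t i = 8; i < 56; i++) payload[i] = (uint8_t)i;
        plen = 56;
    } else {
        const char *cmd = "id;uname -a;cat /etc/passwd;ls -la /root;ps aux;netstat -an;w;sleep 60";
        plen = strlen(cmd);
        for (size_t i = 0; i < plen; i++) payload[i] = (uint8_t)cmd[i] ^ 0xaa;
    }
    len = build_echo_request(pkt, 0x1234, 1, payload, plen);
    if (kind == 3) pkt[len - 1] ^= 0xff;        /* corrupt after the checksum was set */
    return icmp_inspect(pkt, len);
}

int main(void) {
    const char *names[] = {"windows ping", "linux ping", "xor-tunnelled command", "corrupted ping"};
    for (int k = 0; k < 4; k++)
        printf("%-22s flags=0x%02x\n", names[k], inspect_sample(k));
    return 0;
}
```

The flags are indicators, not verdicts: custom ping tools and monitoring agents produce "unknown" payloads too, so the useful signal is usually an unknown, binary, oversized pattern repeating between one internal host and one external address. Even with a flagged flow in hand, the post's point stands: on Windows you still need a debugger on the suspect process to prove which PID owns the endpoint.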

I missed, but plan to review, these forensics talks:


Mobile

One of the most discussed aspects of DEFCON, Blackhat’s sister conference, was that 3G/4G and CDMA transmissions were reportedly being intercepted using some sort of modded femtocell device. The conference made an announcement on the morning of day two that some number of rogue cells were in operation, and the effects seemed to be observable.

Most phones were observed to frequently lose and reacquire 3G signal; some users reported suspicious application activity. Some of my colleagues saw evidence of forced encryption downgrading (one indicator that an intercepting femtocell device is in operation) as well as attempts at code execution in their BlackBerry logs. I checked with one person who did forensics on a BlackBerry after the con, who told me, “from what I can tell they were probably only able to get a run-time agent going at random intervals, but because of code signing integrated on BB's OS boot and because I kept restarting the device while I was at the con, they never got a persistent foothold from what I can tell”.

A seclists post claimed that some number of Droids had been compromised. At the time of this writing, there are no confirmed cases I know of, although I don’t expect to see many Droid owners or conference attendees make public comments about how their phones were pwned. The seclists post made no mention of iPhones. The non-jailbroken iPhone would seem to be a fairly hard target, but the lack of forensics or even basic logging capabilities makes it hard to determine what, if anything, has happened to an iPhone on a hostile network.

All of this raises the prospect that there may be any number of compromised smartphones returning from the field and connecting to corporate networks. Given the difficulty of doing basic forensics on a smartphone under vendor lockdown, I don’t see how first responders can feasibly do any sort of detection, forensics or even monitoring of these devices. Smartphones not under lockdown can be easier to do forensics and incident response on, but they also seem to be more vulnerable and less likely to survive a hostile network. I'm wondering if we are going to eventually decide that the best and most cost-effective plan going forward is for field personnel to leave the smartphones behind and use a disposable cell when in high-risk environments.

I missed the Veracode panel, Owning Your Phone at Every Layer, as I was trying to follow Ptacek and Tracy's fairly advanced train of thought as they showed how to break encryption "Hollywood style" in Crypto for Pentesters. I will see the Veracode panel when the DVD arrives. A talk was given on femtocells again this year. Hacking Androids for Profit was pulled at the eleventh hour for reasons that are not entirely clear. I also plan to read Belenko’s Overcoming iOS Data Protection to Re-enable iPhone Forensics. On the subject of iPhones:


Networking

I saw Marlinspike give a thoughtful talk on “SSL and the Future of Authenticity”, in which he recounted tracking down and interviewing one of the original inventors of SSL and listening to some of his more intriguing comments, like “oh, authenticity... was a bit of a hand wave; we threw that in towards the end”. Marlinspike said that certificate authority incidents like Comodogate are more common than is generally thought and made a case for systemically rethinking the way trust is managed by consumers of the CA system. He introduced an alternative approach he calls “trust agility”. The video recording is on the archives page and Marlinspike recounts the substance in his blog.

Kaminsky spoke highly of bitcoin’s security, saying “entire classes of bugs are just absent”. He also released a tool named “N00ter”, or neutral router, for detection of traffic shaping in order to detect subtle tinkering with net neutrality. This was covered by Forbes and Techtarget.

Kaminsky also described continuing work on getting through consumer routers using UPnP. He referenced similar work by Garcia presented at DEFCON.

Ivan Ristic presented SSL research indicating a majority of sites actually implement SSL incorrectly.

IBM announced a new method for making wireless networks resistant to passive sniffing and man-in-the-middle attacks using certificates, which would seem like something we might have thought of doing already. Their talk was covered by threatpost.


Virtualization

This year again featured a novel virtual machine breakout, or guest escape, this time in KVM. The exploit, named “virtunoid”, is on GitHub at the time of this writing. I saw this talk live and watched as Elhage demoed the exploit packaged in a small initrd for delivery: the exploit disconnects the real-time clock in the guest, which tends to make the guest rather unstable, as you might imagine, and running it from a minimal initrd environment is more reliable. The guest stops, but does not panic, and Elhage told me he believes the guest could, with a bit of work, be fixed up sufficiently to allow it to continue running.

The vuln is essentially a use-after-free bug, CVE-2011-1751: a missing check in qemu-kvm, the userspace component of KVM (the Linux Kernel-based Virtual Machine). The author cites the CVE description: “It was found that the PIIX4 Power Management emulation layer in qemu-kvm did not properly check for hot plug eligibility during device removals. A privileged guest user could use this flaw to crash the guest or, possibly, execute arbitrary code on the host.” The exploit succeeds in executing code on the host after a fairly complex attack and exploitation path. The slides and whitepaper are worth a read.
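To make the CVE wording concrete, here is a deliberately simplified model of that bug class, added for this post. It is not code from qemu-kvm, from virtunoid, or from Elhage's paper, and the slot layout, device names and the "RTC timer" that stands in for a host-side callback still holding a device pointer are assumptions for the illustration. The vulnerable eject handler frees whatever the guest asks for; the hardened one applies the eligibility check the CVE says was missing and drops the timer's reference before freeing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NSLOTS 4

/* One emulated PCI device. 'hotpluggable' is decided by the host when the
   device is created; the guest must never be able to override it. */
typedef struct Device {
    char name[16];
    int hotpluggable;
} Device;

/* A periodic host-side callback (think of the RTC timer) that captured a
   device pointer when it was armed and dereferences it on every tick. */
typedef struct Timer {
    Device *opaque;
} Timer;

typedef struct Bus {
    Device *slots[NSLOTS];
    Timer rtc_timer;
} Bus;

static Device *add_device(Bus *bus, int slot, const char *name, int hotpluggable) {
    Device *d = calloc(1, sizeof *d);
    if (!d) abort();
    strncpy(d->name, name, sizeof d->name - 1);
    d->hotpluggable = hotpluggable;
    bus->slots[slot] = d;
    return d;
}

/* Vulnerable: the guest writes a slot bitmask to the "eject" register and
   every set bit frees the device in that slot. Nothing asks whether the slot
   was hot-pluggable, and the timer keeps its pointer. Returns devices freed. */
int eject_vulnerable(Bus *bus, unsigned mask) {
    int freed = 0;
    for (int i = 0; i < NSLOTS; i++) {
        if (!(mask & (1u << i)) || !bus->slots[i]) continue;
        free(bus->slots[i]);            /* rtc_timer.opaque now dangles */
        bus->slots[i] = NULL;
        freed++;
    }
    return freed;
}

/* Hardened: refuse non-hotpluggable slots (the missing check) and drop every
   other reference to the device before freeing it. */
int eject_hardened(Bus *bus, unsigned mask) {
    int freed = 0;
    for (int i = 0; i < NSLOTS; i++) {
        Device *d = bus->slots[i];
        if (!(mask & (1u << i)) || !d) continue;
        if (!d->hotpluggable) continue; /* guest-requested, host-denied */
        if (bus->rtc_timer.opaque == d) bus->rtc_timer.opaque = NULL;
        free(d);
        bus->slots[i] = NULL;
        freed++;
    }
    return freed;
}

/* 1 = timer points at a device still on the bus, 0 = timer detached,
   -1 = timer holds a pointer no slot owns any more: it dangles, and the next
   tick would be a use-after-free. The pointer is only compared, never read. */
int timer_state(const Bus *bus) {
    if (!bus->rtc_timer.opaque) return 0;
    for (int i = 0; i < NSLOTS; i++)
        if (bus->slots[i] == bus->rtc_timer.opaque) return 1;
    return -1;
}

static void bus_teardown(Bus *bus) {
    for (int i = 0; i < NSLOTS; i++) { free(bus->slots[i]); bus->slots[i] = NULL; }
    bus->rtc_timer.opaque = NULL;
}

/* Scenario: slot 1 holds the chipset device the RTC timer references (not
   hot-pluggable), slot 3 a hot-pluggable NIC. A guest with register access
   then requests ejection of every slot. Returns timer_state(); *freed_out
   receives how many devices the handler released. */
int run_scenario(int hardened, int *freed_out) {
    Bus bus;
    memset(&bus, 0, sizeof bus);
    Device *chipset = add_device(&bus, 1, "piix4-like", 0);
    add_device(&bus, 3, "virtio-net", 1);
    bus.rtc_timer.opaque = chipset;
    unsigned guest_mask = 0xfu;         /* guest-controlled: "eject everything" */
    int freed = hardened ? eject_hardened(&bus, guest_mask)
                         : eject_vulnerable(&bus, guest_mask);
    int state = timer_state(&bus);
    if (freed_out) *freed_out = freed;
    bus_teardown(&bus);
    return state;
}

int scenario_freed(int hardened) { int f = 0; run_scenario(hardened, &f); return f; }

int main(void) {
    printf("vulnerable: freed=%d timer_state=%d (-1 = dangling)\n", scenario_freed(0), run_scenario(0, NULL));
    printf("hardened:   freed=%d timer_state=%d\n", scenario_freed(1), run_scenario(1, NULL));
    return 0;
}
```

The model stops at the dangling pointer; turning that into host code execution is the "fairly complex attack and exploitation path" the post refers to, and is exactly what the paper and slides cover. The defensive lesson is the two-part fix: eligibility is a host decision checked on every guest-triggered removal, and no object is freed while another emulated component still holds it.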

Detection of this sort of thing will probably need to take place outside a guest, which fails during an exploit. Failure of a guest, particularly one booting from a strange minimal initrd, would be suspicious most of the time but could be challenging to block in real time. One detection possibility is the Second Look tool; I plan to ask them about this.
