Monday, September 04, 2006

Blackhat / DEFCON 2006 Trip Report

At this year's Blackhat and DEFCON conferences I saw demonstrations of a wide variety of emerging threats and attack scenarios that would go undetected on many networks in many organizations. Favorite papers, slides and code available at:

Mandia & Willis gave some interesting talks on the state of incident response complete with war stories. One story had identity data being ransomed by a developer who had secretly coded a backdoor. A second recounted stock trading systems being hijacked, in order to execute buy orders and inflate a stock price, using a session fixation attack.

An entire track was devoted to rootkits and sophisticated methods for escaping detection, such as hiding data in memory and file systems and subverting host firewalls. The rootkit track concluded with a standing room presentation as Joanna Rutkowska presented "blue pill", a rootkit that uses the virtualization technology present in certain 64-bit CPUs to operate below the OS. She also demonstrated a proposed detection evasion technique for intercepting and returning false results to certain timing based detection methods.

Jeremiah Grossman and others showed a functional bot implemented entirely in Javascript running in a browser. The authors showed the program directing a browser running on a host to scan and penetrate its local network.

Subverting Security Technologies
Numerous presentations demonstrated sophisticated methods of evading old and new security technologies. Ofir Arkin showed methods of bypassing network access control systems. "X30n" demonstrated how to compromise an enterprise network using a Blackberry. Martin Rukus discussed mainframe penetration scenarios. "Lin0xx" and Alexander Tereshkin discussed methods of subverting host firewalls. Numerous authors presented methods of hiding data in memory and file systems.

Another track focused on web application vulnerabilities and emerging threats--including worms--in the web application space. Billy Hoffman gave presentations on AJAX vulnerabilities and web application worms. HD Moore and Dan Moniz discussed the state of the art in cross-site scripting (XSS). Ptack & Glodsmith discussed vulnerabilities in common enterprise network and asset management software agents.


What did I take away? After days of sessions, slides, papers and demos, I see the continuation of two broad trends:

First, the battle for the host is being lost. When it is possible to design rootkits that are practically undetectable, the host detection problem goes from being unaffordable to untenable. Going forward, rootkit detection will need to performed at the network layer as much as on the host - and host based defenses will need to evolve to address increasing rootkit sophistication. How many desktop first responders are going to be capable of detecting a virtualized rootkit?

Second, as exploit writers move to the application layer they will find a practically inexhaustible supply of vulnerabilities, probably larger than anything seen to date. As threats evolve and proliferate beyond the ability to track, expect to see information security embrace event
correlation, anomaly detection and behavioral modeling. While specification or signature matching will always have its place, it cannot scale when threats multiply at a geometric rate. The financial world discovered this during the last century as it learned to build fraud control systems on a massive scale. The same evolution must now take place in the information world.

Favorite papers, slides and code available at

No comments: