10:00 AM
to 11:00 AM
FX: Router Exploitation
155 Attendees
Location
Roman Ballroom
Type Infrastructure
Felix 'FX' Lindner
Exploitation of active networking equipment has its own history and challenges. This session will take you through the full spectrum of possible attacks, what they yield and how the art of exploitation in that particular field evolved over the recent past to its present state. We will cover attacks on Cisco equipment and compare them to other specimens in the field, talk about the challenges you face to get a simple shell on such devices and what to actually do with them once you have made it.
Tags Network, Infrastructure
11:15 AM
to 12:30 PM
Aaron LeMasters & Michael Murphy: Rapid Enterprise Triaging
78 Attendees
Location
Roman Ballroom
Type Infrastructure
Aaron LeMasters, Michael Murphy
Imagine this scenario: routine log analysis uncovers suspicious activity dating back several months, and active beaconing reveals a backdoor channel in an outdated piece of production software on your network. Anti-virus did not catch it; updated IDS signatures reveal dozens of compromised machines, all buried beneath a hierarchy of domain controllers and NATed subnets across different autonomous organizations throughout a globally distributed network. What do you do without the necessary infrastructure and tools to respond?
Large-scale response efforts are expensive, inefficient and dangerous. What is worse, most companies are not typically resourced or prepared to respond. As a result, they are forced to either purchase a service contract or acquire the tools to respond internally. Neither response is a complete solution and often ends in disaster. More importantly, these approaches ignore the persistent threat at hand, and proprietary company data and resources remain exposed throughout the effort. To add insult to injury, you just spent your entire IT security budget for a one-time fix.
Our methodology of rapid enterprise triaging (RETRI) embraces a macro-approach to the Incident Response process. Rather than focusing on individual network segments or hosts, our approach prioritizes broad network isolation to contain the threat and ensures core business functions remain operable. The result is less strain on your IT staff and no downtime for your users.
Additionally, to help alleviate enormous costs of enterprise Incident Response tools, we will be releasing a free tool named Codeword that complements our approach. Codeword is similar in functionality to commercial agent-based forensic tools, but focuses on the needs of management and analysts during rapid triaging. These needs typically include an estimate of the spread of infection; an ability to search hosts for malware with constantly evolving indicators; a thorough evidence-collecting capability; and advanced, seamless reporting. These capabilities are implemented in a server-agent framework. Codeword is composed of several modules: the Handler that administrators use to generate custom MSI installers; the scanner binary contained in the MSI installer which includes a user-mode agent and a kernel-mode driver; and a report viewing component for analysts to easily aggregate and correlate evidence as it is reported from deployed agents. Codeword also boasts advanced rootkit detection and kernel integrity checking capabilities.
1:45 PM
to 3:00 PM
Graeme Neilson: Netscreen of the Dead
46 Attendees
Location
Roman Ballroom
Type Infrastructure
Graeme Neilson
Core network security appliances are often considered to be more secure than traditional systems because the operating systems they run are supplied as obfuscated, undocumented binary firmware. Juniper Inc supplies a complete range of security appliances that all run a closed source operating system called ScreenOS which they supply as firmware.
This presentation will detail how the Juniper Netscreen platform can be completely subverted by installation of attacker modified firmware. This firmware is effectively an embedded rootkit.
3:15 PM
to 4:30 PM
Dan Kaminsky: Something to do with Network Security?
186 Attendees
Location
Roman Ballroom
4:45 PM
to 6:00 PM
Andrew Fried, Paul Vixie & Christopher Lee: Internet Special Ops
126 Attendees
Location
Roman Ballroom
Type Infrastructure
Andrew Fried, Paul Vixie, Dr. Chris Lee
Today's Internet threats are global in nature. Identifying, enumerating and mitigating these incidents require the collection and analysis of unprecedented amounts of data, which is only possible through data mining techniques. We will provide an overview of what data mining is, and provide several examples of how it is used to identify fast flux botnets and how the same techniques were used to enumerate Conficker.
6:00 PM
to 7:30 AM
Pwnie Awards
112 Attendees
Location
Roman Ballroom
Type Food & Drink
The Pwnie Awards will return for the third consecutive year to the BlackHat USA conference in Las Vegas. The award ceremony will take place during the BlackHat reception on July 29, 2009 and the organizers promise an extravagant show.
The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the wider security community in the past year. Nominations are currently accepted in nine award categories:
* Best Server-Side Bug
* Best Client-Side Bug
* Mass 0wnage
* Most Innovative Research
* Lamest Vendor Response
* Most Overhyped Bug
* Best Song
* Most Epic FAIL
* Lifetime Achievement award for hackers over 30
10:00 AM
to 10:30 AM
Alfredo Ortega: Deactivate the Rootkit
78 Attendees
Location
Roman Ballroom
Type Turbo Talks
Alfredo Ortega, Anibal Sacco
There are three things that you should know about the Rootkit:
1. If you have a notebook, you probably have The Rootkit.
2. You can't erase the Rootkit, but you should know how to deactivate it.
3. Finally, you should know how you (or somebody else) could activate the Rootkit.
10:30 AM
to 11:00 AM
Kevin Stadmeyer: Worst of the Best of the Best
69 Attendees
Location
Roman Ballroom
Type Turbo Talks
Kevin Stadmeyer, Garrett Held
This talk provides an overview of popular, and lesser known but similar sounding awards, and the correlation between them and security vulnerabilities found. The analysis will use publicly available information for statistics and sanitized examples of award-winning products that are clearly vulnerable to common attacks.
11:15 AM
to 11:40 AM
Daniel Raygoza: Automated Malware Similarity Analysis
50 Attendees
Location
Roman Ballroom
Type Turbo Talks
Daniel Raygoza
While it is fairly straightforward for a malware analyst to compare two pieces of malware for code reuse, it is not a simple task to scale to thousands of pieces of code. Many existing automated approaches focus on run-time analysis and critical trait extraction through signatures, but they don't focus on code reuse. Automated code reuse detection can help malware analysts quickly identify previously analyzed code, develop links between malware and its authors, and triage large volumes of incoming data. The tool and approach presented is best suited for groups that often perform in depth analysis of malware samples (including unpacking) and are looking for methods to develop links and reduce duplicated effort.
11:40 AM
to 12:30 PM
Chris Weber: Unraveling Unicode
56 Attendees
Location
Roman Ballroom
Type Turbo Talks
Chris Weber
The complex landscape of Unicode provides many angles for exploiting software and end users. We've known about some of these for years: we've seen buffer overflows exploited because of faulty Unicode handling, and we've seen homograph attacks in URLs. However, the real mysteries remain latent, unapparent to most software developers and even to the security community. I'm going to raise awareness around the interesting attack vectors and new areas of research into Unicode, as well as open people's eyes to the modern Visual Spoofing attacks of today.
This talk will include demonstrations of several uncommon vulnerabilities/attack vectors, and will also include a tool release to assist in finding these issues. A separate Spoof-detection component will also be released to demonstrate how we can defend users against Visual Spoofing attacks. We'll take a close technical look at many of the issues in Unicode software which are not well-known even in the security research community:
* How Unicode characters can be mishandled to take on powerful formatting properties such as white space.
* When unexpected UTF-8 sequences can lead to over-consumption and character deletion which enable attacks such as cross-site scripting and file system manipulation.
* What happened to non-shortest form UTF-8 and UTF-7?
* Why best-fit mappings lurking in common frameworks and APIs will enable drastic misbehavior and attacks within your applications, allowing for control over file systems and interpreters/parsers such as HTML.
* When casing operations enable a special character to be converted into something useful for cross-site scripting and other attacks.
* Why normalization operations can enable a Latin Modifier character to be converted into an exploitable HTML greater than sign.
* How normalization and casing operations can expand a single character by up to 18x, leading to buffer overflows.
* Why the BOM and Mongolian Vowel Separator are great inputs to use in test cases.
* How Internationalized Domain Names work and why they're still vulnerable to Visual Spoofing attacks today.
This presentation's intention is to educate the audience on categorized security issues around Unicode and Internationalized software in a clear and structured way, while giving real-world test cases, inputs, and practices for finding and avoiding vulnerabilities. I'll also cover the visual security issues relating to script spoofing and the 'confusables'. Internationalized Domain Names have been with us since 2003 yet are less understood in the security community. Internationalized top-level-domains are coming up, as are email addresses. I'll be demonstrating how I can fool end users with lookalikes and homograph attacks in modern browsers with common .COM and .ORG domains.
Unicode is a universal character encoding providing the basis for processing, storage, and interchange of text data in any language in all modern software. Unicode replaces the myriad of historical character sets and encodings which have proven cumbersome and difficult for interoperability. With Unicode we get a single unified model for representing characters in almost any language past, present, and even future.
1:45 PM
to 2:10 PM
Bryan Sullivan: Defensive Rewriting
60 Attendees
Location
Roman Ballroom
Type Turbo Talks
Bryan Sullivan
Attacks like cross-site scripting (XSS), cross-site request forgery (XSRF), and open-redirect phishing are routinely propagated through malicious hyperlinks sent in e-mail messages. We could mitigate much of the risk of these vulnerabilities by frequently changing our URLs, not once every 200 years like Tim Berners-Lee suggests, but once every 10 minutes. Attackers would no longer be able to exploit application vulnerabilities by mass e-mailing poisoned hyperlinks because the links would be broken and invalid by the time the messages reached their intended victims.
This presentation will explore the possibilities of using various forms of URL rewriting techniques as defensive measures against XSS, XSRF and any other known or 0-day attack methods that use email as a propagation vector. I will release source and binaries for an ASP.NET rewriting module and will demonstrate source/pseudocode to accomplish the same functionality for other platforms.
2:10 PM
to 2:35 PM
Rachel Engel: Gizmo
68 Attendees
Location
Roman Ballroom
Type Turbo Talks
Rachel Engel
Gizmo is a free new open source web proxy designed to be lightweight, speedy, and responsive. When someone is performing a web pentest, they want a tool that lets them edit and search through requests quickly. The tool should let them search through and edit requests without slowing down web traffic or taking up the user's attention with heavyweight user interfaces. Gizmo was created with this in mind. The user interface is focused on the keyboard so that once the initial (very small) learning curve is over, the user can operate Gizmo without their hands leaving the keyboard. A great deal of effort was also spent ensuring that Gizmo proxies traffic snappily enough that a user's web browsing experience isn't hampered. The presentation will focus on the feature set of Gizmo and a demonstration of how snappy and responsive web proxies can be.
2:45 PM
to 3:05 PM
Tony Flick: Hacking the Smart Grid
109 Attendees
Location
Roman Ballroom
Type Turbo Talks
Tony Flick
The city of Miami and several commercial partners plan to roll out a "smart grid" citywide electrical infrastructure by the year 2011. This rollout proceeds on the heels of news that foreign agents have infiltrated our existing electrical infrastructure and that recent penetration tests have uncovered numerous vulnerabilities in the proposed technologies. Simultaneously, the National Institute of Standards and Technology (NIST) has recently released a roadmap for producing Smart Grid standards. In this Turbo Talk, I will discuss the flaws with the current guidelines and map them to the criticisms of similar regulatory mandates, including the Payment Card Industry Data Security Standard (PCI DSS), that rely heavily on organizations policing themselves.
3:15 PM
to 3:40 PM
Marc Bevand: MD5 Chosen
53 Attendees
Location
Roman Ballroom
Type Turbo Talks
Marc Bevand
In December 2008, an MD5 chosen-prefix collision attack was performed on a PlayStation 3 cluster to create a rogue CA certificate. A new implementation of this attack has been researched and developed to run an order of magnitude faster and more efficiently on video card GPUs, which now makes the attack practical to anybody. Software techniques to achieve the breakthrough performance gain will be demonstrated.
3:40 PM
to 4:05 PM
Steve Ocepek: Long-Life Sessions
69 Attendees
Location
Roman Ballroom
Type Turbo Talks
Steve Ocepek
Whether it's a credit card sniffer, a chatty web application, or unauthorized remote control software, long-lived network sessions are frequently being used to establish bi-directional conduits into and out of our networks. Unlike traditional "pull" oriented sessions, long-life sessions create channels that last anywhere from several minutes to several days. This behavior is not inherently bad, but since each connection represents a direct path into a network resource, being able to scrutinize these pathways would certainly even the odds a bit.
This discussion will present ways of classifying long-life sessions, decisions that need to be made around their use, and methods for detection and disconnection. While some current tools can get us part of the way there, a new approach will be presented in the form of a proof-of-concept utility called "ackack." This program, initially being released at Black Hat 2009, can be used with a switch monitor session to apply ARIN-based white/blacklists to long-life incoming and outgoing sessions. Detecting LogMeIn, botnets, and phone-home malware suddenly becomes feasible, as well as incoming server exploits that, for instance, drop the intruder into a shell. The goal of this software is to demonstrate the plausibility of controlling long-life sessions and encourage hardware vendors to implement this functionality. It might also make the world a better place, which would be kinda cool too.
4:05 PM
to 4:30 PM
Peter Guerra: How Economics and Information Security Affects Cyber Crime
98 Attendees
Location
Roman Ballroom
Type Turbo Talks
Peter Guerra
This turbo talk will explore the links between US law, international cybercrime, malware proliferation, and the economics of botnets. During this time, I will present research into the impact the current worldwide economic crisis has had on cybercrime and the impact on security professionals. I will also use economics to link cybercrime activity to emerging markets countries (Brazil, Russia, India, and China) and show research into how the CAN-SPAM act created economic incentives for an increase in botnets, spam, malware, and phishing attacks.
4:45 PM
to 5:10 PM
Michael Brooks: BitTorrent hacks
94 Attendees
Location
Roman Ballroom
Type Turbo Talks
Michael Brooks, David Aslanian
This is the journey of two pirates hacking BitTorrent. This talk will cover ways of abusing the BitTorrent protocol, finding vulnerabilities in BitTorrent clients and exploiting them. We will also cover counter measures to these attacks.
5:10 PM
to 5:35 PM
Mikko Hypponen: The Conficker Mystery
170 Attendees
Location
Roman Ballroom
Type Turbo Talks
Mikko Hypponen
Network worms were supposed to be dead. Turns out they aren't. In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world. Apparently written in Ukraine, this worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser.
Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create remote jobs to infect machines over corporate networks. Possibly the most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalculating one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected.
But the real mystery is why nothing happened. The infected machines have never been used for anything. No botnet, no spamming, no data theft. Why? In my talk I will present the work we did to analyse Conficker. We reverse engineered the domain-generation algorithm and infiltrated the network. I will also disclose, for the first time ever, what the motive of the gang behind Conficker was, and why they never acted upon it.
5:35 PM
to 6:00 PM
Muhaimin Dzulfakar: Advanced MySQL Exploitation
111 Attendees
Location
Roman Ballroom
Type Turbo Talks
Muhaimin Dzulfakar
This talk focuses on how MySQL SQL injection vulnerabilities can be used to gain remote code execution in LAMP and WAMP environments. Attackers performing SQL injection on a MySQL platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution compared to other platforms. This talk will show that arbitrary code execution is possible on the MySQL platform and explain the techniques. In this presentation, the author will demonstrate the tool he wrote, titled MySqloit. This tool can be integrated with Metasploit and is able to upload and execute shellcode using a SQL injection vulnerability in LAMP or WAMP environments.