Earlier this year, I changed my career focus from manageability and virtualization enabling to security technology enabling with a focus on the business client. Being a relative newbie in the security realm, I thought it would be a good idea to get a wider perspective of what’s happening in the real world with regard to real threats, attacks, technologies, etc. What better place to get this perspective than attend BlackHat USA 2010 and DEF CON 18 in Las Vegas. Here’s my breakdown the most interesting sessions, thoughts, and experiences I had at these conferences.
What better way to learn than hands on from actual security researchers. As my first ever BlackHat training, I attended “Virtualization (In)Security” taught by Rafal Wojtczuk of Invisible Things Lab. Other than being fairly expensive, I thought it was a great technical introduction to VMM security exploits (Xen 3.x was used to demonstrate) and how they might be mitigated through hardware mechanisms. My main take-away from the two day hands-on training was how seemingly separate exploits can be combined to multiply their impact too completely and totally own a system. If you have the means, I recommend this course to anyone new to working with VMM security.
Overall, I thought the show was great! The briefings where some of the most informative and high quality sessions I have ever attended at any tradeshow. Event organization was also top notch and attendees had enough time to get from one session to another. This event had a decidedly professional and corporate feel to it and I honestly expected to see more hacker types, but I guess the steep registration fee probably kept some from attending. As well, it was interesting to me that such a large security conference only had two days of sessions. So much to see and learn and so little time. There were numerous occasions where I had to choose between two sessions that I really wanted to attend. But, in the end, a colleague ended up buying the audio recordings for the show so when I get some free time I can go back and revisit those sessions.
Here are some of the more interesting briefings I attended:
Malware Freak Show 2010: The Client-Side Boogaloo – presented by Nicholas J. Percoco and Jibran Ilyas
This session is exactly why I came to BlackHat. It gave me a good understanding of some of the tricky, nasty, and clever malware that exists out there. The presenters did a great job explaining some of the more interesting (consulting) cases they ran into over the course of the last year. The most interesting one for me being the case of a memory rootkit that sniffed system memory for credit card information and then encrypted and FTP’d the details back to a rogue server. Basically every credit card swipe from a popular Miami sports bar was being logged, collected and eventually used by some criminal entity.
Malware Attribution: Tracking Cyber Spies and Digital Criminals – presented by Greg Hoglund
Interesting talk on how to track cyber criminals and malware variants through tool marks (generated by compilers and other tools) and fingerprints (like code fragments of known malware) lifted from the malware binaries themselves. Check out his free fingerprinting tool here.
Jackpotting Automated Teller Machines Redux – presented by Barnaby Jack
This session was hyped months before the actual BlackHat Briefings since it was supposed to be part of BlackHat 2009 but was canceled at the last minute. To my surprise it more than lived up to the hype. The presenter systematically showed how he was able to Jackpot an ATM as shown in the picture below. In short, he basically wrote a rootkit as part of modified ATM firmware and developed two different attack vectors to deploy the rootkit; one physical and one over-the-wire. The physical attack was based on the fact that just about anybody could buy a key over the internet that allows physical access to the ATM's computer system. Once physical access was available, one could just insert a USB stick to update the ATMs firmware with the rootkit. The over-the-wire attack was based on the fact that a few ATM vendors allowed remote firmware updates to take place as a default setting. Once his modified rootkit and FW were in place, he owned the ATM and could command it to do several things like change the denomination values (give out $100’s instead of $1’s), skim users ATM card information, and of course jackpot the machine of all its cash.
How I Met Your Girlfriend –presented by Samy Kamkar
By far the most entertaining session I attended was How I Met Your Girlfriend. In short, it chronicled Kamkar’s desire to meet a woman on Facebook who was dating someone else on Facebook. His scheme was to pose as the boyfriend and get the woman to break up with him (by sending nasty messages to her) and then he could legitimately move in. During the session he outlined several attacks, but the most interesting one was how he systematically broke down the PHP session-id (160bits) to the point he was able to brute-force the final few bits of the actual session-id used by the boyfriend when he was logged in. With the session-id in hand, he could now hijack the PHP session and commence with his scheme to get the girl to break off her existing relationship. The details of the PHP session hack can be found here.
DEF CON 18
I wasn’t really sure what to expect at DEF CON. When I arrived with my electronic badge in hand, I immediately saw a long line in the lobby of The Riv’s conference center. I’m glad I didn’t blindly wait until I got to the front; it turned out to be the conference schwag line. I could hardly believe that people would actually line up for this, but as I later understood, this was a CON and not a conference. DEF CON is a gathering of enthusiasts! Whether you were are a White Hat, Black Hat, Fed, or just an IT geek, it didn’t really matter. Everyone had one thing in common; a passionate interest in all aspects of cyber security.
As I pulled up a wall and waited in line for the ballrooms to open I talked with a veteran con-go’er who gave me some great advice. In a nut shell, he said there is an overwhelming amount of stuff to do so don’t try to tackle it all or you’ll burn out. He continued to say that a good strategy was to try to achieve a balance by attending 3-4 sessions, socialize with many, spend some time in the ‘villages’, compete in a contest, and attend a few parties/events each day. Sounded like reasonable advice to me, but sometimes very hard to follow. Anyway, I found myself being sucked into many of the talks due to the diversity of topics, and to my surprise, their high quality nature. I won’t get into the details of each session I attended, but a few that I really enjoyed were: “Making of the DEF CON Badge”, “Tales from the Crypto”, “Practical Cellphone Spying”, “My Life as a Spyware Developer”, and most of the SkyTalks. Check out the DC 18 Archive page here to download the slides and whitepapers. Besides the sessions, there were a ton of other activities going simultaneously like the Lock Picking Village (where you can learn the art of picking all sorts of devices), Hardware Hackers Village (learn how to do or compete in hardware hacking / pen testing), the Vendor area (t-shirts, lock picks, other hacking tools, etc), and the contest area. And, if you just had to get away from it all, there was a chill-out area where you could kick-back with your beverage of choice and some DJ beats. All of this and a very cool electronic badge were yours for only $140 (or $40 if you attended Black Hat). Unbelievable! So, if you are OK with very large crowds, cramped conditions, waiting in line, love to people watch, and have an interest in all things security (especially breaking it) then I highly recommend that you attend DEF CON next year.
Please feel free to comment on your experiences attending these Security CONferences.