Black Hat Europe 2012 Roundup

So I’ve been back from Amsterdam for a couple of days and have been reflecting on what I learnt and who I spoke to at Black Hat. I realise a lot of the really juicy info was exchanged under a verbal NDA so I can’t disclose any of that. I also acknowledge I didn’t speak to everyone in attendance so may have missed the most crucial pieces of information, instead I’ll focus on which speakers I got a chance to talk to and what I took away from it all.

Future Considerations

Apparently small is the new black. We’ve had a rapid miniaturisation of technology and a rapid decline in costs which have made these a great arsenal in any attackers toolkit. Coupled with this, you have the legacy systems being retro-fitted with small communications channels and devices as elaborated on by Don Bailey’s talk “War Texting: Weaponising machine to machine systems.” He illustrated how legacy devices and systems such as cars, water pumps, medical equipment etc. are all being retro-fitted with some wireless capability of some sort. Be it for monitoring purposes or remote control. All of these have increased the attack points and a conscious effort needs to be made by both systems manufacturers and implementers to ensure security is adequately designed. (no prizes for guessing if it is being implemented properly).

Steve Lord took apart a Mifi Router (one of those portable personal hotspots) and demonstrated how they could be re-configured and used for nefarious purposes. Be it simply in your pocket as you walk along a public place, swallowing data, or tossing it over a fence into the range of an office. The possibilities are only limited by your imagination, which, if you’re Steve Lord is virtually limitless.

Similarly you have products such as Teensy as explained by Nikhil Mittal, which are as small as a USB drive and when plugged into your machine it is recognized as a keyboard, effectively defeating any end point protection you may have in place. From here the little Teensy runs off like a face-hugger and pops your box. It may even do this in stealth mode, so you don’t even know about it until an alien bursts out of your hard drive. Couple this with the fact that most organisations still run an M&M perimeter model with a crunchy hard shell and soft inside, once you’re inside the network, you’ve got free reign to do anything. Nikhil went on to explain how he’s had 100% success rate with these devices when conducting penetration tests. They can easily be hidden inside a mouse, a keyboard or even your average garden variety USB stick. Personally, I’d probably conceal it within a USB foam rocket launcher and send it as a present to someone. Who could resist plugging that into their laptop?

Tom Ritter and Jeff Jarmoc in separate talks spoke about the future of security protcols and the issues around SSL/TLS interception proxies and transitive trust. Essentially there are a mixture of issues here. But lumped in are some of the fundamental issues we see in network security including the whole argument around “are CA’s obsolete”. There are some very interesting alternatives being proposed and looked into.

SSL proxies are an interesting breed of product. In effect they are Man In The Middle devices that unwrap your SSL traffic, inspect and then pass it on. The privacy issues aside, there are known issues with the fact that the Proxy could potentially accept bad certificates on your behalf depending on how they are configured. So you could end up visiting a site with a bad cert and be blissfully unaware because the proxy just decided it would make that call on your behalf. Yeah, the network layer is going to continue being a pain. It doesn’t help that it’s one of those areas where there are a lack of qualified technical security analysts or architects. As long as traffic is traversing and some logs are being generated, people seem to be happy.

Finally, I got a chance to catch up with Sheeraj Shah who spoke about HTML5 and the top 10 threats that it faces primarily through stealth attacks and silent exploits. Like anything new, it will probably be a game of cat and mouse for a while before the leaky ship is plugged to an acceptable degree.

So we have a few new technologies to look forward to and lots of small devices to contend with. Nice.

Current stuff

There were some insightful views shared around existing systems. An interesting perspective was given by Rahul Sasi around deficiencies in IVR Security and how they can be leveraged to gain access to internal systems. One of the issues that repeatedly comes up with such systems, is not that they can’t be secured, it’s just that these usually end up being de-scoped for some reason or another, or worse still outsourced leaving a big blind spot in the security view of the organization. It sits in that weird crossover path where telecoms and IT and Security meet like their unwanted love-child… abandoned and left to the elements.

The ultimate authority on PDF’s, Didier Stevens was at blackhat explaining his tools and issues with malicious PDF files. He stated that Adobe reader 10 had made some significant improvements and added a sandbox environment although it was probably better to use another PDF reader such as Sumutra that also disables javascript, being one of the primary attack routes.

Justin Searle gave a workshop on using the Samurai Web Testing Framework. I didn’t attend, but having used Samurai myself from the SANS web application testing course, I can say it is an extremely useful distribution for when it comes to specifically testing web applications. Yes, you have the pen testing distributions like backtrack, but that is more geared towards network security whereas the Samurai guys really have a nice collection of very well organized tools focused on nothing but web applications. Also, it’s so much more cool when you look at your list of virtual machines and you fire up the “samurai”, sounds much cooler than anything else. All I need to do is figure out how to get a big gong to play each time I run it.

One of my favourite workshop topics was delivered by Ken Baylor where he helped everyone understand Botnets a lot better by showing everyone how they could build their own Zeus botnet. A lot of people I spoke to on the day found it a very useful workshop and it drove home the point that there are a lot of things we, as security professionals talk about and try to risk assess without fully understanding. It was interesting to see not only how botnets like Zeus continually adapt which make it difficult to detect and block, but how they are continually utilizing more social engineering methods to gain the trust of their victims.

Common Themes

An underlying theme throughout the event from nearly everyone I spoke to was that people are still neglecting the basics. Rafal Los and Shane MacDougall gave an interesting talk on offensive threat modeling for attackers, where they took the attackers viewpoint to model your threats. It’s an interesting approach and I’m sure a lot of companies should try it to see how it would help them to critique their current threat models (if they have one at all). A lot of the times people are missing the simple steps needed in order to protect themselves. David Litchfield demonstrated how some 5 year old Oracle vulnerabilities are still exploitable today.

Additionally, it was more or less unanimously agreed that user awareness training was not adequate in organisations. There either isn’t a properly managed awareness campaign, or no metrics are gathered by which the effectiveness can be measured. Or campaigns fall into the category of being overly boring (read this 50 page document), or overly patronizing (look at this cartoon of a dog eating a post-it note with your password on it.)

However, collectively, security professionals still aren’t the best equipped to deal with this. As someone said, you need people in security who come from a marketing and psychology background in order to really run an effective awareness campaign.

Conclusion

1. Computing is getting very small, powerful and your toaster will be connected to the internet soon.

2. New technologies are coming which will bring challenges, which is amusing because we still haven’t got to grips with how to secure the old technology yet.

3. Social engineering is here to stay and we still are very poor at engaging and educating our users. So to make ourselves feel better we resort to calling them “stupid”.