Black Hat Briefings, Las Vegas 2006 [Video] Presentations from the security conference

"Have you ever walked into your local Global Mega Super Tech Store and wondered how cheaply you could build a device that could play your digital music, display pictures, and listen to your neighbor's wireless network? Project Cowbird is part of an on-going research project to chart the various predators and prey within the information security landscape into a pseudo-ecology. Project Cowbird demonstrates the reuse of a $30 wireless media adapter as a kismet server. The small form factor of the device, in addition to its abundant hardware features (TV out, PCMCIA slot, prism2 card, 10/100 Ethernet), make the use of this device as a development platform for security tools very intriguing. A brief glimpse into the current and future research of the paper "The Ecology of Information Security" will also be covered. Jonathan Squire is a founding member of the Dow Jones Information Security Group, and is credited with accomplishments that include developing an Information Security model for the enterprise, architecting the security infrastructure for Factiva.com, a Dow Jones and Reuters Company, and architecting a secure, centralized credit card processing solution. Mr. Squire is an active member of the Enterprise Architecture Group within Dow Jones, the group that provides direction of technology initiatives within the enterprise. He is also responsible for providing direction in governance and industry best practices. In his spare time, Jonathan is known to enjoy disassembling any piece of technology that cost more the $20 just to find out what else it can do. This propensity for abusing technology is easily witnessed by viewing the buckets of broken parts strewn throughout his basement as well as the creations that rise from the rubble."

"The Internet industry is currently riding a new wave of investor and consumer excitement, much of which is built upon the promise of "Web 2.0" technologies giving us faster, more exciting, and more useful web applications. One of the fundamentals of "Web 2.0" is known as Asynchronous JavaScript and XML (AJAX), which is an amalgam of techniques developers can use to give their applications the level of interactivity of client-side software with the platform-independence of JavaScript. Unfortunately, there is a dark side to this new technology that has not been properly explored. The tighter integration of client and server code, as well as the invention of much richer downstream protocols that are parsed by the web browser has created new attacks as well as made classic web application attacks more difficult to prevent. We will discuss XSS, Cross-Site Request Forgery (XSRF), parameter tampering and object serialization attacks in AJAX applications, and will publicly release an AJAX-based XSRF attack framework. We will also be releasing a security analysis of several popular AJAX frameworks, including Microsoft Atlas, JSON-RPC and SAJAX. The talk will include live demos against vulnerable web applications, and will be appropriate for attendees with a basic understanding of HTML and JavaScript. Alex Stamos is a founding partner of iSEC Partners, LLC, a strategic digital security organization. Alex is an experienced security engineer and consultant specializing in application security and securing large infrastructures, and has taught multiple classes in network and application security. He is a leading researcher in the field of web application and web services security and has been a featured speaker at top industry conferences such as Black Hat, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec. He holds a BSEE from the University of California, Berkeley. Zane Lackey is a Security Consultant with iSEC Partners, LLC, a strategic digital security organization. Zane regularly performs application penetration testing and code review engagements for iSEC, and his research interests include web applications and emerging Win32 vulnerability classes. Prior to iSEC, Zane focused on Honeynet research at the University of California, Davis Computer Security Research Lab under noted security researcher Dr. Matt Bishop. "

"In the last 3 years, Bluetooth has gone from geeky protocol to an integral part of our daily life. From cars to phones to laptops to printers, Bluetooth is everywhere. And while the state of the art with respect to Bluetooth attack has been progressing, Bluetooth defense has been lagging. For many vendors, the solution to securing Bluetooth is to simply "turn it off." There are very few tools and techniques that can be used today to secure a Bluetooth interface without resorting to such extreme measures. This talk will examine contemporary Bluetooth threats including attack tools and risk to the user. The meat of this talk will focus on practical techniques that can be employed to lock down Bluetooth on Windows and Linux. Some of these techniques will be configuration changes, some will be proper use of helper applications, and some will be modifications to the Bluez Bluetooth stack designed to make the stack more secure. Finally, we will release the Bluetooth Defense Kit (BTDK), a tool geared towards the end user designed to make Bluetooth security easy to install and maintain on Bluetooth enabled workstations. Ultimately, security tools need to be usable to be useful, and BTDK has been designed with usability in mind. Bruce Potter is the founder of the Shmoo Group of security professionals, a group dedicated to working with the community on security, privacy, and crypto issues. His areas of expertise include wireless security, software assurance, pirate songs, and restoring hopeless vehicles. Mr. Potter has co-authored several books including "802.11 Security" and "Mastering FreeBSD and OpenBSD Security" published by O'Reilly and "Mac OS X Security" by New Riders. Mr. Potter was trained in computer science at the University of Alaska, Fairbanks. Bruce Potter is a Senior Associate with Booz Allen Hamilton."

"Online games are very popular and represent some of the most complex multi-user applications in the world. World of Warcraft® takes center stage with over 5 million players worldwide. In these persistent worlds, your property (think gold and magic swords), is virtual-it exists only as a record in a database. Yet, over $600 million real dollars were spent in 2005 buying and selling these virtual items. Entire warehouses in China are full of sweatshop‚ workers who make a few dollars a month to "farm" virtual gold. In other words, these "virtual" worlds are real economies with outputs greater than some small countries. Being run by software, these worlds are huge targets for cheating. The game play is easily automated through "botting", and many games have bugs that enable items and gold to be duplicated, among other things. The game publishing companies are responding to the cheating threat with bot-detection technologies and large teams of lawyers. Cheaters are striking back by adding rootkits to their botting programs. The war is on. Hoglund discusses how the gaming environment has pushed the envelope for rootkit development and invasive program manipulation. He discusses World of Warcraft in particular, and an anti-cheating technology known as the "Warden". In 2005, Hoglund blew the whistle publically on the Warden client and began developing anti-warden technology. He discusses a botting program known as WoWSharp, including some unreleased rootkit development that was used to make it invisible to the Warden. Hoglund discusses some advanced techniques that involve memory cloaking, hyperspacing threads, shadow branching, and kernel-to-user code injection. Both offensive and defensive techniques are discussed. Software developers working on games would be well advised to attend this talk and people working with malware in general will find the material valuable."

"Traditionally, host-based anomaly detection has dealt with system call sequences, but not with system call arguments. We propose a prototype which is capable of detecting anomalous system calls in an execution flow, thus helping in tracing intrusions. Our tool analyzes each argument of the system call, characterizing its contents and comparing it with a model of the content. It is able to cluster system calls and detect "different uses" of the same syscall in different points of different programs. It is also able to build a Markovian model of the sequence, which is then used to trace and flag anomalies. Stefano Zanero received a Ph.D. degree in Computer Engineering from the Politecnico of Milano technical university, where he is currently spending his post-doc. His current research interests include the development of Intrusion Detection Systems based on unsupervised learning algorithms, security of web applications and computer virology. He has been a speaker at international scientific and technical conferences, and he is the author and co-author of books and articles published in international, peer reviewed journals and conferences. He is a member of the board of the "Journal in Computer Virology", and acts as a reviewer for the "ACM Computing Reviews" and "IEEE Security&Privacy", as well as various primary international conferences. He is a member of the IEEE (Institute of Electrical and Electronics Engineers), the ACM (Association for Computing Machinery), and of ISSA (Information Systems Security Association). He has also been a columnist for Computer World Italy, and has been awarded a journalism award in 2003. Since 2004 he is a partner and CTO of Secure Network, a firm specializing in information security training and consulting, based in Milan."

"Windows Vista comes with redesigned support for WiFi (802.11 wireless). For those of us who live with a laptop in easy reach, it’s going to have an effect on our workday. For users there’s a new UI experience, helpful diagnostics and updated default behaviors. For IT pros who manage Windows clients, there’s improved management via Group Policy and Scripting. For sysadmins & geeks there’s a new command line interface. But behind these more obvious changes there’s a new software stack. A stack designed to be more secure, but also more open and extensible. This talk will take a deep dive into that stack, describe the various components and their interaction and show where developers can create code to modify and extend the client. Want to build a site survey tool, a wireless IDS, or hack your own driver? We’ll show where to plug in. We’ll describe in detail how the behavior of the wireless stack has changed from XP, explain the rational behind this, and show how this is reflected in the user experience. Finally we’ll look at how Microsoft tests WiFi in Windows Vista."

Technology vendors, security researchers, and customers - all sides of the vulnerability disclosure debate agree that working together rather than apart is the best way to secure our information. But how? This working group will bring all parties together in one room to address the issues and develop a beneficial working relationship extending beyond the conference.

"Wireless stealth was somewhat expensive some years ago as we were required to use proprietary radios and so on… Thanks to increasingly flexible low-cost 802.11 chipsets we are now able to encode any MAC layer proprietary protocol over 2.4 GHz/5 GHz bands! This could mean stealth to everybody at low-cost! This presentation will focus on two techniques to achieve a good level of stealth: * a userland technique exploiting a covert channel over valid 802.11 frames; * a driverland technique exploiting some 802.11 protocol tweaks. These techniques are somewhat weird! That’s one reason they resist the action of scanners and wireless IDS! The tools that will be released are proof-of-concepts and may be improved both in terms of features and code cleanups!"

There is a growing need to develop improved methods for discovering vulnerabilities in closed-source software. The tools and techniques used to automate searching for these vulnerabilities are either incomplete or non-existent. Fuzz-testing is a common technique used in the discovery process but does not provide a complete analysis of all the vulnerabilities which may exist. Other techniques, such as API hooking, are used to monitor insecure imported functions while leaving inlined functions still waiting to be found. LEVI is a new vulnerability auditing tool (Windows NT Family) which addresses both of these issues by using a code integration-based technique to monitor both imported and inlined functions. Using this approach provides a more complete analysis of the vulnerabilities hidden within closed-source software.

"To be able to defend against IT security attacks, one has to understand the attack patterns and henceforth the vulnerabilities of the attached devices. But, for an in-depth risk analysis, pure technical knowledge of the properties of a vulnerability is not sufficient: one has to understand how vulnerabilities, exploitation, remediation, and distribution of information thereof is handled by the industry and the networking community. In the research, we examined how vulnerabilities are handled in large-scale by analyzing 80,000+ security advisories published since 1995. This huge amount of information enables us to identify and quantify the performance of the security and software industry. We discover trends and discuss their implications. Based on the findings, we finally propose a measure for the global risk exposure. Content may be reviewed after the start of the conference."

"Social networking sites such as MySpace have recently been the target of XSS attacks, most notably the "samy is my hero" incident in late 2005. XSS affects a wide variety of sites and back end web technologies, but there are perhaps no more interesting targets than massively popular sites with viral user acquisition growth curves, which allow for exponential XSS worm propagation, as seen in samy's hack. Combine the power of reaching a wide and ever-widening audience with browser exploits (based on the most common browsers with such a broad "normal person" user base) that can affect more than just the browser as we saw with WMF, a insertion and infection method based on transparent XSS, and payloads which can themselves round-trip the exploit code back into the same or other vulnerable sites, and you have a self-healing distributed worm propagation platform with extremely accelerated infection vectors. We investigate the possibilities using MySpace and other popular sites as case studies, along with the potential posed by both WMF and The Metasploit Project's recently-released browser fuzzing tool, Hamachi, to own a site with self-replicating XSS containing a malicious browser-exploiting payload which itself will modify the browser to auto-exploit other sites, all transparent to the user. On top of this one could layer any additional functionality, some loud, some quiet, such as DDoS bots, keyloggers, other viral payloads, and more. Dan Moniz is a independent security consultant, and is also a member of The Shmoo Group, a world-recognized affiliation of information security professionals. Mr. Moniz has spoken at a number of conferences, including Defcon, ShmooCon, and The Intelligence Summit, in addition to private audiences at Fortune 50 companies and universities. In 2003 he testified in front of California State Senate in a hearing on the issues of RFID technology, privacy, and state legislation. In the past, he has held positions with a variety of high tech companies and organizations, including Alexa Internet (an Amazon.com company), Electronic Frontier Foundation, Cloudmark, OpenCola, and Viasec. HD Moore is Director of Security Research at BreakingPoint Systems where he focuses on the security testing features of the BreakingPoint product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed the vulnerability assessment platform and lead the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects."

"Printers, scanners, and copiers still have a reputation of being embedded systems or appliances; dumb machines that perform a specific, repetitive function. Today's devices are far different than their predecessors, but still do not receive the same level of security scrutiny as servers, workstations, routers, or even switches. The goal of this talk is to change the way we look at these devices, and leave the audience with a better awareness of the security implications of having these devices in their environments. Although the concepts in this talk can apply to many different devices, the primary focus will be on vulnerabilities, exploitation, and defense of the new Xerox WorkCentre product line. Previously undisclosed vulnerabilities will be released, along with exploit code that turns a dumb printer, copier, or scanner into a network attack drone. Steps administrators can take to harden these devices will also be covered. Brendan O'Connor is a security engineer from the Midwest. He worked in security for a communications company for four years before switching to the financial sector in 2004. Brendan currently works in Information Security for a major financial services company, where his duties include vulnerability research, security architecture, and application security. He has several multi-letter acronyms after his name, drinks too much coffee, and plays an unhealthy amount of Warcraft."

"Usually, a personal firewall and an antivirus monitor are the only tools run by a user to protect the system from any malware threat with any level of sophistication. This level significantly increases when malware authors add kernel mode rootkit components to their code in order to avoid easy detection. As rootkit technologies become more and more popular, we can clearly see that many AV vendors begin to integrate anti-rootkit code into their products. However, the firewall evolution is not so obvious. Firewall vendors widely advertise their enhancements to the protection against user mode code injections and similar tricks, which are used by almost any malware out there to bypass more simple firewalls, keeping much less attention to the kernel mode threats. In fact, just a few vendors evolve their kernel mode traffic filter techniques to pose an obstacle for a possible kernel rootkit. This presentation will focus on the attacks which may be performed by an NT kernel rootkit to bypass a personal firewall in its core component: the traffic hooking engine. Starting from the brief overview of the entire NT network subsystem, the talk will demonstrate both simple and advanced methods firewalls use to hook in-out traffic. Every firewall trick will be examined in details, and an antidote will be offered to each. It will also be shown that it is possible for a rootkit to operate at a lower level than current firewalls by using only DKOM techniques. The presentation will be accompanied by a live demo of the proof of concept rootkit which is able to bypass even the most advanced personal firewalls available on the market. Finally, a possible solution for hardening firewalls against discussed attacks will be presented. Alexander Tereshkin specializes in the NT kernel mode coding, focusing on the network interaction. He is interested in rootkit technology in its both offensive and defensive sides. He has worked on various projects that required comprehensive knowledge of Ke, Mm, Ps NT kernel subsystems as well as NDIS internals. His x86 code analyzing engines are used in a few commercial products. In addition to his day work, Alex likes to reverse engineer malware samples. He is also a contributor to rootkit.com."

"Technologies emerge on a regular basis with new promises of better security. This is more or less true. However we know there are still weaknesses and that 100% security is not realistic. Therefore the real need when deploying a new security device is to know its limits. IPS are part of those new technologies. They are oversold by marketing speeches and promises of an absolute security. Guess what? This is not exactly the truth.... The purpose of this speech is not to discredit IPS but to help in understanding the limits of technologies that are involved. We will particularly focus on the following subjects: * conceptual weaknesses and ways to detect "transparent" inline equipments * signatures issues * hardware architecture limitations and common jokes * performance vs security necessary trade-off and consequences * behavioral, heuristics, neuronal stuff etc. reality and limitations Through examples, proofs of concept and test beds results we should provide a broad view of IPS reality, what you can expect from them now and what they will never do for you. Renaud Bidou has been working in the field of IT security for about 10 years. He first performed consulting missions for telcos, pen-tests and post-mortem audits, and designed several security architectures. In 2000 he built the first operational Security Operation Center in France which quickly became the 4th French CERT and member of the FIRST. He then joined Radware as the security expert for Europe, handling high severity security cases. In the mean time Renaud is an active member of the rstack team and the French Honeynet Project which studies on honeynet containment, honeypot farms and network traffic analysis. He regularly publishes research articles in the French security magazine MISC and teaches in several universities in France."

"All applications and operating systems have coding errors and we have seen technical advances both in attack and mitigation sophistication as more security vulnerabilities are exploiting defects related to application and OS memory and heap usage. Starting with W2k3 and XP/SP2, Windows incorporated technologies to reduce the reliability of such attacks. The heap manager in Windows Vista pushes the innovation much further in this area. This talk will describe the challenges the heap team faced and the technical details of the changes coming in Windows Vista. Adrian Marinescu, development lead in the Windows Kernel group, has been with Microsoft Corporation since 1998. He joined then to work on few core components such as user-mode memory management, kernel object management and the kernel inter-process communication mechanism. In the heap management area, Adrian designed and implemented the Low Fragmentation Heap, a highly scalable addition to the Windows Heap Manager, and he currently focuses on techniques of reducing the reliability of certain well known heap exploits."