Well, Blackhat is over, and I did not get a chance to post this yesterday so hopefully everything is still fresh enough in my mind for me to post it today. I'll post some concluding thoughts at the end.
I spent some time on the wireless network -- signal strength was weak no matter where I seemed to be, and it was certainly unsecured.
They provided some WaveSEC info but I opted for good ol' SSH.
In the morning, I attended a panel on security and privacy. There were a couple of people more focused on identity theft, one representative (CSO of Oracle, I believe) was more focused on system security. Some of the things you can get from the internet with fairly little effort are pretty scary (SSNs, criminal history, where you've lived for the last 10 years, calling history). The Oracle gal's point was that it is going to take a public/private partnership (blah blah) to get this going, systems should be treated as infrastructure, etc.
Following that, I attended a talk on "striking back", basically the principle of active responses to an attack that range from just blocking the attacker from further access all the way to sending back malicious code of your own. The speaker, from SensePost, was very good, and the talk was very interesting. Basically, he had four "phases" of active response: stopping the attack (blocking at the firewall level), creating noise or confusion (sending to a honeypot, sending their traceroutes all across the world), stopping/killing the tool (sending bad HTML to an HTML-parsing scanner), and killing the attacker's host/network (sending malicious code back over and infecting them). Lots of lines to be drawn (or not drawn), but an interesting subject.
The third session I attended was a discussion on web attacks: how they are difficult to detect with IDSes, how better to detect them, etc. Part of the problem with relying on webserver logs is that they are incomplete -- usually they log URIs, IPs, and timestamps, but not the actual POST data, HTTP headers, cookies, referer data, and that kind of stuff, which is where the attacks actually are. This makes it harder to work "backwards" from the forensic data without more information. Using an IPS we can "sit between" and correlate its information with the webserver data to figure out what really happened. Lots of problems with false positives, but with correlated data there is less risk than one might think.
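To make the correlation idea concrete, here is an added example (my own code, not anything from the talk): it joins constructed in-path sensor alerts, which carry the POST body, to constructed Apache combined-format lines, which do not, by client IP, URI and a small time window, and uses the server's status code to say whether a flagged request actually got through. The log lines, alert records and the "oversized form field" signature name are all made up for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format lines: no POST body, headers or cookies here,
# only method, URI, status, referer and user-agent.
ACCESS_LOG = """\
203.0.113.7 - - [28/Jul/2004:14:02:11 -0700] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [28/Jul/2004:14:02:13 -0700] "GET /account HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.9 - - [28/Jul/2004:14:02:12 -0700] "POST /login.php HTTP/1.1" 403 221 "-" "curl/7.10"
"""
# Constructed alerts from an in-path sensor that saw the full request and so
# carries the POST body the server log lacks.
IPS_EVENTS = [
    {"ts": "2004-07-28T14:02:11-07:00", "src": "203.0.113.7", "uri": "/login.php",
     "sig": "oversized form field", "body": "user=admin&pass=" + "A" * 4096},
    {"ts": "2004-07-28T14:02:12-07:00", "src": "198.51.100.9", "uri": "/login.php",
     "sig": "oversized form field", "body": "user=guest&pass=" + "A" * 4096},
    {"ts": "2004-07-28T14:02:30-07:00", "src": "192.0.2.5", "uri": "/admin",
     "sig": "oversized form field", "body": "id=" + "A" * 4096},
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_access_log(text):
    """Combined-format lines -> dicts with a timezone-aware timestamp."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that do not parse are skipped, not guessed at
            entries.append({"ip": m["ip"], "uri": m["uri"], "status": int(m["status"]),
                            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return entries

def correlate(events, entries, window=timedelta(seconds=2)):
    """Join each sensor alert to the server's own record of that request (same IP,
    same URI, within `window`); a 2xx status means the flagged request got through."""
    results = []
    for ev in events:
        ev_ts = datetime.fromisoformat(ev["ts"])
        hits = [e for e in entries if e["ip"] == ev["src"] and e["uri"] == ev["uri"]
                and abs(e["ts"] - ev_ts) <= window]
        if not hits:
            verdict, status = "unconfirmed", None  # sensor saw it, server never logged it
        else:
            status = min(hits, key=lambda e: abs(e["ts"] - ev_ts))["status"]
            verdict = "confirmed" if 200 <= status < 300 else "rejected"
        results.append({"src": ev["src"], "uri": ev["uri"], "sig": ev["sig"],
                        "status": status, "verdict": verdict, "body": ev["body"]})
    return results
```

An "unconfirmed" alert (the sensor saw a request the server never logged) and a "rejected" one (the server answered 4xx) are the cases that would otherwise sit in the false-positive pile; the "confirmed" one is the one worth a human's time.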
Lunch was less tasty today than the day before, but it was still good. Free food is almost always better than paying, anyway.
Dessert was a sugar-laden chocolate cake that I think I am still recovering from. Damn, they can pack a lot of sugar in that stuff.
We sat with some interesting people at our table: one guy who had just been to the HOPE conference, another guy who sounded like he worked more on the government side, and a couple of other, quieter people. Conversation was mostly about the conference and defcon.
After lunch, the first session I sat in on was about learning IDSes. The presenter was really good for this one, too, and he had some good sound bites that I wrote down. His information on learning IDS algorithms and how that stuff really works was great. Basically they are trying to address the problems with straight-up anomaly detection systems (and, for that matter, misuse detection systems) with more information. Again he highlighted the need to use more than one source of input to draw conclusions, and discussed how an intrusion detection system is bigger than just your NIDS or HIDS: it's about your firewall, your security team, and so on (security is a process, not a product, you all know the drill). Their algorithms have shown a 75% improvement in detecting intrusions, but also a 20% increase in false positives (to be expected).
Following that, I sat through three "turbo talks" on various subjects. The first highlighted a tool called "COK", which basically implements different port-knocking techniques. Port knocking is basically a way to get a covert channel by making seemingly random requests that "mean" something to the other end. There were a few methods implemented -- an OTP method (using one-time passwords), a DNS request method (using a sequence of DNS requests), and traditional port knocking (making a sequence of requests on several ports). He didn't get a chance to demo his tool, but it sounded quite interesting. If you're at all interested in port knocking, it'll probably be a good thing to play with.
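Since the talk had no demo, here is an added example of the "other end" of traditional port knocking (my own code, unrelated to COK): a small daemon-side state machine that replays constructed firewall records of rejected connection attempts, tracks each source's progress through a fixed port sequence, resets on a wrong port or a stale knock, and reports which sources completed the sequence and would be granted access. The sequence 7000/8000/9000, the IPs and the timings are all made up.

```python
from collections import defaultdict

# Constructed firewall-style records of rejected SYNs: (seconds, source IP, dest port).
KNOCK_LOG = [
    (0.0, "203.0.113.7", 7000), (0.4, "203.0.113.7", 8000), (0.9, "203.0.113.7", 9000),
    (1.0, "198.51.100.9", 7000), (1.5, "198.51.100.9", 22),  # wrong port: sequence resets
    (2.0, "198.51.100.9", 8000), (2.3, "198.51.100.9", 9000),
    (3.0, "192.0.2.5", 7000), (40.0, "192.0.2.5", 8000), (40.5, "192.0.2.5", 9000),  # too slow
]

class KnockDaemon:
    """Tracks per-source progress through a fixed knock sequence.

    A knock only counts if it is the next expected port and arrives within
    `timeout` seconds of the previous one; any other port resets that source,
    except that hitting the first port again starts a fresh sequence."""

    def __init__(self, sequence, timeout=10.0):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = defaultdict(lambda: (0, None))  # src -> (knocks matched, last ts)
        self.opened = []  # (ts, src) pairs that completed the sequence

    def observe(self, ts, src, port):
        matched, last = self.progress[src]
        if last is not None and ts - last > self.timeout:
            matched = 0  # stale attempt: the sequence has to be made quickly
        if port == self.sequence[matched]:
            matched += 1
        elif port == self.sequence[0]:
            matched = 1  # wrong port, but it is a valid first knock
        else:
            matched = 0
        if matched == len(self.sequence):
            self.opened.append((ts, src))
            matched = 0  # require a full fresh sequence next time
        self.progress[src] = (matched, ts)

    def replay(self, records):
        """Feed records in time order; return the sources that completed the sequence."""
        for ts, src, port in sorted(records):
            self.observe(ts, src, port)
        return [src for _, src in self.opened]
```

With the default 10-second timeout only 203.0.113.7 gets through; loosening the timeout to 60 seconds also admits the slow 192.0.2.5, which shows why the window is the knob that trades usability against a scanner stumbling onto the sequence.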
The next turbo talk was a chat with a woman from Symantec, who rattled through some stuff on privacy and what people "think". Most people know they want their data protected, but they just don't take the steps TO protect it. Many people send unencrypted emails with sensitive information in them, don't have their files/disks encrypted, and don't really take the time to make sure that they read license and privacy agreements. This sort of falls back into the old security vs. convenience model -- people want convenience, but this sort of relaxed internet usage could cause you more problems than your convenience is worth. Symantec's researchers did a bunch of studying here, and it was pretty fascinating to see how people responded to their surveys with what seem to be contradicting messages (that's nothing new).
The last turbo talk was similar to the earlier talk on "striking back". Someone from the honeynet project (I believe) was discussing more issues and methods for striking back, the legality of it, suggestions for less aggressive methods, again highlighting a spectrum of possible active responses proportional to the level of the attack. He also discussed the difference between internal and external attacks -- basically, you have full control of internal hosts, but it's also easier to spoof internally at a lower network layer. More interesting stuff here, but mostly more of the same.
The last presentation of the day (and the conference) was about automated responses and host-based IDS/IPS solutions. One of the presenters was from Sana Security, and they had a ton of information on anomaly based systems and how that kind of stuff would work on a host-based level (their example was about interrupting syscalls). On a response level, they talked about active responses that could "gather information" vs. responses that take a more aggressive role. Again, this speaker highlighted the need for some sort of correlated data -- even in their own system, they require a co-stimulator with the anomaly data to prevent them from going only on the anomaly detection itself.
So, some closing thoughts... there were some really good presentations and presenters, but there were also some quite unprepared people, too (thankfully in those cases their tools or information usually spoke for itself). Lots of interesting tools, lots of patterns of discussion -- privacy, a plethora of vulnerabilities and tools, and taking a more active role in defense.
And I didn't get to go to defcon; we had to come back for some stuff in the office. Maybe next time.