Maximum PC
 Post subject: The Blackhat Report
PostPosted: Wed Jul 28, 2004 10:25 pm 
iron colbinator

Joined: Tue May 25, 2004 2:25 pm
Posts: 2761
Location: Washington, the state
My husband and I (along with our CTO) are at Blackhat in sunny (and warm!) Las Vegas. Thankfully, the hotel provides an oasis away from the heat... and the people ;)

We arrived last night to check in and found that their system was down. Coincidence? Hmm.... Either way, it meant that we ended up staying in a (supposed) $5000 suite instead of our "default" rooms (our theory is that nobody actually ever pays for it). It's... huge! Not quite penthouse huge, but two floors and about 3 times as large as my 2-bedroom apartment is pretty significant in size. In each bedroom there is a jacuzzi tub, king size bed, sitting areas, and hey, even a bidet in the bathroom. Downstairs, a dining room table, entertainment center with LCD remote, lots of room.

We signed in to the conference this morning, picked up our backpacks (the backpacks at the RSA Conference are better, but they have a bit more money/sponsorship). There were several vendors -- all of the sponsors, basically. BindView, Qualys, ArcSight, FoundStone, NetIQ, Cisco, NetForensics, IntelliTactics, Ernst & Young, several others.

The keynote this morning was about the de-perimeterisation of networks (securing systems as if there is no firewall to protect them). I found it interesting -- it's more about the infinite perimeterisation than removing the perimeter: each system needs to be treated as if it could be placed on the internet at any point in time. Might be a little dramatic -- but some of his points were great.

We split up for some of the tracks, my husband (more of a programmer) targeted some of the more software process-oriented talks, and myself the more application-oriented talks. The first talk I sat in on (with David Litchfield) was in the "0-day attacks" track, which was interesting mostly because the poor guy couldn't even GIVE half of his talk because Oracle hadn't patched the vulnerability yet. It was interesting nonetheless, lots of stuff on PL/SQL and attack methods.

Next, sat in on Jennifer Granick's talk on law and information security response -- what can you do, what can't you do, what crosses the line, what defines the line. It was very interesting, and she's a great speaker. She talked about the 4th amendment, a little on the Patriot Act as it applies to information security, Computer Fraud, and several other legal topics as they relate to things like port scanning, sniffing, reading e-mail, and active defense. There were a ton of questions, too, ranging on everything from P2P/the RIAA to issues surrounding specific cases that she used as examples.

Lunch was pretty decent, I had the veggie lunch but the regular lunch was chicken and rice pilaf. Cheesecake for dessert ;) Free food is always appreciated. They had little free food "intervals" (and free continental breakfast), which I passed on for the most part, but some of the stuff looked decent (muffins, tortilla chips with nacho sauce, coffee, juice).

In the afternoon, I sat in on a conversation about the "Laws of Vulnerabilities" -- discussing the effective "half life" (time it takes for 50% of systems vulnerable to be patched) of vulnerabilities. The presenter had basically 4 laws that could be used to describe how most vulnerabilities work. He was from Qualys (makers of a Vulnerability Assessment tool), which is how he had access to basically 6 million scanned machines. The most interesting bits were that the half life for external facing machines is basically 21 days (down from 40 last year) and for internal facing machines is 62 days (!!). His "challenge" to us was to reduce the internal facing half life further, toward 40 days rather than 60.

Following that, I sat in on a talk with about a million other people about certain exploit framework tools. Part of the beauty about Blackhat is seeing what tools that are sort of "gray" (could be used for pen testing, could be used for evil) exist and where are these tools going. The tool that we viewed demos of and whatnot was quite interesting and extensible as an exploit framework (basically, you tell it "exploit this, send this payload, then run this" and it does the mojo). There were a ton of people here. The presenters seemed young and inexperienced, but their tool looked sweet.

The last talk of the day was on several security tools that can be extended, and how to extend them. The speakers, from Ernst & Young I believe, discussed several tools (nessus, ettercap, hydra, nmap) and how to extend them to apply more correctly to your situation (custom protocols, custom authentication methods, custom vulnerabilities, etc). Great detail, but the downside is that code samples come across as pretty dry without a really interesting concept driving them (the good news is the concept was still pretty interesting).

There was more free food, beer, etc, involved after that, then we cut out and ate at PF Chang's in the Aladdin. MMM, PF Chang's.

Well, that's Blackhat for today. Very interesting.

(Yes, I am posting this in both forums)


PostPosted: Wed Jul 28, 2004 10:28 pm 
iron colbinator

Joined: Tue May 25, 2004 2:25 pm
Posts: 2761
Location: Washington, the state
PS Blackhat is a security conference, if that isn't obvious:

http://www.blackhat.com


PostPosted: Thu Jul 29, 2004 5:59 am 
INFINITE vCORE

Joined: Mon Jun 14, 2004 6:16 am
Posts: 467
Location: Middletown, DE
You're in Vegas huh?

FIND CHEVY'S TEX-MEX RESTAURANT! EAT THERE!

MMMM-KAY?!?!

Awesome food, eaten there twice...


PostPosted: Thu Jul 29, 2004 1:02 pm 
Bitchin' Fast 3D Z8000*

Joined: Tue Jun 29, 2004 11:32 pm
Posts: 2555
Location: Somewhere between compilation and linking
Ah good - you posted here. :)


PostPosted: Thu Jul 29, 2004 2:42 pm 
iron colbinator

Joined: Tue May 25, 2004 2:25 pm
Posts: 2761
Location: Washington, the state
defkhan1 wrote:
You're in Vegas huh?

FIND CHEVY'S TEX-MEX RESTAURANT! EAT THERE!

MMMM-KAY?!?!

Awesome food, eaten there twice...


Doh! Last night we ate at PF Chang's, and there won't be time to eat anywhere good tonight ;) For anyone who
hasn't eaten at PF Chang's, you have to try it if you like Chinese food. It's much less Americanised than the
usual, and is very well done. MM, tasty.

Chevy's would probably hit the spot tonight... alas, we will probably eat something in the airport (the Vegas
airport is huge though, so that might not be so bad).

Aside: I wish we would have had time to hit up the Borg Invasion at the Hilton, but we were just too swamped
with conference stuff (and then trying to at least relax a little bit). We went to the previous one and it was
pretty entertaining.


PostPosted: Thu Jul 29, 2004 2:43 pm 
iron colbinator

Joined: Tue May 25, 2004 2:25 pm
Posts: 2761
Location: Washington, the state
Gadget wrote:
Ah good - you posted here. :)


I figured some people don't read both. :)


PostPosted: Fri Jul 30, 2004 8:31 am 
iron colbinator

Joined: Tue May 25, 2004 2:25 pm
Posts: 2761
Location: Washington, the state
Well, Blackhat is over, and I did not get a chance to post this yesterday so hopefully everything is still fresh enough in my mind for me to post it today. I'll post some concluding thoughts at the end.

I spent some time on the wireless network -- signal strength was weak no matter where I seemed to be, and it was certainly unsecured ;) They provided some WaveSEC info but I opted for good ol' SSH.

In the morning, I attended a panel on security and privacy. There were a couple people more focused on identity theft, one representative (CSO of Oracle, I believe) was more focused on system security. Some of the things you can get from the internet with fairly little effort are pretty scary (SSNs, criminal history, where you've lived for the last 10 years, calling history). The Oracle gal's point was that it is going to take a public/private partnership (blah blah) to get this going, systems should be treated as infrastructure, etc.

Following that, I attended a talk on "striking back", basically the principle of active responses to an attack that range from just blocking the attacker from further access all the way to sending back malicious code of your own. The speaker, from SensePost, was very good, and the talk was very interesting. Basically, he had four "phases" of active response: stopping the attack (blocking at the firewall level), creating noise or confusion (sending to a honeypot, sending their traceroutes all across the world), stopping/killing the tool (sending bad HTML to a HTML-parsing scanner), and killing the attacker's host/network (sending malicious code back over and infecting them). Lots of lines to be drawn (or not drawn), but an interesting subject.

The third session I attended was a discussion on web attacks, how they are difficult to detect with IDS', how better to detect them, etc. Part of the problem with relying on webserver logs is that they are incomplete -- usually they log URIs, IPs, timestamps, but not the actual POST data, HTTP headers, cookies, referer data, and that kind of stuff, where the attacks actually are. This makes it harder with forensic data to go "backwards", without more information. Using an IPS we can "sit between" and use our information to correlate with the webserver data to figure out what really happened. Lots of problems with false positives, but with correlated data there is less risk than one might think.

Lunch was less tasty today than the day before, but it was still good. Free food is almost always better than paying, anyway ;) Dessert was a sugar laden chocolate cake that I think I am still recovering from. Damn they can pack a lot of sugar in that stuff ;) We sat with some interesting people at our table, one guy who had just been to the HOPE conference, another guy who sounded like he worked more on the government side, and a couple other more quiet people. Conversation was mostly about the conference and defcon. :)

After lunch, the first session I sat in on was about Learning IDS'. The presenter was really good for this one, too, and he had some good sound bites that I wrote down. His information on learning IDS algorithms and how that stuff really works was great. Basically they are trying to address the problems with straight up anomaly detection systems (and, for that matter, misuse detection systems) with more information. Again he highlighted the need to use more than one source of input to draw conclusions, and discussed how an intrusion detection system is bigger than just your NIDS or HIDS, it's about your firewall, your security team, and so on (security is a process, not a product, you all know the drill). Their algorithms have shown a 75% improvement in detecting intrusions, but also a 20% increase in false positives (to be expected).

Following that, I sat through three "turbo talks" on various subjects. The first highlighted a tool called "COK", which basically implements different port-knocking techniques. Port knocking is basically a way to get a covert channel by making seemingly random requests that "mean" something to the other end. There were a few methods implemented -- an OTP method (using one time passwords), a DNS request method (using a sequence of DNS requests), and traditional port knocking (making a sequence of requests on several ports). He didn't get a chance to demo his tool, but it sounded quite interesting. If you're at all interested in port knocking, it'll probably be a good thing to play with.

The next turbo talk was a chat with a woman from Symantec, who rattled through some stuff on privacy and what people "think". Most people know they want their data protected, but they just don't take the steps TO protect it. Many people send unencrypted emails with sensitive information in them, don't have their files/disks encrypted, and don't really take the time to make sure that they read license and privacy agreements. This sort of falls back into the old security vs. convenience model -- people want convenience, but this sort of relaxed internet usage could cause you more problems than your convenience is worth. Symantec's researchers did a bunch of studying here, and it was pretty fascinating to see how people responded to their surveys with what seem to be contradicting messages (that's nothing new).

The last turbo talk was similar to the earlier talk on "striking back". Someone from the honeynet project (I believe) was discussing more issues and methods for striking back, the legality of it, suggestions for less aggressive methods, again highlighting a spectrum of possible active responses proportional to the level of the attack. He also discussed the difference between internal and external attacks -- basically, you have full control of internal hosts, but it's also easier to spoof internally at a lower network layer. More interesting stuff here, but mostly more of the same.

The last presentation of the day (and the conference) was about automated responses and host-based IDS/IPS solutions. One of the presenters was from Sana Security, and they had a ton of information on anomaly based systems and how that kind of stuff would work on a host-based level (their example was about interrupting syscalls). On a response level, they talked about active responses that could "gather information" vs. responses that take a more aggressive role. Again, this speaker highlighted the need for some sort of correlated data -- even in their own system, they require a co-stimulator with the anomaly data to prevent them from going only on the anomaly detection itself.

So, some closing thoughts... there were some really good presentations and presenters, but there were also some quite unprepared people, too (thankfully in those cases their tools or information usually spoke for itself). Lots of interesting tools, lots of patterns of discussion -- privacy, a plethora of vulnerabilities and tools, and taking a more active role in defense.

And, I didn't get to go to defcon, we had to come back for some stuff in the office. Maybe next time :)


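The two knock styles from the COK turbo talk above, as an added example that is not part of the thread or of the COK tool: a server-side verifier for a traditional multi-port knock sequence and for a one-time-port variant derived from an HMAC counter. The port sequence, window, secret and firewall-log tuples are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed static knock sequence (constructed)
WINDOW_SECONDS = 10.0                # whole sequence must arrive within this window

class KnockVerifier:
    """Per-source state machine for a traditional multi-port knock: only the next
    expected port advances a source, any other port resets it, so a sequential
    sweep that hits 7000 is thrown back to zero by its next probe (7001)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
        self.sequence, self.window = sequence, window
        self.progress = defaultdict(lambda: (0, 0.0))  # src -> (next idx, last ts)

    def observe(self, ts, src, dport):
        idx, last = self.progress[src]
        if idx and ts - last > self.window:
            idx = 0  # sequence took too long: start again
        idx = idx + 1 if dport == self.sequence[idx] else 0
        if idx == len(self.sequence):  # full sequence seen in order
            self.progress[src] = (0, ts)
            return True
        self.progress[src] = (idx, ts)
        return False

class OtpKnockVerifier:
    """Single-port knock whose port is a one-time value (HMAC of a counter),
    so a knock captured on the wire cannot simply be replayed."""

    def __init__(self, secret):
        self.secret, self.counter = secret, 0

    def expected_port(self):
        mac = hmac.new(self.secret, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return 1024 + int.from_bytes(mac[:4], "big") % (65535 - 1024)

    def observe(self, dport):
        if dport != self.expected_port():
            return False
        self.counter += 1  # success consumes this port; the next knock needs a new one
        return True

def replay(events, verifier):  # feed (ts, src, dport) log tuples, return sources that knocked correctly
    return sorted({src for ts, src, dport in events if verifier.observe(ts, src, dport)})

# Constructed firewall-log sample: 10.0.0.5 knocks correctly, 10.0.0.9 is a port sweeper.
SAMPLE_EVENTS = [(1.0, "10.0.0.5", 7000), (1.5, "10.0.0.5", 8000), (2.0, "10.0.0.5", 9000),
                 (3.0, "10.0.0.9", 7000), (3.1, "10.0.0.9", 7001), (3.2, "10.0.0.9", 8000)]
```

Note that the static sequence only hides the service; anyone who can record the three knocks can repeat them, which is the gap the one-time-port variant closes.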