kaminsky talk posted; hacker media archive needs a home

I’ve seen this posted a few places already.* Dan Kaminsky’s Black Hat talk has been released. Just last night I was flipping through his slides, but it felt like a little was missing on a few pages, which left me yearning for the talk. I guess I yearned hard enough, as it is now posted!

Audio
Video
Future/current home of Black Hat Audio Visual files

I’ve also seen a few postings* as well about the hacker media archive needing a new home or assistance with bandwidth. Darkoz just posted in the last few days about it. 550 GB+ is a lotta information that should remain available!

* Picked this up from Security4All, but I also see McGrew has posted too! Others as well, but those are the two I saw first.

amrit’s 11 worst ideas in security

Amrit Williams has posted his “11 worst ideas in security.” Excellent list and I’ve pulled a few out for my own reactions.

#11 – Security Industry and Market Analysts – Yeah, they say more to the marketing teams of the players in the markets than to anyone actually using or looking to use the products.

#8 – Scan and Patch – I think this one is a challengable position, and could make for nice discussions. He’s right though, it can come down to incessant nagging.

#7 – PKI – It’s a love-hate thing. I love reading articles that talk about implementing PKI to support this-or-that, because I hate so much about how misled such people are. A drink to anyone who has implemented real PKI successfully!

#3 – The Vulnerability Disclosure Debate – Amrit is right, who the crap really cares? In the end, the attackers certainly don’t.

#1 – Security Vendors and the VC’s that love them – It sucks to keep this in mind: “The goal of the security industry is not to secure, the goal of the security industry is to make money.” I think many people create or work in such organizations because they do want to promote security, but yes, in the end the industry and organizational entities themselves are just there to make money (as are some of the hierarchy in such orgs).

bypassing the terrorist watch list

It is not new that the TSA/FBI gets shit for their “terrorist watch list” (or no-fly list) in the airline industry. But I read through this article (top story on CNN front page even) out of amusement, which quickly turned to head-shaking, and even a bit of anger by the end of it.

Wow, just get rid of the fucking thing! Not only is it obvious how easy it is to avoid, but it’s not like being denied entry on a plane will thwart anything. So they don’t fly that day. They’ll fly the next day under a slightly different name like the people in the article. What a waste. And then the people who can stop such madness just end up pointing fingers and blaming each other while not actually doing a damn thing.

Such stupid decisions get made with something as big and visible as the gov’t and airline safety. I guess I shouldn’t then be surprised when far smaller groups of people in various organizations make equally bonehead security decisions, eh?*

(* On a side note, I’m becoming more convinced that lots of people in high positions make poor decisions, especially with security, because the people who report to them aren’t entirely honest or maybe unintentionally miscommunicating… one thing I hope to learn sooner than later is to lay things out to such persons, even if their name is on my check and they don’t initially like what I have to say.)

warcraft guild hacked, illustrates challenges to normal users

Sometimes you get painful lessons in what “normal” people think about computers and security. Sometime in the last 4-5 days my World of Warcraft guild’s guildmaster had his account broken into. The attacker logged into his account, raided the guild bank and his toon, then did a /gdisband (disbands the guild) among probably other things. Our gm wasn’t even in town, as he’s away at GenCon. Tough times. (And just as we’ve started our first few weeks of pulls on Illidan.)

In correspondence with him subsequent to the event, I find out that he uses the same password/account for many sites and may have used one or two of them while at the con, including our guild forums which do not have SSL. Rut roh. Of course, this only adds risk, but this actual attack could have come from elsewhere for all we know so far.

He has a good idea about running rootkit scans, keylogger scans, and a personal firewall, but beyond those general concepts the thoughts of properly managing accounts, passwords, and operating on potentially hostile networks are a bit foreign.

Here’s another way to look at it: He’s getting to be ok in knowledge of his own computer, but the more boring concepts of security are falling by the wayside. Network knowledge is a whole different ballgame for most people, and deeper knowledge of how one interacts with the Internet is not as useful to most people as how they interact with their actual system.

Could this be fuel to the fire that says passwords suck? I don’t think so. Passwords, tokens, keys, digital IDs; they all need key management. I think this is fuel on the fire of teaching better key management, i.e. don’t use the same strong password everywhere.

While an annoyance to me, it is a good reminder not to look at normal people like they’re idiots because they don’t know SSL or the threats posed by wow-related webpages, but to have patience and make an attempt to bring them up to speed.

force gmail to always use ssl

If you haven’t already, force Gmail to always be SSL. Log into your account, click Settings, and at the bottom of the General tab, select “Always use https.” Click “Save Changes” and it should already redirect you over to SSL. Breathe a little easier.

more than just making sure https is present

Subverting http sessions on local networks is certainly a hot, quiet topic for the past year. First (most likely not first, but first for my purposes) was Sidejacking. At Defcon Beale spoke about his tool The Middler doing http fiddling. And now I read about Surf Jacking, which pretty much is an interesting bit of http fiddling.

How do you detect that someone is re-routing LAN traffic? If one knows the expected MAC address of the DHCP/Gateway devices, then one can implement firewall rules or just watch for changing ARPs. If you think someone might be hijacking your http sessions, purposely open an https session with some site and see if their cert is valid. If it is, there’s a decently good chance no one is interested in your traffic. If someone is interested and MITMing you, then the cert should give warnings.
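What “watch for changing ARPs” can look like in practice, as an added example (not code from the original post): two constructed ARP-cache snapshots in the /proc/net/arp layout, a gateway address and “known good” MAC that are made-up values, and a check that flags the gateway MAC changing or one MAC answering for several IPs. It only sees what the local cache holds, which is exactly the thing a poisoning host rewrites.

```python
"""Detect a changing gateway MAC from ARP cache snapshots.

Added example, not from the original post.  The snapshots below are
constructed in the Linux /proc/net/arp layout; the gateway address, the
expected MAC and the second MAC are made up.
"""
import re

# The post's suggestion: learn the gateway's MAC once, on a trusted day,
# then compare against it afterwards.  Constructed value.
EXPECTED_GATEWAY = ("192.168.1.1", "00:11:22:33:44:55")

# Constructed snapshots.  The first is clean; in the second the gateway IP
# suddenly resolves to a different MAC that also claims a second address.
SNAPSHOT_CLEAN = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
"""
SNAPSHOT_POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         de:ad:be:ef:00:01     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        wlan0
192.168.1.77     0x1         0x2         de:ad:be:ef:00:01     *        wlan0
"""

# ip, hw type, flags, mac -- the remaining columns are not needed here
_ROW = re.compile(r"^(\S+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+([0-9a-f:]{17})", re.I)

def parse_arp_table(text):
    """Return {ip: mac} for complete entries (flag 0x2, ATF_COM) in a dump."""
    table = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header line or malformed row
        ip, flags, mac = m.groups()
        if int(flags, 16) & 0x2:
            table[ip] = mac.lower()
    return table

def check_snapshot(text, expected=EXPECTED_GATEWAY):
    """Return a list of alert strings for one snapshot; an empty list is clean."""
    table = parse_arp_table(text)
    alerts = []
    gw_ip, gw_mac = expected
    seen = table.get(gw_ip)
    if seen is None:
        alerts.append(f"gateway {gw_ip} missing from ARP cache")
    elif seen != gw_mac.lower():
        alerts.append(f"gateway {gw_ip} MAC changed: expected {gw_mac}, saw {seen}")
    # One MAC answering for several IPs is the usual poisoning signature.
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for name, snap in (("clean", SNAPSHOT_CLEAN), ("poisoned", SNAPSHOT_POISONED)):
        print(name, check_snapshot(snap) or ["ok"])
```

On a real machine the snapshot would be read from /proc/net/arp (or the output of arp -an) on a timer; the expected MAC has to be captured while the network is known good, since a check that learns its baseline on a hostile network just memorizes the attacker.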

For an enterprise, what do you do? Well, I think the only valuable recourse is to make every laptop VPN into the mothership and browse through it using more trusted services. A user can also inspect cookies to make sure they are encrypted, and try their best to ensure that SSL persists. Even watching wire traffic for weird ARPs can help.
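What “inspect cookies” amounts to for the Surf Jacking case, as an added example that is not code from the original post or from the Surf Jacking write-up: a cookie set without the Secure attribute is sent by the browser on any plain http:// request to the same host, so SSL on the login page does not help once the browser is steered onto an http:// URL. The response headers below are constructed; the cookie names and the host are made up.

```python
"""Audit Set-Cookie headers for the Secure and HttpOnly attributes.

Added example, not code from the original post.  The response headers
below are constructed.  A cookie without the Secure attribute is sent on
plain http:// requests too, which is the gap behind "make sure SSL
persists"; HttpOnly is checked alongside since script injection into
pages is mentioned in the same breath.
"""

# Constructed response headers from a hypothetical webmail host.
RAW_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly
Set-Cookie: PREF=lang%3Den; Path=/; Expires=Wed, 13 Aug 2008 10:00:00 GMT
Set-Cookie: SID=xyz789; Path=/; Secure; HttpOnly
"""

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs

def audit_cookies(raw_response):
    """Return {cookie_name: [issues]} for every Set-Cookie header in a response."""
    findings = {}
    for line in raw_response.splitlines():
        header, _, value = line.partition(":")
        if header.strip().lower() != "set-cookie":
            continue  # status line or some other header
        name, _, attrs = parse_set_cookie(value)
        issues = []
        if "secure" not in attrs:
            issues.append("no Secure flag: browser will send it over plain http")
        if "httponly" not in attrs:
            issues.append("no HttpOnly flag: readable by script injected into a page")
        findings[name] = issues
    return findings

def exposed_over_http(raw_response):
    """Names of cookies the browser would reveal on an http:// request."""
    return sorted(name for name, issues in audit_cookies(raw_response).items()
                  if any(issue.startswith("no Secure") for issue in issues))

if __name__ == "__main__":
    for name, issues in audit_cookies(RAW_RESPONSE).items():
        print(name, "->", "; ".join(issues) or "ok")
```

Run against the constructed headers, SESSIONID and PREF show up as exposed over http and only SID passes; the same check can be pointed at headers captured from a real login response to see whether the session cookie is one of the exposed ones.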

The downside of all of this? It’s not easy being informed and secure. I wouldn’t expect any of my users to understand any of this, let alone actually practice it. This is why I think endpoints and especially public local networks are a dangerous hunting ground right now. These are advanced topics, and the only way to combat such advanced topics is long-term education and technological controls (like bumpers in the gutters of bowling lanes).

highlighted talks of defcon 16 and some I still want to see

These are some of the favorite talks I saw at Defcon.

Bruce Potter: Malware Detection through Network Flow Analysis
As expected, Bruce brings a lot of passion and “no fear” opinions to his presentations, which are much-needed as the industry spreads out and becomes more stuffy, er, mature. Bruce spoke to using network flow analysis for finding intruders or suspicious activity. This was a Black Hat talk that ran right to the end of the session, and one question I would have posed to Bruce is how he would deal with Skype and how it makes connections to all sorts of otherwise suspicious endpoints with the P2P component. Really, if there is one talk I would hit at any con, I think a Bruce Potter talk would be it. The guy rocks.
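One concrete form of the flow analysis idea, as an added example that is not code from Bruce Potter’s talk: a compromised host that checks in with a controller tends to produce flows to one endpoint at a near-constant interval, whereas browsing and P2P chatter spread across many endpoints with irregular timing. The flow records below are constructed (documentation-range addresses, made-up ports and times), and the thresholds are assumptions to tune per network.

```python
"""Beacon detection over flow records.

Added example, not code from the talk.  The flow records below are
constructed.  Per (src, dst, dport) the inter-flow gaps are scored by
their coefficient of variation: a low value means the host talks to that
endpoint like clockwork, which is what a check-in beacon looks like.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (start_seconds, src_ip, dst_ip, dst_port, bytes).
FLOWS = [
    # 10.0.0.5 checking in with 203.0.113.9:443 roughly every minute
    (1000, "10.0.0.5", "203.0.113.9", 443, 512),
    (1061, "10.0.0.5", "203.0.113.9", 443, 498),
    (1119, "10.0.0.5", "203.0.113.9", 443, 530),
    (1180, "10.0.0.5", "203.0.113.9", 443, 512),
    (1241, "10.0.0.5", "203.0.113.9", 443, 505),
    (1299, "10.0.0.5", "203.0.113.9", 443, 512),
    (1360, "10.0.0.5", "203.0.113.9", 443, 520),
    (1421, "10.0.0.5", "203.0.113.9", 443, 512),
    # the same host browsing a web site in irregular bursts
    (1005, "10.0.0.5", "198.51.100.20", 80, 14000),
    (1008, "10.0.0.5", "198.51.100.20", 80, 3200),
    (1050, "10.0.0.5", "198.51.100.20", 80, 9100),
    (1052, "10.0.0.5", "198.51.100.20", 80, 700),
    (1400, "10.0.0.5", "198.51.100.20", 80, 22000),
    (1403, "10.0.0.5", "198.51.100.20", 80, 1800),
    # 10.0.0.7 running a P2P client: many peers, a flow or two each
    (1010, "10.0.0.7", "203.0.113.40", 34512, 900),
    (1020, "10.0.0.7", "198.51.100.77", 51002, 1200),
    (1025, "10.0.0.7", "203.0.113.41", 22100, 850),
    (1090, "10.0.0.7", "203.0.113.40", 34512, 910),
    (1130, "10.0.0.7", "198.51.100.78", 41000, 600),
    (1200, "10.0.0.7", "203.0.113.42", 33000, 1000),
]

def group_flows(flows):
    """Map (src, dst, dport) -> list of flow start times."""
    groups = defaultdict(list)
    for start, src, dst, dport, _nbytes in flows:
        groups[(src, dst, dport)].append(start)
    return groups

def interval_regularity(starts):
    """Return (mean_gap, coefficient_of_variation) for a list of start times,
    or None when there are too few flows to judge."""
    if len(starts) < 4:
        return None
    ordered = sorted(starts)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    mu = mean(gaps)
    if mu == 0:
        return None
    return mu, pstdev(gaps) / mu

def find_beacons(flows, min_flows=6, max_cv=0.2):
    """Return [(key, mean_gap, cv)] for endpoint pairs whose flows recur at a
    near-constant interval.  min_flows keeps one-off peers (the P2P case)
    out; max_cv is how much jitter a beacon is allowed.  Both are assumed
    starting points, not tuned values."""
    hits = []
    for key, starts in group_flows(flows).items():
        if len(starts) < min_flows:
            continue
        stats = interval_regularity(starts)
        if stats is not None and stats[1] <= max_cv:
            hits.append((key, round(stats[0], 1), round(stats[1], 3)))
    return hits

if __name__ == "__main__":
    for key, gap, cv in find_beacons(FLOWS):
        print(f"{key[0]} -> {key[1]}:{key[2]} every ~{gap}s (cv={cv})")
```

This also answers the Skype question in one direction: a P2P client talking to a crowd of peers leaves only a flow or two per endpoint, so the per-endpoint minimum keeps it out of the results. The flip side is that a beacon which rotates destinations slips past for the same reason, which is why flow data is a starting point for a hunt rather than a verdict.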

Jay Beale: Owning the Users with Agent in the Middle
Jay didn’t even get to the real meat of his presentation, only scratched the surface of his tool The Middler, and didn’t get into subverting the automatic software installation process. Jay seems like one of those guys who can go on for hours if you just get his geek brain going. I dig that mentality! This talk alone should make one fear open networks (i.e. networks you don’t own) much more. I’m not even sure The Middler will be released (I’m skeptical since it is very powerful-sounding), but it should be something like a cross between ettercap and Hamster and a web proxy. It will reroute traffic through the host box, and allow all sorts of twiddling of the HTTP traffic in between the victim and web server, including persisting non-SSL sessions and javascript injection into pages.

Panel (Mogull, Pesce, Maynor, Hoff): All your Sploits (and Servers) are belong to us
This “panel talk” was really three smaller presentations in one, with some added humor by Hoff as he commandeered one screen to post heckles. Honestly, this “talk” gets props for several reasons. 1) BEER ON STAGE! Come on, there needs to be more beer on stage; I think I only saw 3 talks with beer; it’s Defcon! 2) It was opened with a Spot-the-Fed session. 3) While distracting from the talks, the heckling and interruptions by Maynor/Hoff really fit the atmosphere of Defcon. 4) The talk content was definitely interesting as well.

Movie Night With DT: Hackers Are People Too and Appleseed: Ex Machina
Ok, this was not necessarily a presentation, but rather two movies. The first was by a second-generation Defcon attendee who took video shots and interviews at Defcon 15 to help teach the world that hackers are not evil criminals you hide your children from. The second movie, Appleseed, is one I’ve never seen before and was awesome to see on screen. While the room was large, the screens small, and the sound system sub-par, I enjoyed it since I sat in the second row right next to the speakers.

Taylor Banks & Carric: Pen-Testing is Dead, Long live the Pen Test
Carric and Taylor look the part of the old-school guard of pen-testers; basically with piercings and facial hair and attitude that fit what Defcon is all about. They both went over some of the history of pen-testing and why the pen-test from 8 years ago is dead, but new pen-testing with actual methodologies has been born. I really like their speaking style, and their stance on things like certs and self-taught knowledge and the repeatability of a pen-test (this fits with my life/hard science background). Another abbreviated Black Hat talk, and if I can get my hands on their preso vid from there, I’ll happily pirate watch it.

Schuyler Towne and Jon King: How to make friends & influence Lock Manufacturers
I’ve been dabbling in lock-picking for a while now, and as such this and the Tobias talk really helped fill in a lot of information for me. Schuyler talked about the lock-picking industry and how to properly work with lock vendors if you happen to find a weakness in their locks. I really appreciate that he made a distinction between software and physical lock full disclosure. Software is easy to update, but actual locks almost never get updated or replaced, and it is costly to have someone use a kit on a lock to upgrade it. Not only that, but locks do protect some amazingly sensitive and dangerous stuff, unlike most software. Jon King talked about breaking into Medeco M3 locks and he successfully did a demonstration on stage. What I took away from his talk, however, is that he’s only been doing this hobby for about 3 years, yet has been able to make some huge discoveries.

Marc Weber Tobias: Open in 30 Seconds: Cracking One of the Most Secure Locks in America
Tobias and company went into detail about breaking into more locks, and the various ways to defeat protection mechanisms and bypass others. He also stressed key control, which is important and not something I have actively heard before. It’s a no-brainer, but a no-brainer that still makes a lightbulb ding on after hearing it once.

Nelson Murilo & Luiz “effffn” Eduardo: Beholder: New WiFi Monitor Tool
Unfortunately, Murilo’s English was not so good, but I really dig what his tool, Beholder, wants to do. It really should not be hard to monitor a wireless network for various “stuff” and I think his tool is a great addition to any wireless implementation, especially for networks on a budget.

Valsmith & Colin Ames: MetaPost-Exploitation
This talk got a bit old-school because “the old stuff still works!” They talked about hiding your presence after actually gaining root on a box, and using it to attack others or just hiding your tracks. While this got old-school and was interesting, it still surprises me few people talk about hiding files in ADS.

David Maynor & Robert Graham: Bringing Sexy Back: Breaking in with Style
While a bit lacking in cohesiveness, I like their humor and respect their knowledge. I’m not sure I agree that we should arm everyone with guns, er, a toolbar which does a quick vuln scan on every site/page they visit, but it is ideas like that that can get us thinking deeper than our day-to-day usually affords us.

I missed several talks I’d like to see, some because they were just too packed to bother with, or because they were held concurrently with other talks I wanted to see. I hope to catch these on video at some point, unless I hear that they’re not worth the effort to go beyond the presentation materials on the attendee CD.

Time-Based Blind SQL Injections Using Heavy Queries…
Compliance: The Enterprise Vulnerability Roadmap.
Strace & RSnake – Xploiting Google Gadgets: Gmalware & Beyond
Satan is on my friends list: Attacking Social Networks.
Advanced Physical Attacks: Going Beyond Social Engineering…
SensePost – Pushing the Camel through the eye of a needle.
Fyodor – NMAP-Scanning the Internet.
G.Mark Hardy – A Hacker Looks at 50.
Gaming- The Next Overlooked Security Hole.
Mati Aharoni – BackTrack Foo- From bug to 0day.
Is that a unique credential in your pocket or are you just pleased to see me?
Autoimmunity Disorder in Wireless LANs.
Career Mythbusters: Separating Fact from Fiction in your Information Security Career.
Grendel-Scan: A New Web Application Scanning Tool.
Renderman – How can I pwn thee? Let me count the ways.
Identification Card Security: Past, Present, Future.
Jay Beale – They’re Hacking Our Clients! Introducing Free Client-side Intrusion Prevention.
Renderman – 10 Things that are Pissing me off.
DAVIX Visualization Workshop

can you trust the network traffic more than the endpoints?

I’m catching up on my feeds today at work (amazingly, I didn’t have a huge pile-up of issues like I expected!), and I was reading Bejtlich’s updates on Black Hat. Particularly, I think I want to see the presentation Deeper Door: Exploiting the NIC Chipset by Shawn Embleton and Sherri Sparks of Clear Hat Consulting. Richard says, “This presentation reinforced the lesson that relying on an endpoint to defend itself is a bad idea.” Basically the researchers found ways to pass packets past host-based protections.

While this isn’t a revelation that will cause us to throw our hands in the air about endpoint protections (it’s just a bit too exotic to be a big risk right now), it does reinforce my feeling that the network is the future of security, the stuff that is actually passed from system to system. Well, at least until it is all encrypted for privacy concerns. This is because endpoints just cannot ultimately be trusted or protected in such a way as to remove the network protections and barriers.

Besides, on a related note, I had two overarching security take-aways from my Defcon experience:

1) Open networks are untrusted networks; act like it. The ability for attackers to subvert subnet traffic or sniff traffic or attack endpoints is just huge on an open network. Compound this with wireless… Basically user beware. Hell, even I sit at hotspots and scan around and sniff casually.

2) Endpoints are still ripe to attack, even if you think you run host-based protections. Maybe seeing Jay Beale’s talk on host-based protection will change my mind, but like Maynor said in his panel talk, he’s not risking even turning on his Macbook wifi because he knows of at least one 0day exploit for Broadcoms. Yes, we’re a paranoid lot, and Maynor may be a little more so since he is a personality, but the actions/habits of the experts should not be taken lightly.

defcon 17 planning

Some thoughts on Defcon and what to plan for next year.

  1. Research the talks a bit more. This breaks down into several points:
    1. Think twice about talks given at both BlackHat and Defcon. It seems too much to ask speakers who made 75 minute talks for BH to trim a bit to comfortably cover 50 minutes at DC. They either have to rush or not finish, or both. Sadly, most of the better talks fall into this category, and it really sucks that they all had to stop short in their material.
    2. Check the presentation materials early to avoid highly technical, focused talks that won’t benefit me. Sitting in a code-related talk in code I don’t write can be interesting, but ultimately not too beneficial.
    3. Check the presentation materials to avoid overly shallow talks that don’t give any information other than stuff I already know.
    4. Check whether the talk has been given before. Either I can catch the talk elsewhere because it’s been given at 3 other cons, or the speaker may be pretty raw or even English-challenged.
  2. Get into some parties, do fewer talks.
  3. Print out some self-promoting swag. I obviously am not trying to make myself or the site some pillar of information or profitable venture, but it is nice to be able to spread the word and get involved a bit more. I’d like to print some personal cards with contact info on them, maybe print a few cool t-shirts that have my name or site address, and maybe something else like a little scrolling LED on my backpack with the site address.
  4. It’s vacation! Go alternative! I might think about dyeing my hair next year a bit bluer (professionally done) or bring some clothes for the parties/balls. Defcon is really a great place to just kick back and do whatever isn’t the normal fare for work/days, so one may as well experiment.

countrywide learns that it just takes one

I mostly missed this whole Countrywide data theft scandal, but I’m catching up! As Rothman pointed out:

…Rebollo told special agents that he knew most computers in the office had a security feature that disabled the use of a thumb drive. However, he discovered that one computer didn’t have this feature.

There are two possibilities here, the latter of which I might think is the real reason.

1. The system simply got skipped/missed. Repeatedly. Over the course of two years. I’d have to call bullshit on this one unless their IT is inept or dangerously overworked.

2. Someone, somewhere complained about the inability to use thumbdrives to move data, most likely involving a client or VP/exec. So IT set up a special system that was exempt from the security measures but still allowed on the network, because business wanted that convenience.

I really like what Rothman said in his post:

And there you have it. The weakest link is always the one that gets nailed. Moreover, the policy isn’t worth the paper it’s written on, if it’s not enforced. Seriously. Countrywide gets an A for preventative controls. But they get an F for implementation. As my friend told me when I was trying to sell my house, “it only takes one.” I guess Countrywide gets that now too.

And that is why we will continue to need people to watch logs, alerts, and make sure every device is accounted for. Getting “most” of them is simply not a sustainable security approach.

Oh, and if you want to know the best ways to get around security controls in a business, interview the average employees. They find the ways, unbeknownst to non-monitoring IT/security teams.

some more info on recent pwning of security persons

Just moments ago I posted some headlines from the Black Hat/Defcon week/weekend. Marcin just linked me over to a story with more info on the recent attacks on some security researchers/persons (Shimel, pdp were the two I mentioned). I’m still wondering if they accidentally checked their accounts or had their systems pwned at Black Hat. However, they could also easily fall prey to an email sent to a web mail account that drops them elsewhere and steals their logins if cached…

My eye caught this snippet from the story:

Whoever broke into Petkov’s account was able to archive an entire email spool into an mbox file. Without knowing his password, the attackers most likely would have had to archive all 2GB message by message.

The last part is simply not true. Jay Beale gave a talk at Defcon about a new tool he and a coworker (I missed his name, Justin I think) have developed that will reroute traffic on the network to his machine and then start messing with the http packets to do all sorts of evil things like, oh, harvest all emails from a web-based mail account. The tool is called The Middler, and should soon be available. Here is the presentation which he didn’t come close to finishing in the 50 minute talk.