2009-07-30

Blackhat 2009 Round-Up

This being my first BH, experiencing it juxtaposed against what has been roughly a decade of impressions about what the event is like was interesting. No doubt, BH 2009 is quite different than it was back then. Nevertheless, it was a fantastic educational experience.

In terms of event attendance, I appreciated for the first time the value of Twitter as a social situational awareness tool. Following #blackhat inspired me to switch presentations on at least two occasions to see something better, and kept me abreast of the dynamic nature of peripheral events like happy hour gatherings, etc. It also helped me keep track of and share my thoughts on presentations as they happened - notes I'm happy to share with the public, and which allow me to summarize the event here.

On to the presentations. Below I'll summarize my notes only on presentations that I feel I attended enough of to speak intelligently on.

Rod Beckstrom: Beckstrom's Law
I won't attempt to recreate Rod's law here, but the gist of it is that the value of a network to an individual is the difference in cost of that individual performing an action without the network and with the network. His example was buying a book: if one could buy a book at a brick-and-mortar store for $26, but buys it online for $16, the value for that transaction is $10. Extrapolating this, the value of a network is the cost savings of all actions for all users of that network. It's an interesting academic exercise, but I do not really see its applicability even in microcosms of the internet or limited scope environments for two reasons: first, the notion of value seems to be subjective in nature, making any derivative metric itself subjective. Second, and more indisputably, it is an exponential evaluation to compute this value, severely limiting the size of a "network" (however you may define it) that could be valuated.

One argument Rod made in his talk was that the best investment we can make in security is to improve internet protocols. I disagree. The threats we face in 2009 are so far up into the application layer that internet protocols really aren't a serious risk by comparison. If we want to invest money, we need to make it in areas that reduce the profit margin for the adversary, or increase their risk when they attack. This means a major shift in public policy, lobbying congress and the presidency for sane, threat-driven measures to go after perpetrators, and financial backing for investigations (local, federal) and prosecutions. There also needs to be more accountability on the part of software manufacturers, something that the government can assist with as well possibly via FTC incentives. These are "softer," more ambiguous investments than re-architecting protocols, but they will go much further in their effect.

Nathan Hamiel & Steve Davis: Weaponizing the Web
Nathan and Steve spent a lot of time building up and pontificating about proper web design, but when they got to the meat of their presentation the material was quite valuable. The primary focus was on different ways to leverage cross-site scripting, with a heavy emphasis on Cross-site Request Forgery. This is a technique I was naive to until their talk, and their discussion definitely piqued my interest. A lot of good work has been done on browser-based trust exploitation of late. I suggest everyone check out the work done on this modern twist on the browser trust issues first exploited with XSS. I will add as a critique, though, the material could have been presented more clearly. Even with a pretty strong understanding of related exploits, I found their presentation hard to follow at times.

Nitesh Dhanjani: Psychotronica
I was a little worried about this presentation given its name, but I certainly was not disappointed. Nitesh's presentation was one of the most insightful and effective presentations I've seen in a long time. In it, he discussed his research based on open-source intelligence on relative "happiness" of people, using various words and contexts to quantify the overall attitude of, say, a blog entry. Nitesh then takes this technique and builds it into a tool which can digest tokenized social network entries to illustrate how satisfied or happy a person is over time. In one stunning demonstration of this tool, he maps the long misery of a man, married with a child. At one point in the timeline, the nature of the man's language changed for the positive, rather unexpectedly. Days after this behavioral change, the man killed his wife, child, and then himself. It was a shockingly poignant example of how attitdues can, in retrospect, amplify understanding of the behavior of individuals. There are many possible applications of this technique to OSINT in terms of known threat actors in our field - perhaps not in the dimension of happiness, but maybe financial status, busy-ness, or stress level, to name a few. If patterns of open-source intelligence can be established prior to certain security "events," then perhaps detection can be pushed into the reconnaisance phase of an attack in a very new way.

Steve Topletz, Jonathan Logan & Kyle Williams: Global Spying
My mother always said "if you don't have anything nice to say..." I'll make an exception here. This was a tinfoil-hat presentation that made sweeping generalizations and rattled off 'facts' without a single citation, all to sell fear to the audience that their every move is being monitored by the government - an attitude that conveniently maps to their company's business model of protecting your privacy. The cherry on top was giving everyone a free trial of their company's software, because of course you can trust a for-profit entity so much more than a democracy...

Alessandro Acquisti: I just found 10 Million SSNs
I don't need to say much on this, as the beans were effectively spilled weeks ago. I will say this was a fantastic presentation that clearly followed the scientific method to present and defend a theory using statistically relevant conclusions with heavy - if somewhat unsurprising - social implications. I don't think I can personally pay a higher compliment to a presenter. Alessandro summed it up nicely when he pointed out that identity and authentication cannot be the same thing, but that is precisely what we've been doing with SSN's: the public identifier is also used as a private authenticator, and thus we have the identity theft problems of today. The contrast to the previous presentation in the same room (Global Spying) was truly amazing.

Nick Harbour: Win at Reversing
Nick always puts on a good show, and this was no exception as he illustrates an elegantly simple, but brilliantly constructed tool to facilitate malware unpacking. I'll do my best to describe it here, begging your pardon if my memory isn't dead-on. Nick starts off by articulating the limitations of kernel-level API hooking when analyzing malware behavior. While certain common procedure calls used by malware (like GetHostByName) are executed in ring 0, many other common ones like GetProcAddress are strictly user-land. Makes sense. Nick then turns the user-land rootkit on its head by inline hooking the malicious code, opening access to all API calls by the code, not just those touching ring 0. From here, a procedure likely to be called after the code has been unpacked in memory is identified. Replace this call with an infinite loop (only 2 bytes) prior to execution, and bam! Running the patched PE leaves the unpacked code idling in memory for extraction & analysis. To take it to the next level, Nick then introduces Apithief, which automates much of the complexity of this process for the analyst. The tool should soon be available on Mandiant's site, according to Nick (it wasn't as of the writing of this entry).

Bruce Schneier: Reconceptualizing Security
I can't really say anything here that you won't read on Bruce's blog, nor would I be so eloquent in doing so, but I will say this was my first time seeing him talk, and it was a pleasure to do so. A few take-aways I found particularly significant:
  • One underlying problem that facilitates the divergence between feeling secure and being secure is language: 'security' can apply to both states.
  • Everyone has their own model of reality from which they make decisions. This applies on an individual level as well as instinctual within our species. This is the first time in the history of humankind where our reality is changing faster than our individual and natural model of reality. Whether or not we will ever be able to catch up remains to be seen, but the gap seems to be accelerating.
Unrelated to the subject of his talk, Bruce also discussed one of the recent problems revealed in AES. My understanding is the issue lies in AES's key scheduling algorithm, for the 256-bit 10-round implementation. The shorter 128-bit key is not long enough to propagate the scheduling issue, and the 14-round implementation, which is what we typically use, sufficiently dillutes the effect of the vulnerability. Bruce's comment was that, while none of the recent AES vulnerabilities represent significant risk on their own, they are concerning as possibly a harbinger of improved attacks to come.

1 comment:

Dean Jackson said...

The general fix for cross site forgery that I've used is to embed a one-use-only token into each link in a web application. When you click the link, the server makes sure that's the currently valid token; if it's the wrong token, but you're still a valid user, it sends you to a home page or an error page.

So no link into the application's dynamic content is ever valid from an external attacker's point of view.