Blackhat 2009 Round-Up

This being my first BH, experiencing it juxtaposed against roughly a decade of accumulated impressions of what the event is like was interesting. No doubt BH 2009 is quite different from what it was back then. Nevertheless, it was a fantastic educational experience.

In terms of event attendance, I appreciated for the first time the value of Twitter as a social situational awareness tool. Following #blackhat inspired me to switch presentations on at least two occasions to see something better, and kept me abreast of the dynamic nature of peripheral events like happy hour gatherings, etc. It also helped me keep track of and share my thoughts on presentations as they happened - notes I'm happy to share with the public, and which allow me to summarize the event here.

On to the presentations. Below I'll summarize my notes only on presentations that I feel I attended enough of to speak intelligently on.

Rod Beckstrom: Beckstrom's Law
I won't attempt to recreate Rod's law here, but the gist of it is that the value of a network to an individual is the difference in cost of that individual performing an action without the network and with the network. His example was buying a book: if one could buy a book at a brick-and-mortar store for $26, but buys it online for $16, the value for that transaction is $10. Extrapolating this, the value of a network is the cost savings of all actions for all users of that network. It's an interesting academic exercise, but I do not really see its applicability even in microcosms of the internet or limited-scope environments, for two reasons: first, the notion of value seems to be subjective in nature, making any derivative metric itself subjective. Second, and more indisputably, it is an exponential evaluation to compute this value, severely limiting the size of a "network" (however you may define it) that could be valued.

One argument Rod made in his talk was that the best investment we can make in security is to improve internet protocols. I disagree. The threats we face in 2009 are so far up into the application layer that internet protocols really aren't a serious risk by comparison. If we want to invest money, we need to make it in areas that reduce the profit margin for the adversary, or increase their risk when they attack. This means a major shift in public policy, lobbying Congress and the presidency for sane, threat-driven measures to go after perpetrators, and financial backing for investigations (local, federal) and prosecutions. There also needs to be more accountability on the part of software manufacturers, something that the government can assist with as well, possibly via FTC incentives. These are "softer," more ambiguous investments than re-architecting protocols, but they will go much further in their effect.

Nathan Hamiel & Steve Davis: Weaponizing the Web
Nathan and Steve spent a lot of time building up and pontificating about proper web design, but when they got to the meat of their presentation the material was quite valuable. The primary focus was on different ways to leverage cross-site scripting and related browser-trust attacks, with a heavy emphasis on Cross-Site Request Forgery (CSRF). CSRF is a distinct technique from XSS: rather than injecting script into the trusted site, the attacker's page makes the victim's browser issue a state-changing request to that site, and the browser attaches the victim's session cookies to it automatically, so the site accepts the request as the victim's. This is a technique I was unfamiliar with until their talk, and their discussion definitely piqued my interest. A lot of good work has been done on browser-based trust exploitation of late. I suggest everyone check out the work done on this modern twist on the browser trust issues first exploited with XSS. I will add as a critique, though, that the material could have been presented more clearly. Even with a pretty strong understanding of related exploits, I found their presentation hard to follow at times.

Nitesh Dhanjani: Psychotronica
I was a little worried about this presentation given its name, but I certainly was not disappointed. Nitesh's presentation was one of the most insightful and effective presentations I've seen in a long time. In it, he discussed his research, based on open-source intelligence, on the relative "happiness" of people, using various words and contexts to quantify the overall attitude of, say, a blog entry. Nitesh then took this technique and built it into a tool which digests tokenized social network entries to illustrate how satisfied or happy a person is over time. In one stunning demonstration of this tool, he mapped the long misery of a man, married with a child. At one point in the timeline, the nature of the man's language changed for the positive, rather unexpectedly. Days after this behavioral change, the man killed his wife, child, and then himself. It was a shockingly poignant example of how attitudes can, in retrospect, amplify understanding of the behavior of individuals. There are many possible applications of this technique to OSINT in terms of known threat actors in our field - perhaps not in the dimension of happiness, but maybe financial status, busy-ness, or stress level, to name a few. If patterns of open-source intelligence can be established prior to certain security "events," then perhaps detection can be pushed into the reconnaissance phase of an attack in a very new way.
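To make the mechanics concrete, here is an added example (not Nitesh's tool, and not code from the original post) of the basic pipeline such a tool needs: tokenize dated posts, score each against a polarity lexicon, bucket the scores by week, and flag the largest week-over-week swing in mood. The lexicon, the negation handling and the posts are all constructed for the demo; a real run would swap in a published sentiment lexicon and a scraped timeline.

```python
"""Lexicon-based mood scoring of dated posts over time.

Added example: a simplified, constructed illustration of the technique, not
Nitesh Dhanjani's tool. The lexicon and the posts are made up for this demo.
"""
import re
from collections import defaultdict
from datetime import date

# Hypothetical tiny polarity lexicon (+1 positive, -1 negative); a real run
# would use a published sentiment lexicon with thousands of entries.
LEXICON = {
    "happy": 1, "great": 1, "love": 1, "good": 1, "relieved": 1, "peace": 1,
    "tired": -1, "hate": -1, "miserable": -1, "bad": -1, "alone": -1, "hopeless": -1,
}
NEGATORS = {"not", "never", "no"}        # flip the polarity of the token that follows
TOKEN_RE = re.compile(r"[a-z']+")


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


def score_post(text):
    """Mean polarity of the lexicon tokens in one post, in [-1, 1]; 0.0 if none hit."""
    tokens = tokenize(text)
    total = hits = 0
    for i, tok in enumerate(tokens):
        if tok not in LEXICON:
            continue
        polarity = LEXICON[tok]
        if i > 0 and tokens[i - 1] in NEGATORS:
            polarity = -polarity
        total += polarity
        hits += 1
    return total / hits if hits else 0.0


def weekly_series(posts):
    """posts: iterable of (date, text). Returns [((iso_year, iso_week), mean_score), ...] in order."""
    buckets = defaultdict(list)
    for day, text in posts:
        iso_year, iso_week, _ = day.isocalendar()
        buckets[(iso_year, iso_week)].append(score_post(text))
    return [(week, sum(scores) / len(scores)) for week, scores in sorted(buckets.items())]


def largest_shift(series):
    """Index into series and signed delta of the biggest week-over-week change in mean score."""
    best_index, best_delta = None, 0.0
    for i in range(1, len(series)):
        delta = series[i][1] - series[i - 1][1]
        if abs(delta) > abs(best_delta):
            best_index, best_delta = i, delta
    return best_index, best_delta


# Constructed sample timeline (fictional posts, not real data).
SAMPLE_POSTS = [
    (date(2009, 3, 2), "So tired of all this. I hate it."),
    (date(2009, 3, 5), "Bad day again, feeling alone."),
    (date(2009, 3, 9), "A good day for once, then bad again by evening."),
    (date(2009, 3, 12), "Still miserable."),
    (date(2009, 3, 17), "Feeling great today. Finally at peace."),
    (date(2009, 3, 20), "I love how relieved I am."),
]


def analyze(posts=SAMPLE_POSTS):
    """Weekly mood series plus the week in which the sharpest change occurred."""
    series = weekly_series(posts)
    idx, delta = largest_shift(series)
    return {
        "series": series,
        "shift_week": series[idx][0] if idx is not None else None,
        "shift_delta": delta,
    }


if __name__ == "__main__":
    result = analyze()
    for (year, week), mean in result["series"]:
        print(f"{year}-W{week:02d}: {mean:+.2f}")
    print("largest shift:", result["shift_week"], f"{result['shift_delta']:+.2f}")
```

The interesting output is not the absolute score but the delta: on the constructed timeline the mood jumps from -0.5 to +1.0 in ISO week 12, which is the kind of abrupt reversal the talk described. For the OSINT variants mentioned above (financial stress, workload), only the lexicon and the bucketing window change; the change-point logic stays the same.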

Steve Topletz, Jonathan Logan & Kyle Williams: Global Spying
My mother always said "if you don't have anything nice to say..." I'll make an exception here. This was a tinfoil-hat presentation that made sweeping generalizations and rattled off 'facts' without a single citation, all to sell fear to the audience that their every move is being monitored by the government - an attitude that conveniently maps to their company's business model of protecting your privacy. The cherry on top was giving everyone a free trial of their company's software, because of course you can trust a for-profit entity so much more than a democracy...

Alessandro Acquisti: I just found 10 Million SSNs
I don't need to say much on this, as the beans were effectively spilled weeks ago. I will say this was a fantastic presentation that clearly followed the scientific method to present and defend a theory using statistically relevant conclusions with heavy - if somewhat unsurprising - social implications. I don't think I can personally pay a higher compliment to a presenter. Alessandro summed it up nicely when he pointed out that identity and authentication cannot be the same thing, but that is precisely what we've been doing with SSNs: the public identifier is also used as a private authenticator, and thus we have the identity theft problems of today. The contrast to the previous presentation in the same room (Global Spying) was truly amazing.

Nick Harbour: Win at Reversing
Nick always puts on a good show, and this was no exception as he illustrated an elegantly simple but brilliantly constructed technique to facilitate malware unpacking. I'll do my best to describe it here, begging your pardon if my memory isn't dead-on. Nick starts off by articulating the limitations of kernel-level API hooking when analyzing malware behavior. While certain common calls used by malware (like gethostbyname, which eventually crosses into ring 0 through the network stack) can be observed from the kernel, many other common ones like GetProcAddress never leave user land. Makes sense. Nick then turns the user-land rootkit on its head by inline hooking the malicious code itself, opening access to all API calls the code makes, not just those touching ring 0. From here, an API call likely to be made only after the code has unpacked itself in memory is identified. Replace the entry point of that call with an infinite loop (a short jmp to itself, EB FE, only 2 bytes) prior to execution, and bam! Running the patched PE leaves the unpacked code idling in memory for extraction and analysis. To take it to the next level, Nick then introduced Apithief, which automates much of the complexity of this process for the analyst. The tool should soon be available on Mandiant's site, according to Nick (it wasn't as of the writing of this entry).
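As an added example (not Apithief, and not code from the original post), the following shows the book-keeping side of the two-byte trick: apply the jmp-to-self patch at an API entry point in a raw x86 image, decode the short jmp to confirm a stalled thread is really sitting on our patch rather than on some incidental EB FE, and put the original bytes back into the dump before analysis. The image, the entry-point offset and the prologue bytes are constructed; finding the real offset (from the export table) and reading the stalled thread's EIP are left to the debugger or dumping tool.

```python
"""Freeze-at-API helper for dumping unpacked code (added example).

Not Nick Harbour's Apithief; a constructed illustration of the two-byte
"jmp $" patch described above, operating on a raw x86 image held in memory.
It assumes you already know the offset of the API entry point the unpacked
code will call (e.g. from the module's export table, which is not parsed here).
"""
import struct

JMP_SELF = b"\xeb\xfe"          # x86 short jmp, rel8 = -2: the instruction jumps to itself


def decode_short_jmp(code, offset):
    """Target offset of a short jmp (EB rel8) at `offset`, or None if there is no short jmp there."""
    if offset + 2 > len(code) or code[offset] != 0xEB:
        return None
    rel8 = struct.unpack_from("<b", code, offset + 1)[0]   # signed 8-bit displacement
    return offset + 2 + rel8                                 # relative to the next instruction


def is_spin(code, offset):
    """True when the instruction at `offset` jumps to itself (where a frozen thread sits)."""
    return decode_short_jmp(code, offset) == offset


def find_spin_sites(code):
    """Every offset holding EB FE, so an analyst can tell our patch from incidental ones."""
    return [i for i in range(len(code) - 1) if code[i:i + 2] == JMP_SELF]


class FreezePatcher:
    """Patches API entry points with jmp $ and keeps the saved bytes to repair a later dump."""

    def __init__(self, image):
        self.image = bytearray(image)
        self.saved = {}                     # offset -> original two bytes

    def freeze(self, offset):
        """Overwrite the first two bytes at `offset` with jmp $; returns the bytes replaced."""
        if offset in self.saved:
            raise ValueError(f"offset {offset:#x} already patched")
        if offset + 2 > len(self.image):
            raise ValueError("offset out of range")
        self.saved[offset] = bytes(self.image[offset:offset + 2])
        self.image[offset:offset + 2] = JMP_SELF
        return self.saved[offset]

    def thread_reached_hook(self, eip):
        """Given a stopped thread's EIP (as an image offset), is it spinning on one of our patches?"""
        return eip in self.saved and is_spin(self.image, eip)

    def restore(self, dump):
        """Put the original bytes back into a dumped image; refuses if a patch site was overwritten."""
        dump = bytearray(dump)
        for offset, original in self.saved.items():
            if bytes(dump[offset:offset + 2]) != JMP_SELF:
                raise ValueError(f"patch site {offset:#x} no longer holds jmp $")
            dump[offset:offset + 2] = original
        return bytes(dump)


# Constructed image: NOP padding around a typical 32-bit prologue standing in for an API export.
SAMPLE_IMAGE = b"\x90" * 16 + b"\x55\x8b\xec\x83\xec\x10\xc9\xc3" + b"\x90" * 8
API_OFFSET = 16                              # hypothetical entry point of the API we expect to be called


def demo():
    """Patch, pretend the thread stalled on the patch, then repair the dump."""
    patcher = FreezePatcher(SAMPLE_IMAGE)
    original = patcher.freeze(API_OFFSET)
    spinning = patcher.thread_reached_hook(API_OFFSET)   # what we'd see once the thread stalls
    repaired = patcher.restore(bytes(patcher.image))     # the "dump" is the patched image here
    return original, spinning, repaired == SAMPLE_IMAGE


if __name__ == "__main__":
    print(demo())
```

Two practical caveats the code encodes: the patch only works if the unpacked code actually calls the chosen API (pick one the packer stub itself does not use, or the process freezes before unpacking finishes), and the dump must be repaired before disassembly, otherwise the analyst sees a spurious infinite loop at the start of that API.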

Bruce Schneier: Reconceptualizing Security
I can't really say anything here that you won't read on Bruce's blog, nor would I be so eloquent in doing so, but I will say this was my first time seeing him talk, and it was a pleasure to do so. A few take-aways I found particularly significant:
  • One underlying problem that facilitates the divergence between feeling secure and being secure is language: 'security' can apply to both states.
  • Everyone has their own model of reality from which they make decisions. This applies at the individual level as well as at the instinctual level of our species. This is the first time in the history of humankind where our reality is changing faster than our individual and natural model of reality. Whether or not we will ever be able to catch up remains to be seen, but the gap seems to be accelerating.
Unrelated to the subject of his talk, Bruce also discussed one of the recent problems revealed in AES. My understanding is the issue lies in AES's key scheduling algorithm, for the 256-bit, 10-round variant. The shorter 128-bit key is not long enough to propagate the scheduling issue, and the full 14-round implementation, which is what we typically use, sufficiently dilutes the effect of the vulnerability. Bruce's comment was that, while none of the recent AES vulnerabilities represent significant risk on their own, they are concerning as a possible harbinger of improved attacks to come.


Blackhat 2009

I will be tweeting BlackHat 2009 (my username is, you guessed it, mikecloppert). If we happen to be in the same place, drop by and say hi!

Never been before, but looking forward to the chaos. I'm going to try to attend DefCon, but if I can arrange it, I'll only be there Friday. Due to some housing shenanigans, I must be back in DC for the weekend.


Dear Information Security Industry,

Stop exploiting current events by making dubious or outright false statements in order to advance your own agenda. You do nothing more than devalue yourselves and the credibility of the rest of us when you do so.

Case in point #1: Alan Paller's statements on the recent (and long overdue) analysis of the predictability of SSNs. To wit,
"I don't think this is a high priority, because it doesn't deliver a big enough payoff" for hackers, he said. "You do identity theft so you can steal money, but it's easier to steal money by taking over someone's computer."
Are you serious? One compromises a computer to impersonate another person. If you have an SSN, name, and other basic information like birthday, etc. (often publicly available on social networking sites), it's Game Over: impersonation can be achieved at a much deeper level than a simple userid/password, never mind that more and more sites are implementing some sort of two-factor authentication. This reeks of "look over here where I can make money," ignoring reality. SANS has a lot to offer the information security community, but when its leaders make such questionably accurate and profit-driven comments, it hurts all of our credibility (what professional doesn't have a cache of SANS certs these days?) and devalues the institution as a whole.

Case in point #2: The questionably accurate stories floating around about this alleged North Korean-sourced DDoS against a completely random set of targets. I don't know for sure, but it seems the source of this attributional rumor is the Korea Communications Commission. Here's a sample of one of their statements:
“An aggressive distribution of vaccine programs against the attack has helped fight back,” the official, Shin Hwa-soo, said. “But we are not keeping our guard down. We are distributing the vaccine programs as widely as possible and monitoring the situations closely because there might be a new attack.”
A vaccine? Really? Please tell me we're not taking these people seriously. It seems to be a fact that some sort of DDoS attempt took place, but keep in mind the attribution to the DPRK hinges on people who distribute "vaccine programs" against a DDoS - whatever the hell that means. Initially, the attacks were downplayed, until 24/7 news got hold of it and realized that computer network attack (CNA) can be sexy. Then the "cyber security professionals" realized there was a platform for advancing an agenda and poured fuel on the hype fire. There are plenty of examples. Below are a few.

Google hosted news:
"Just from looking at footprint, it was Bigfoot, not Bambi," said Charles Dodd, founder and chief technology officer for Nicor Cyber Security.

What started off as "Cyber Attacks" on the east coast became "massive" by the time they got to San Francisco.
The US sites experienced a “massive outage”, according to Keynote Systems, a company which monitors 40 government sites in America.

Even Rod Beckstrom, whose comments were mostly well tuned, eventually fell victim to the hype cycle in a most spectacular way:
"[It's] a little bit like launching some Scud missiles towards the U.S.," noted Beckstrom. "These are cyber-scuds, very low-tech, but a lot of them, and kind of annoying."
No, Rod, it is nothing like this.
All of this hype, yet when you ask the victims, they tell you that the impact was negligible [source: ABC World News Tonight, 7/8/2009]. This underscores the classic properties of CNA that make it much less effective in terms of real economic impact than CNE (computer network exploitation, i.e. intrusion for the purpose of collection):
  1. Its effectiveness is often limited to the period over which it can be sustained - except when machine or software destruction is involved, in which case it simply becomes a DR exercise,
  2. It is difficult to sustain,
  3. It is open conflict and identifiable immediately, and
  4. It rarely maps to the intended strategic or tactical goals of the executor (what, for instance, was achieved here?)
So, can we please stop participating in the hype and lend some credibility to our young and rapidly emerging field by focusing on factual and rigorous investigation? Exaggeration and misrepresentation in the media is inevitable, but we encourage it when we reinforce it with expert opinion.

Administrivia Jul 2009

After a few months off, I'm resurrecting this blog. I've been busy with a variety of personal issues, like relaxing, over the past few months, as well as focusing what little time I have available on the SANS Forensics & IR blog. I'd considered abandoning this blog altogether in favor of my contributions there, but have realized that I need an outlet for more spontaneous and opinionated entries that I feel do not belong there. Also, my bar for contributing here is lower - I do not feel the need to positively contribute something new and meaningful with each entry, as I feel is appropriate for SANS.

In any case, a quick update. After many months of consideration, I decided it was in my best professional and personal interest to join Facebook and Twitter. If I don't understand these communication and interaction technologies as I understand others, I will inevitably find myself falling behind and unable to exist at the forefront of security (whether I will ever get there is debatable as well, heh). I probably won't be very active with these accounts, but will likely tweet at BlackHat this year in an effort to keep in touch with all the folks I'll know there. It'll be my first BlackHat, and I'm looking forward to it!