Lucas Adamski's notes
Well it was quite the long week, I just got back late Sunday from Blackhat Vegas 2011 and Defcon. Blackhat was.. well, Blackhat. Defcon however was in new digs at the Rio this year and besides the utterly hopeless food situation (hello Rio... thousands wandering in search of food and you can't open half the restaurants?), it was much nicer. Plenty of space to move around or just chill, and except for a few very popular talks the lines were generally quick and most everyone got in.
For many who haven't been to a security conference before, it may seems like all everyone talks about is how to break stuff, but really talks fall into at least two buckets:
- Vulnerability and exploit discussion
- Security and privacy ecosystem
I'll mention some of the more interesting talks in the above buckets. I'm not necessarily picking the most news-worthy, but things that I saw or read about that peaked my curiosity.
Vulnerability and exploit discussion
- Alessandro Acquisti: Faces Of Facebook. Fascinating discussions of correlating publicly available data (namely, photos) to see if you can find a significant match between personally identifiable pictures (i.e. on Facebook) with uncorrelated pictures (from dating sites or just random street photography). The short version is you could, with just a random picture of a person in a given city, figure out their real identity along with a pretty good guess at least part of their social security number. http://www.techwarelabs.com/black-hat-2011-faces-of-facebook-the-largest-real-id-database/
- Phone networks are proving to be about as insecure as most security researchers assumed. Talk regarding femtocell (micro cell towers) security: http://www.zdnet.co.uk/news/security-threats/2011/07/14/vodafone-femtocell-hack-lets-intruders-listen-to-calls-40093413/ ... and of course the UAV that can crack wireless networks and snoop on phone calls and SMS messages: http://www.geek.com/articles/geek-pick/wasp-the-linux-powered-flying-spy-drone-that-cracks-wi-fi-gsm-netwokrs-20110729/
- Random bit memory errors can have interesting security side-effects: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Dinaburg
- Adobe Reader X Sandbox is a bit porous.. but not surprising since the underlying model is closer to IE7's protected mode than it is to Google's Chrome (i.e. sandboxed process still has network and disk read access). Also contained an escalation of privilege attack that was apparently enabled by exposing write access to a file that contained some Reader configuration settings. Moral here is exposing any filesystem access directly to the sandboxes process poses significant risks. https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Sabanal
- Charlie Miller had an interesting talk on just how much control the OS can have over say a laptop battery. Turns it quite a bit, even to the point of causing the battery to overheat and shut down. Sadly, nothing caught fire (yet): http://www.accuvant.com/capability/accuvant-labs/security-research/featured-presentation
- More focus on USB devices.. careful what you decide to plug into your computer! https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Davis and https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Ose
- In other non-shocking news, mobile security updates are glacial, measured in the dozens of *weeks*: http://blog.mylookout.com/2011/08/inside-the-android-security-patch-lifecycle/
- DDoS still lives... including some neat innovations that can take down certain platforms (*ahem* Windows) or entire local networks from just a single low-powered device. Turns out IPv6 allows devices to advertise themselves as routers over and over again.. and Windows machines will happily keep adding each of to their routing table... for a few seconds, until they lock up solid. Also an amusingly ironic detour via the world of _defending_ LulzSec against DDoS attack. https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Bowne
- Hacking wireless water meters: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#McNabb
- Cracking passwords is getting ever cheaper/faster: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Imhoff
- Android lets one app monitor the state of other running processes, including detecting when they gain focus and pre-empting their GUI. This allows a malicious app to run at start time, hide in the background and effectively impersonate many popular apps to steal credentials and have all sorts of fun. This is another example of how mobile devices have a serious generalized problem regarding their lack of reliable indicators for security context and state. https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Percoco
Security and privacy ecosystem
- Moxie Marlinspike announces an interesting tool called Convergence.. essentially a revision of Perspectives but focused on distributing trust to a number of authorities rather than just trying to support self-signed certs. http://www.darkreading.com/security/attacks-breaches/231300428/time-for-a-better-web-of-trust.html
- Interesting tools announced to enable emergency P2P communications via cellphones in case a natural (or political) disaster shuts down the the cell phone system: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Wilhelm
- Attention for better or worse on bitcoin, including Dan Kaminsky (http://www.bitcoinmoney.com/post/8493775234/dan-kaminsky-toorcon-bitcoin) and https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Skunkworks (News Flash: Bitcoin mining causes graphics card shortage!)
- Microsoft announce a $250K prize for new exploit mitigation techniques: http://www.eweek.com/c/a/Security/Microsoft-Offers-250000-in-BlueHat-Prizes-for-Security-Technology-857524/
- Another talk regarding reducing the reliance on single authorities or servers of information.. in this case trying to turn RSS into a distributed P2P model: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Alonso2
- Willingness of civilians to engage in public acts of cyber sabotage is becoming a hot topic: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Holt
- Another tool to reduce online tracking and profiling, Chrome-only extension unfortunately: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Kennish
Ian Melven's Notes
I attended Blackhat, these are the talks I picked out :
- I attended the Reader X sandbox talk by some IBM X-Force folks which Lucas covered above. I would add that my takeaway here is : 'choose your sandbox policies very very carefully'. Most of the problems with the Reader sandbox were caused by policies that differed from those used by Chromium, which shares the same sandbox implementation. On Flash Player the local security model only allowed filesystem OR network access, which would have prevented the attacks they showed (reading data and sending it to a server). It obviously wouldn't prevent the 'writing JS file to a startup dir attack'. They also showed an attack that completely disabled the sandbox (requiring the user to restart Reader), but did not disclose details. If this sounds interesting, look for the full whitepaper, which appears to not yet be published on the web.
- "Attacking Clientside JITs", Chris Rohlf + Yan Ivnitskiy (Matasano) : i attended this along with many other Mozilla folks. This was a pretty high level overview of different kinds of JITs, security issues with JITs (largely based around pages being RWX), the JIT spraying technique (think heap spraying but with JS constants), and various mitigations implemented by various browsers/JITs. While IE and Chrome have more mitigations in place than Firefox currently, the speakers stated they've been in contact with the JS team and that Firefox and its JITs should have mitigations in place in the near future.
- Crypto For Pentesters, Tom Ptacek and Mike Tracy (Matasano): this was an excellent, very fast paced talk covering how to break incorrectly implemented crypto systems. I highly recommend checking this out if possible, especially for the infrasec folks. They demonstrated tools they wrote to perform attacks against certain weaknesses of crypto in web applications. These relied on errors such as using HMAC incorrectly (hashing key|message instead of hash(key) hash(message)) leading to a length extension attack, reusing the same keystream with AES in CTR mode (don't use a time based nonce, especially if your app can send multiple responses per time slice), and using AES in ECB mode. They also announced a web site similar to web goat that implements many common crypto mistakes they have seen while assessing client web apps where you can try your hand at actually pulling off their attacks, attempt challenges, there's a leader board etc. Very cool.
- Hacking Android - this was a talk I was really looking forward to, given my focus on mobile, but unfortunately the presenters never showed
- Smart Fuzzing the Web - Fishnet Security wrote an open source App-Scan like tool (RAFT - http://code.google.com/p/raft/), it embeds Webkit and is designed around the idea of correlating and analyzing results across a web app pen tester's suite of tools, e.g. it can read in burp scanner logs, and aggregare its results for say, XSS, with the results of its own tests/scans. One cool idea they had was to use robots.txt from the top 100 Alexa/Quantcast websites to build their word list for the directory brute forcing feature.
- Relevant to Moxie's announcement, he commented in this bug https://bugzilla.mozilla.org/show_bug.cgi?id=644640 "Implement extension point for extensions to influence trust decisions in PSM" adding his vote for it.
- One theme I picked up on at the conference was 'the current defenses aren't good enough'. This was not just explicitly called out in the talks, but also heavily reinforced by the Microsoft offer of money for new mitigation techniques that Lucas mentioned above, and a similar program from the US Government/DHS offering independent researchers and small security firms the chance to bid for contracts to do research into defense.
- Thanks to all the folks who attended our Milk n Cookies party as well !
This was my first BlackHat conference so I went in with some high expectations. Here are my reviews of the talks I attended:
This talk was intended to be more technical, but the speaker received a day-pack and t-shirt instead of his luggage from his airline. He managed to pull together a pretty reasonable talk that outlined how SPDY works, and published a client library for SPDY. It was a great into to the protocol that explained some of the issues with it, and an excellent overview of how HTTP is implemented over SPDY. I highly recommend that *all* members of Infrasec watch this video and get a solid understanding of SPDY since it seems like a strong candidate to become widely adopted. [libspdy]
Reverse Engineering Browser Components
I bailed on this one after ~15 minutes for the Femtocell talk.
Femtocells: A poisonous needle in the operator's hay stack
This talk was pretty good. It could be summarized as "mobile providers open gaping hole in operator networks by giving attackers control of edge devices with old bugs.". It was interesting to note that an attacker could simply acquire the IpSec configs from the device they demo'd and then put the SIM in to a properly equipped computer and hop onto the provider network. [Slideshare]
Aerial Cyber Apocalypse
Nothing really new here, but didn't stop it being an awesome talk :) backtrack + RC Targetting Drone + Arduino == wi-fi snooping UAV with an operational range of 25km and a 22,000ft cieling(400ft legal limit from FAA). [UAV Link]
Chris Paget gave a great overview of her experiences doing a final security review with Microsoft of Vista prior to release. No really big shockers here, but strong support for the Microsoft SDL process and an explanation of the engagement cycle and process they had.
Overview of how to exploit pickle.loads if it contains user supplied input. Great talk, including writing platform independent python shellcode. Spent the last 30 minutes of the talk grepping and inspecting our apps.
Crypto for Pentesters
Not much to add to Ian's review. This video is pretty much a required watch. Also, watch for Matasano's upcoming project 36chambers which is a crypto oriented hackme site.
Smartfuzzing The Web
So this talk was less about fuzzing and more about current challenges in app sec. They did some neat work mining robots and updating dictionaries for fuzzers, but most of the talk was outlining issues with existing tools. They also spent some time talking about RAFT which is NOT an intercepting proxy, but does a bunch of data management and has some basic fuzzers built into it. Worth checking out, but seems really buggy right now.
Chip & Pin is definately broken
Public disclosure of extensions of issues that are known in the finance sector. SDA is horribly broken, and DDA has issues. Showed a sample of a neat EMV card skimmer, and discussed the types of skimmers seen in the wild. A good aspect to this is that EMV adoption results in a liability shift; when an EMV transaction is performed with a valid card and pin the customer assumes the liability since the PIN and Card are "secure". Good talk about a big ugly mess.
- Analyzing SPDY ::
The key take away from this talk for me is what we could learn for use in Web Sockets. For example SPDY allows for session wide settings based on origin for persistence and in its V2 format is vulnerable to session hijacking. As it uses stream IDs (even for server, odd for client) for the control frames in sessions. The issue is that some sites are re-using the ID. If web sockets calls for any session management type of work it should be very carefully checked as to how to avoid both hijack and replay.
- Hacking Google Chrome OS ::
Again the take away here is how this could relate to web apps. In this talk they showed how trusted apps that were used in Chromium where the user had only access to Google and Google docs could use apps to leverage access to the data of another user. The attack they talked most about used a Scratchpad that had js in the name that was shared and on mouse-over attacked a user to whom it was shared. I think this has a good deal to do with the permissions that the apps have.
- How do we communicate app permissions?
- If we sandbox do we then have APIs that could be misused?
Implications for B2G:
- For chromium, Chrome is the desktop, in our case its Gecko, could exposed APIs be dangerous?
- They showed how an app could force an install to a device, as the ://android.market could be leveraged to a linked phone-user account.
- We should implement common uses cases in well tested and controlled APIs to keep them from being misused.
- What kind of rights should extensions have?
- to what websites, if any?
- Beyond files undeleting OWADE::
Interesting forensic tool the major issues raised towards us (as they talked about us directly)
- Form fill is on by default and the fill/form history is not protected thus it can be easily read (address, credit card, etc)
- We should look in bugzilla for older password bugs such as password tied to a user account
- Can we use the master password for sync to protect this?
- How can we encourage users to move off of blank master passwords? Mobile son?
- Is there a diff in how we handle this across platform (mac/win/linux)? If so how do we unify?
- Reverse Engineering Browser Components
Bailed after 5 min for Tamper Evident Seals
- Tamper Evident Seals - Design and Security::
This was an interesting talk and made me think about the implications of what we think we know. Seals in the real world are useful but only as useful as one is willing to audit or monitor for tampering. So casual checking is easy to fool. Do our checks give us a false sense of protection because we aren't sufficiently examining them?
- Aerial Cyber Apocalypse::
These guys used an off the shelf remote control plane to do some interesting digital aerial recon that make me think somewhat about emanating electromagnetic signals and how they might be used to gather info especially given that we see threats at our level but may miss them at lower or higher levels. Point of view attacks for lack of a better term.
- Hacking Androids for Profit::
Presenters were a No Show So dropped in but was not very interested in either of Virtualization under attack or Legal Aspects of Cybersecurity. The biggest take away from the virtualization one is that we may need to take care if we sandbox or virtualize things and what has access to those APIs. As well as how things that are virtualized then communicate with other areas and how that could be misused instead of protecting.
- Battery Firmware Hacking::
Really interesting talk, I think this has thought implications in how we attach hardware to say web-apps as we move forward. As the devices could pose a risk if they are altered in ways not intended by the manufacturer.
- SSL And The Future Of Authenticity::
I think Moxie made a very interesting case for how trust decisions are broken in the current CA model. I think his underlying thinking on trust requirements and Trust Agility are very good but the way that Convergence implements this is flawed. Trust Agility:
- A user can change trust decisions at any time
- Individuals can decide where to anchor their trust (browser, org, etc.)
- Users should have more direct control over both of these
- Faces Of Facebook::
A very interesting talk, others have said most of what I would say. My add to this is that we should be cognizant of how disconnected non identifying information sinks can be tied together to create privacy eroding applications.
- Sticking to the Facts: Scientific Study of Static Analysis Tools::
While interesting I think this talk was flawed as the method used to analyze the tools was less than optimal. I still think that static analysis tools could be very useful to us, but we need to perform some rigorous proof of concept testing in our own ecosystem and tweaked for our usage to see if the cost-benefit is positive for our use of these kind of tools.
Sid Stamm's Notes
Keynote (Day 1): Cofer Black
- Spent 25 years in counter-terrorism
- Warned people about trails of events that lead to great attacks (great as in big)
- "Men's minds have difficulty adapting to things in which they have no experience." -> Attacks are not scary and hard to understand until you live through one.
- We were apparently ready for 9/11 with an Afghan War Plan (to hunt Bin Laden) and a worldwide attack matrix (to find and disrupt terrorist cells)
- "In crisis all bureaucracy melts away
We used to have a threat classification, from minor to major: Chemical, Bacteriological, Radiological, Nuclear. This has changed to include "cyberwarfare": Kinetic Bacteriological, Cyber. Apparently cyberwarfare is scariest.
Fire alarm goes off
"The stuxnet attack is the rubicon of our future" because it is (1) expensive (2) physical destruction via cyber means (3) physical effects of the attack could lead to kinetic retaliation by victim. What is an appropriate response to an electronic attack?
He called this "the Code War".
For the most part this speaker spent a lot of time explaining how M2M devices (embedded, mobile-connected) can be assaulted. The conclusion was that if we can assault these devices and have a variety of effects, MAYBE a payload can be delivered via SMS.
Types of attacks on M2M devices:
- firmware/OTA flash attack
- Baseband attack
- APN/private network attack
Firmware/OTA: ways to update devices "securely" over the air. Perhaps you can reflash OTA if you're careful.
Baseband: These M2M devices have their own network stacks... attack them. In fact, some will answer to FTP. You can own devices remotely by hosing the net stack, but there's lots of development time involved with making such an exploit.
APN: The network (private IP-based network) inside the GPRS or other RF section. This is an internal network that, given access to it, you can play with mobile devices as if they were just hosts on the internet.
What should we (attackers) be doing?
- M2M hardware is cheap and homogeneous. An attack on one device is easily tailored to a completely different device.
- These devices usually have baseband and microcontrol without shared memory, so we can attack the bus --- which often takes AT commands.
- Stuff sent over this bus may be encrypted but often is not (and when it is, the encryption is weak).
- Lets tap pins, sniff data, and reverse the bus.
If you can dig into and watch SMS communication coming into a live device you can figure out how to customize messages to attack it.
Use the telephone to war-drive devices. Find those that reject phone calls -- these are usually M2M devices. Can also look up caller-ID on these devices to see what they claim to be.
OWADE (Forensics) talk
This talk discussed how to recover browser-oriented data from Windows. They discussed how to attack the weak points of encrypted windows storage and how a lot of stuff is stored in the clear anyway.
- Form history is not encrypted on disk (we should do that)
- Chrome and IE use DPAPI (windows encrypted storage) to store browser data.
- Firefox does not use the DPAPI (or keychain on Mac).
SSL/Authentication + Trust (Moxie Marlinspike)
- Moxie is sad about comodo.
- Implications of hacking them were that it was an act of war
- Not so much.
- The attacker was not state sponsored and was easily identified since (after obtaining the certs) he searched for and found sslstrip. The incoming referer gave away the search query.
- Nothing happened to comodo; there were no side-effects to the hacking except for some bad press.
- Accountability is not there.
- Found out (from one of the original SSL designers) that "the CA thing was a bit of a hand wave"
- Trust anchors can be modified at any time (without breaking the web)
- Individuals can decide where to anchor their trust (not relying on the sites to pick)
It's "our data, should be our trust decision."
Argues DNSSEC is worse because we place the trust in inflexible roots (foo.ly can't change who signs their records).
Perspectives is a good direction except:
- Needs completeness (something better than an add-on)
- needs privacy (notaries shouldn't know your entire web history
- needs responsiveness (don't wait on slow notaries)
Convergence ... an improvement on perspectives.
- build it in to make it complete
- Cache stuff in the browser and use "notary bouncing" to improve privacy
- not locked down to one validation model (notaries can use any system they want; perspectives, PKI, etc).
What about captive portals?
Ultimate question to leave us with: "Who do I trust ... and for how long". CAs are permanent since you can't stop trusting them and still access the sites they validate.
Faces of Facebook
Summary: Technology + Facebook Photos + Tagging + Facial Recognition = OMGWTF!!!11!! SCARY!
Augmented reality, when used with facial recognition and cloud-based data mining, can be used to instantly stalk people who you encounter in bars or what have you.
Facebook, Google and Apple are all acquiring facial recognition technology.
- Facial recognition is improving. We're getting better at fingerprinting and even automatically finding faces in photos.
- Self-disclosure of information is increasing (facebook profiles, etc).
- Re-identification from public data sets is possible (AOL database, public facebook photo/name bindings, etc).
- Cloud-computing is getting cheaper and you can pay as you use it (e.g., amazon).
Your face is the link between your offline and online profiles.
This could result in a world where anyone could recognize a face of anyone else (using technology). Is this unregulated Real ID? Eek.
Demoed a smartphone app to identify people and guess their SSN. "The Wingman" augmented reality app. Funny.
Jesse Ruderman's notes
Sessions for which I took detailed notes
- Panel: Securing Applications at Scale
- Talk: How to compare static analysis tools
- Talk: Law of cybertravel
Sessions I enjoyed
- James 'myrcurial' Arlen - "Security when nanoseconds count"
- Inspiring to think about network security under the latency constraints imposed by being in the business of temporal arbitrage.
- Paraphrase of a car analogy: "Security shouldn't be brakes that are always on. Security should be brakes that let you go fast."
- Matt 'openfly' Joyce - "The Art of Trolling"
- Abuse of cognitive biases and rhetorical fallacies.
- If you're being a dick, and it's not funny, then you're just being a dick.
- Bruce 'Grymoire' Barnett - "Deceptive Hacking"
- 'datagram' - "Introduction to Tamper Evident Devices"
- Matt Johansen + Kyle Osborn - "Hacking Google Chrome OS"
- Makes me glad we have amo-validator. Filed bug 679504 on one more thing we should scan for.
Notable hallway conversations
- People love the idea of Rust, especially its object lifetime control (pointer types and argument types). Security conferences may be a good place to promote it.
- Ran into Andy Renk at the "Freak Show" party. He clarified Microsoft's stance on my DOM fuzzer.
- Met @fjserna, who told me about an awesome trick to force-enable ASLR.
- Filed bug 677797.
- Met @mmoutenot, who told me about neat tricks for fuzzing for null-terminator bugs.
- Had some conversations with anti-malware companies -- whitelisters such as Bit9 and analyzers such as Norman -- since I was curious what could be done with our crash-stats (for feedback, or helpers on support.mozilla.com, or for analysis for curiosity).
- (If you click the "modules" tab on https://crash-stats.mozilla.com/report/index/537102e7-9a80-478f-bbd2-94c522110816 you can see the kind of data for each crash report.)
- Realized that crash-stats doesn't have MD5s of DLLs :(
- I like the large buffet in the Rio casino, the Carnival World Buffet.
- Yummy chicken, pasta, and watermelon at the "American" station (right side). As close to a balanced meal as I'm going to get in Vegas.
- Long payment lines at peak hours. Avoid the line by:
- Eating at off-peak times. This buffet does not close between meals; it just switches from lunch to dinner at 3:30. (The conference schedule may force me to eat off-peak anyway!)
- Getting out of the "main line" and into the "paying with a credit card line" as soon as possible.
- If I'm alone, the coin toss trick could be used to cut the line. People behind me might think I'm a jerk but they would be more than wrong.
- Paying $10 to cut the line, if desperate.
- If I want to see a Vegas show, Tuesday night (before Black Hat) is a good time to do it.
- Rio hotel rooms cost ~$500 normally but ~$100 with the conference rate.
- It's totally worth it to switch hotels between BH and DC. Avoid taxi lines, attend parties without my backpack, and pay less.
- Staying Sunday night is feasible at this rate, and depending on flight costs, perhaps even cheaper. But by Sunday night I'm tired of Vegas and shitty Internet access.
- The DEF CON printed schedule is organized so poorly that even a bunch of ⌘F is preferable.
Swag that made me jealous
- Shirt: Nyan cat
- Shirt: “Video games ruined my life. Good thing I have two extra lives.”
- Laptop decal: Totoro carefully balancing the glowing Apple logo on his head.