Security/Conferences/BlackhatDefcon2011: Difference between revisions

Lucas Adamski's notes

Well it was quite the long week, I just got back late Sunday from Blackhat Vegas 2011 and Defcon. Blackhat was.. well, Blackhat. Defcon however was in new digs at the Rio this year and besides the utterly hopeless food situation (hello Rio... thousands wandering in search of food and you can't open half the restaurants?), it was much nicer. Plenty of space to move around or just chill, and except for a few very popular talks the lines were generally quick and most everyone got in.

For many who haven't been to a security conference before, it may seems like all everyone talks about is how to break stuff, but really talks fall into at least three buckets: a) Vulnerability and exploit discussion b) Security and privacy ecosystem

I'll mention some of the more interesting talks in the above three buckets. I'm not necessarily picking the most news-worthy, but things that I saw or read about that peaked my curiosity.

Vulnerability and exploit discussion

• Alessandro Acquisti: Faces Of Facebook. Fascinating discussions of correlating publicly available data (namely, photos) to see if you can find a significant match between personally identifiable pictures (i.e. on Facebook) with uncorrelated pictures (from dating sites or just random street photography). The short version is you could, with just a random picture of a person in a given city, figure out their real identity along with a pretty good guess at least part of their social security number. http://www.techwarelabs.com/black-hat-2011-faces-of-facebook-the-largest-real-id-database/
• Phone networks are proving to be about as insecure as most security researchers assumed. Talk regarding femtocell (micro cell towers) security: http://www.zdnet.co.uk/news/security-threats/2011/07/14/vodafone-femtocell-hack-lets-intruders-listen-to-calls-40093413/ ... and of course the UAV talk from Defcon that can crack wireless networks and snoop on phone calls and SMS messages: http://www.geek.com/articles/geek-pick/wasp-the-linux-powered-flying-spy-drone-that-cracks-wi-fi-gsm-netwokrs-20110729/
• Random bit memory errors can have interesting security side-effects: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Dinaburg
• Adobe Reader X Sandbox is a bit porous.. but not surprising since the underlying model is closer to IE7's protected mode than it is to Google's Chrome (i.e. sandboxes process still has network and disk read access). Also contained an escalation of privilege attack that was enabled by apparently exposing write access to a file that contained some Reader configuration settings. Moral here is exposing any filesystem access directly to the sandboxes process poses significant risks. https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Sabanal
• Charlie Miller had an interesting talk on just how much control the OS can have over say a laptop battery. Turns it quite a bit, even to the point of causing the battery to overheat and shut down. Sadly, nothing caught fire (yet): http://www.accuvant.com/capability/accuvant-labs/security-research/featured-presentation
• More focus on USB devices.. careful what you decide to plug into your computer! https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Davis and https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Ose
• In other non-shocking news, mobile security updates are glacial, measured in the dozens of *weeks*: http://blog.mylookout.com/2011/08/inside-the-android-security-patch-lifecycle/
• DDoS still lives... including some neat innovations that can take down certain platforms (*ahem* Windows) or entire local networks from just a single low-powered device. Turns out IPv6 allows devices to advertise themselves as routers over and over again.. and Windows machines will happily keep adding each of to their routing table... for a few seconds, until they lock up solid. Also an amusingly ironic detour via the world of _defending_ LulzSec against DDoS attack. https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Bowne
• Google Chrome OS: first time ever someone uses a JavaScript vulnerability (in an add-on) to obtain a local escalation of privilege... oh wait, not hardly. https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Osborn
• Hacking wireless water meters: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#McNabb
• Cracking passwords is getting ever cheaper/faster: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Imhoff
• Android lets one app monitor the state of other running processes, including detecting when they gain focus and pre-empting their GUI. This allows a malicious app to run at start time, hide in the background and effectively impersonate many popular apps to steal credentials and have all sorts of fun. This is another example of how mobile devices have a serious generalized problem regarding their lack of reliable indicators for security context and state. https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Percoco

Security and privacy ecosystem

• Moxie Marlinspike announces an interesting tool called Convergence.. essentially a revision of Perspectives but focused on distributing trust to a number of authorities rather than just trying to support self-signed certs. http://www.darkreading.com/security/attacks-breaches/231300428/time-for-a-better-web-of-trust.html
• Interesting tools announced to enable emergency P2P communications via cellphones in case a natural (or political) disaster shuts down the the cell phone system: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Wilhelm
• Attention for better or worse on bitcoin, including Dan Kaminsky (http://www.bitcoinmoney.com/post/8493775234/dan-kaminsky-toorcon-bitcoin) and https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Skunkworks (News Flash: Bitcoin mining causes graphics card shortage!)
• Microsoft announce a $250K prize for new exploit mitigation techniques: http://www.eweek.com/c/a/Security/Microsoft-Offers-250000-in-BlueHat-Prizes-for-Security-Technology-857524/
• Another talk regarding reducing the reliance on single authorities or servers of information.. in this case trying to turn RSS into a distributed P2P model: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Alonso2
• Willingness of civilians to engage in public acts of cyber sabotage is becoming a hot topic: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Holt
• Another tool to reduce online tracking and profiling, Chrome-only extension unfortunately: https://www.defcon.org/html/defcon-19/dc-19-speakers.html#Kennish