BlackHat USA 2009

Last week and through the weekend I was in Las Vegas for this year’s annual block of hacker conferences, BlackHat USA and DEFCON.  This year was a bit different for me as my employer no longer covers conference expenses (even if you’re speaking!), so since I was there not representing a company and entirely on my own dime, I stayed with some local friends for the first half of my stay and did a lot less gambling… none actually.  My gracious hosts did a lot of ferrying me around for the first half of my stay as well to help me avoid cab fares.

One of the highlights of BlackHat was obviously the Pwnie Awards.  This industry awards ceremony, highlighting the successes and failures of the security industry of the past year, has quickly become one of my favorite parts of BlackHat.  If you’re interested, you can find this year’s nominees and winners listed over at the Pwnie Awards website.  The impromptu dinner afterward was very enjoyable as well, where I shared a meal with the likes of the lovely Shyama Rose, that beef-hunk (nsfw) Alex Sotirov, Pusscat, who needs no introduction, the code machine I call a boss, HD Moore, some d00d from Rhode Island, slow, and a slew of other interesting and intelligent people.

I didn’t make it to many parties this year, but one of the few BlackHat parties that I did make it to was the Microsoft party over at Treasure Island.  An awesome mix of people made for some good conversations, but the music indoors was horrible…  The DJ was playing all kinds of early-90’s tunes like Bel Biv Devoe, Boys II Men, etc. Outside the music was much better (house!) except that the DJ kept having to stop the music for any number of reasons, the longest of which being the Pirate show going off just outside the balcony on the waterfront between the club and the street.

Overall BlackHat was a fairly enjoyable experience.  I would have liked to have seen more of the presentations but due to an extremely late night Wednesday night culminating in my friend locking himself out of his hotel suite, soaking wet, in his boxers, I ended up sleeping late on Thursday and then attempted to get over to DEFCON early to get registered and get one of the electronic badges to play with.  You can however read my thoughts on the various presentations I did see below:

Practical Windows XP/2003 Heap Exploitation – John McDonald, Chris Valasek

This was probably the most technically interesting talk that I attended at BlackHat.  The few times I’ve had to exploit something via the heap in the past, it was always a pain-in-the-ass, inexact science involving sprays and hoping that call instruction ends up in the right place.  This talk however was about none of that.  It was about exploitation using the heap and it’s structure itself, and attempting to not leave the heap in a corrupted state (or at least a corrupted state that it was aware of).  John and Chris did an excellent job of describing the heap and it’s internal layout and structure to those of us in the audience that weren’t all that familiar with it, such as the heap free bitmap.  They also covered how the heap is managed and the various algorithms used to do so.  They then covered the existing heap security mechanisms and how those worked, such as heap cookies, safe un-linking checks, and process termination when something is noticed to be awry.  Following all of this groundwork to bring the audience up to speed they briefly touched on existing exploitation techniques such as overwriting the look-aside list, bitmap flipping attacks, and faking a populated list.  Finally they got into the meat of their presentation, the new exploitation tactics that they had developed.  These included a bitmap XOR attack and a couple of new tricks using the look-aside list, but the really interesting one was leveraging a 1 byte overflow to de-sync the heap cache and create a “shadow” free list which is used when allocation is requested for specific sizes.  This allowed the return of the same memory address every time that an allocation for these specific sizes was made, which is really, really cool.  Finally they listed some of the tools that they use when working in this space and performed a demo.  The impression I was left with was that to accomplish exploitation this way was a LOT of work, but I guess when you really, really need to exploit that vulnerability and all you have to work with is the heap, it is possible (:

Sniff Keystrokes With Lasers/Voltmeters Side Channel Attacks Using Optical Sampling of Mechanical Energy and Power Line Leakage – Andrea Barisani, Daniele Bianco

Neither of these attacks are anything new; I’ve read papers detailing both of these attacks before.  These researchers did however seem to refine the attacks a bit from what I remember reading many years ago.  This was however the funniest presentation I saw at BlackHat, with the researchers having an ongoing narrative about “The Hacker” and “The Washed-Up Porn Star” with still pictures and even a video, which was really very funny and over-dramatic.  Regarding the sniffing techniques, the first was to use an oscilloscope or voltmeter to measure the line voltage where a computer was plugged in.  When the keyboard sent character codes to the computer, the power differential for each bit of the character code would show up as a wave in the line power, and could be detected and read with fairly high accuracy.  But what if the computer isn’t plugged into line power? That’s where the second attack came in…  The second attack was using a laser microphone to listen to keystrokes by bouncing the laser off of the computer itself, such as the lid of a laptop computer.  This technique was much less exact because it was detecting audio, and you had to do some fairly boring post-analysis of the keystroke patterns to attempt to decipher what the words being typed were.  Again, nothing new here, both of these attacks have been refined and published in various journals over the years.

Analyzing Security Research in the Media – Panel

This was an interesting panel discussion seating a number of Information Security Journalists who mostly answered questions from the moderator.  I believe they were going to take some questions from the audience toward the end, but I had to duck out early to prepare for my own presentation that was coming up in the next time slot.  The questions that I heard asked and their summarized responses were:

1. What makes a threat newsworthy?

The panel mostly agreed on the answer to this one, which was a combination of widespread impact, whether or not it involved a new or exciting product, the amount of damage it could do or how quickly it could spread.  They also indicated that many times they relied on the experts in whichever field was applicable to help identify the big stories.

2. How does someone bring a story to a journalist and do you have any advice to give for doing so?

One panelist said to know your reporter and build a rapport.  Most of the panel seemed to agree that this was all about building relationships with reporters so that they come to know you and trust the information you bring them.

3. The Panel was asked about their thoughts on the relationship between Security Journalists and the Mainstream Media.

It’s fairly obvious that the mainstream media tends to sensationalize, and most Panelists noted this fact.  They also indicated that the mainstream media tends to take a more passive posture regarding security journalists where they follow the stories and may pick up an interesting one now and then but they don’t really proactively engage with the security journalists.  One Panelist indicated that many security journalists will drop a story when the mainstream media picks it up because that usually indicates that the story is over or played-out.

4. The Panel was asked if they have any advice for bloggers and journalists on maintaining accuracy in technical details.

One Panelist indicated that there should always be some form of journalistic process involving fact checking, source checking, a sanity check from another blogger/journalist, etc. however another Panelist said that it really depends on the type of blogger or journalist, and the different types have different requirements.  Expert individuals blogging about their field of expertise may not necessarily require the same types of self-scrutiny that faux-journalists require, and ranting bloggers aren’t held to the same standards because they’re not trying to be a reputable source of information.  One Panelist also mentioned trying to avoid bias via agenda if you’re trying to be a real journalist, however certain bias if it promotes good behaviors in the reader such as encouraging additional personal research can be a good thing.

5. The Panel was asked about their thoughts on the overall journalism industry’s current struggles and perceived diminishing quality.

Most of the panel agreed that the way of physical print journalism was definitely dying, because the primary revenue stream that kept them in business, advertisement sales, just wasn’t there anymore. One Panelist noted that the current trend was to produce short, quick stories rather than longer more in-depth pieces.  Many indicated that digital journalism was the future, and much of that would be seeded by sources such as blogs.

Metasploit Framework Telephony – I)ruid

Donning my black hat for a while, I presented a turbo-talk about the new telephony library that I’ve added to Metasploit.  I discussed exploiting systems with Metasploit over dial-up and the new Metasploit Wardialer, both of which use the new telephony library.  Overall I felt my talk went really well, although I did rush through it a bit and ended at 15 minutes instead of my target 20.

Leave a Reply