Jagged Thoughts | Dr. John Linwood Griffin

August 14, 2011

Black Hat USA 2011 and DEF CON 19

Filed under: Reviews — JLG @ 12:19 PM

This week I attended BH and DC for the first time.  My takeaways are:

1. Recent legislation and threats of lawsuits have had a chilling effect on the work presented at these conferences.

I felt there were very few “success stories” of systems hacked or security measures defeated.  Even the white-hat types who presented seemed subdued in the impact or scope of the projects they presented.  For example, one of my favorite talks was “Battery firmware hacking” by Dr. Charlie Miller; see for example http://hardware.slashdot.org/story/11/07/22/2021230/Apple-Laptops-Vulnerable-To-Battery-Firmware-Hack.  Miller described how he discovered the default unlock code for the battery firmware for Apple batteries, and showed some of the values that could be modified, and described the process of updating the firmware…but didn’t go so far as to show a video of a battery catching fire or exploding.  It seems implausible to me that he didn’t try it [he claimed he didn’t] — leading several attendees to opine that he was threatened with a lawsuit from Apple [as he allegedly was in previous years] if he did so.

2. Everyone under the sun identifies themselves as a “pen tester”.

Either there is far more work on penetration testing than I was aware of, or someone’s lyin’.  (One of my friends suggested that “pen tester” is also used as a G-rated term for someone who does computer network operations [CNO]-type work for hire, especially in the shady world of corporate espionage, so perhaps it’s just a catch-all euphemism.)  This made me wonder what competitive advantages are marketed in penetration testing — cost? speed? past performance? specialization by technology or by threat?

3. It’s probably a lot easier to be invited to speak at these conferences than you would think.

The quality of work presented was low, especially at DC.  If you are interested in presenting you need to have some sort of interesting hobby or side project.  Spend a couple of months hacking on an interesting enough idea and you could be standing on a stage in Vegas next summer.

4. It’s the year of the UAV!  (Unless that year was last year.)

There were at least two homebrew unmanned aerial vehicles on display, including a neat one that had vertical take-off and landing (VTOL) capability.  One of the BH talks was “Aerial Cyber Apocalypse: If we can do it… they can too” where the presenters (Richard Perkins and Mike Tassey) detailed the construction of their inexpensive autonomous UAV with 10-pound payload (in their case, with signals intelligence equipment onboard).  Yikes.  Based on my previous experience with the DoD SBIR program, I anticipate a surge in Government solicitations to detect and deflect UAVs over the next 1-2 years in response to the commoditization of cheap payload-capable UAV technology.

5. There is an exciting new DARPA program for hackers to get fast and short-term funding for their hacking.

The usual contracting process (get a DUNS number, then get another number, then put an accounting system in place, then competitively bid on a proposal, then wait 3-6 months, then get a contract in place, then deliver in 6-12 months) can take upwards of 6-7 years to transition useful technology to the Government.  A DARPA program manager (Pieter “Mudge” Zatko) has pushed through a program (DARPA-RA-11-52) wherein small groups of hackers can receive small amounts of money in only two weeks, without having to jump through the usual contracting hoops, and you retain commercial rights to the resulting work.  I’ve heard people talk before about trying to streamline the Government funding process but this is the first concrete example I’ve seen…I hope it works.

6. There were many talks on mobile device and mobile infrastructure [in]security, especially focused on Apple products.

These included:  A talk on behavior-based intrusion detection systems (a complementary approach to signature-based IDSes) in the context of mobile devices, drawing on similar work done on regular OSes (system calls made, resources utilized, Internet destinations contacted); a talk discussing kernel-level exploitation of iPhones using previously disclosed vulnerabilities (uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows); a talk identifying vulnerabilities in the Android OS and in applications on the Android Market; a talk discussing the length of time (surprisingly, months) it takes for Android security updates to be installed by at least 50% of vulnerable systems; and a talk about reverse-engineering the enterprise-targeted “mobile device management (MDM)” infrastructure available for IT departments to use to push security policies onto iOS devices (and how the MDM process could be co-opted by a sophisticated attacker to gain access to a device).

The work I found most interesting is as follows:

A. “Virtualization Under Attack: Breaking out of KVM”

When virtualization is used for security and isolation between VMs, it is important that the hypervisor itself isn’t a vulnerability vector.  The speaker used a known vulnerability in the Linux KVM (kernel virtual machine) implementation — KVM supports hotplugging but allows you to unplug a device that shouldn’t be unplugged (the emulated real-time clock), resulting in an exploitable dangling pointer — allowing the speaker to run shellcode on the host.  I didn’t see this talk in person but reportedly the talk concluded with a “demonstration against a live KVM instance”.  Note that this doesn’t represent a vulnerability inherent to all hypervisors; just of an unpatched version of KVM.

B. “Beyond files undeleting: OWADE”

As described by the speakers:  “To reconstruct the users online activity from his hard-drive, we have developed OWADE (Offline Windows Analysis and Data Extraction), an open-source tool that is able to perform the advanced analysis required to extract the sensitive data stored by Windows, the browsers, and the instant messaging software.  OWADE decrypts and geolocates the historical WiFi data stored by Windows, providing a list of WiFi points the computer has accessed (including the locations of the access points to within 500 feet) and when each point was last accessed. It can also recover all the logins and passwords stored in popular browsers (Internet Explorer, Firefox, Safari, and Chrome) and instant messaging software (Skype, MSN live, Gtalk, etc.). Finally, it can reconstruct the users online activity by reconstructing their browsing history from various sources: browsers, the Windows registry, and the Windows certificate store.  In certain cases, OWADE is even able to partially recover the users data even when the user has utilized the browsers private mode.”

C. “Legal Aspects of Cybersecurity–(AKA) CYBERLAW: A Year in Review, Cases, issues, your questions my (alleged) answers”

The speaker provided a fascinating tour of cyber law precedent set over the previous year — for example, the decision in the Google wardriving case that just because a wireless network is unencrypted doesn’t mean that the general public is allowed to sniff traffic on the network; doing so may still violate the federal Wiretap Act if “the networks were configured to prevent the general public from gaining access to the data packets without the assistance of sophisticated technology.”  (I’m still trying to figure out what “configured to prevent” means in this case — does it mean the SSID wasn’t broadcast in the beacon frames?)

D. “SSL And The Future Of Authenticity”

The speaker spoke disparagingly about certificate-based authenticity in SSL.  Astonishingly, the author discovered (by looking up and cold-calling one of the original authors of SSL) that certificates were a last-minute design hack and were not thoroughly considered or evaluated.  As a result we have the certificate system we have today, where once you decide to trust a certificate authority you can never revoke that trust; see for example the Comodo hack earlier this year that resulted in false but valid certificates being issued in Iran for major sites (Google, Yahoo, Skype).  The speaker released a browser plugin that uses P2P-like multipath collaboration to determine the authenticity of the credentials presented by a remote site.  It will be interesting to see if the plugin catches on.
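The multipath idea is easy to model: several independent vantage points (“notaries”) each fetch the site’s certificate and report its fingerprint, and the browser compares its own view against theirs.  The following is an added example of that decision logic, not the plugin’s code or its actual protocol; the notary names, the fingerprints and the two decision policies are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of multipath certificate checking: each notary connects to
# the site from its own network position and reports the fingerprint it saw.
# None means the notary could not reach the site at all.


@dataclass
class NotaryReport:
    notary: str
    fingerprint: Optional[str]


def evaluate_certificate(observed_fp: str, reports: List[NotaryReport],
                         policy: str = "majority", min_responses: int = 2) -> str:
    """Return 'trusted', 'untrusted' or 'undecided'.

    policy='consensus': every responding notary must have seen observed_fp.
    policy='majority' : more than half of the responding notaries must have.
    Fewer than min_responses reachable notaries gives 'undecided' rather than
    a false sense of either safety or attack (the notaries may simply be down).
    """
    seen = [r.fingerprint.lower() for r in reports if r.fingerprint is not None]
    if len(seen) < min_responses:
        return "undecided"
    agreeing = sum(1 for fp in seen if fp == observed_fp.lower())
    if policy == "consensus":
        return "trusted" if agreeing == len(seen) else "untrusted"
    if policy == "majority":
        return "trusted" if agreeing * 2 > len(seen) else "untrusted"
    raise ValueError(f"unknown policy: {policy}")


def disagreeing_notaries(observed_fp: str, reports: List[NotaryReport]) -> List[str]:
    """Names of the notaries that saw a different certificate than we did.
    One disagreeing notary suggests a problem on *its* path; all of them
    disagreeing suggests the problem is on *our* path."""
    return [r.notary for r in reports
            if r.fingerprint is not None and r.fingerprint.lower() != observed_fp.lower()]


if __name__ == "__main__":
    # Constructed sample: the browser saw 11:22 but every notary saw ab:cd.
    reports = [NotaryReport("notary-a", "ab:cd"),
               NotaryReport("notary-b", "AB:CD"),
               NotaryReport("notary-c", None)]
    print(evaluate_certificate("11:22", reports))        # untrusted
    print(disagreeing_notaries("11:22", reports))        # ['notary-a', 'notary-b']
```

The interesting design choice is the third verdict: when too few notaries answer, the client should neither fall back to silent trust nor raise a false alarm, and a site that has just legitimately rotated its certificate will look, briefly, like a disagreement until the notaries refresh their view.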

E. “Femtocells: A poisonous needle in the operator’s hay stack”

The speaker noted the rise of femtocells (home base stations to which your cellular phone can directly connect to make phone calls and transfer data) and described a fatal flaw in their design and deployment:  Whoever deploys such a device is able to overwrite the firmware on the femtocell and can interpose as a man-in-the-middle on voice and data communications; critically, the link between the phone and the femtocell is encrypted but the link between the femtocell and the cellular backend is *not*.  (The speaker demonstrated this using a real femtocell.)  Also, since the femtocell is a trusted element in the cellular network, it can both collect subscriber/location information from other femtocells on the network, and it can be used as a platform to DoS or otherwise attack the cellular network infrastructure.

F. “Lives On The Line: Defending Crisis Maps in Libya, Sudan, and Pakistan”

The speaker described “crisis mapping” — an interesting use of SMS messages for those in need to communicate with emergency responders during situations of disaster or civil unrest.  From the speaker’s paper: “Days after a 7.0 magnitude earthquake decimated the capital city of Haiti, a small team of technologists acquired the SMS shortcode 4636 and published the number throughout the disaster affected area. The project, which came to be known as Mission 4636, received over 50,000 SMS messages from citizens on the ground — messages containing calls for help from newly formed camps in open spaces such as sports fields and the locations of people trapped inside buildings.  The messages, most of which were received in Haitian Kreyol, were translated by an online team of over 1000 members of the Haitian diaspora collected through Facebook, then geolocated by additional online volunteers to pinpoint the location where the messages originated.  The processed messages were then forwarded to relief agencies on the ground[.]  Those reports enabled the response agencies to develop situational awareness on the ground and determine where aid was most needed.”  The speaker highlighted unsolved vulnerabilities in crisis mapping (organization and authentication; platform choice and location; message collection, processing and presentation) and called for standardization work to address these vulnerabilities.

G. “Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption”

This work is of interest to anyone doing application development for the iOS platform; the paper surveys iOS security features including address space layout randomization (ASLR), code signing, sandboxing, and encryption.  Regarding encryption, the author concludes: “The Data Protection API in iOS is a well designed foundation that enables iOS applications to easily declare which files and Keychain items contain sensitive information and should be protected when not immediately needed. There are no obvious flaws in its design or use of cryptography. It is, however, too sparingly used by the built-in applications in iOS 4, let alone by third-party applications. This leaves the vast majority of data stored on a lost device subject to recovery if a remote wipe command is not sent in time.  The default iOS simple four-digit passcodes can be guessed in under 20 minutes using freely available tools, which will allow the attacker with physical access to the device to also decrypt any files or items in the Keychain that are protected using the Data Protection API. For this reason, it is crucial that sufficiently complex passcodes be used on all iOS devices.  Even with sufficiently complex passcodes, there are a number of sensitive passwords that may be recovered from a lost device, including passwords for Microsoft Exchange accounts, VPN shared secrets, and WiFi WPA passwords. This should be taken into account and these passwords should be changed if an iOS device storing them is lost.”

H. “Security When Nano-seconds Count”

The speaker described the computing architecture (bleeding edge) and security implications (no security whatsoever) of high-frequency trading computers on Wall Street.  This is an environment where microsecond delays in processing or communications can result in huge amounts of dollar losses.  In the speaker’s words: “For nearly all installations, the usual perimeter defensive mechanisms will be completely absent.  You won’t find a firewall, you won’t see routers with ACLs, you won’t see IDS and frankly, anything that you’d recognize as a security tool.  The essential reason that security devices are largely (if not wholly) absent from most implementations is that the best the IT Security industry can offer falls short.  Most commercial firewalls process data and add a few milliseconds of additional latency.  In the vast majority of interconnection scenarios, a few milliseconds isn’t that much of a problem.  In the case of low latency trading, it’s about 100,000 times too slow.  In addition to products which simply do not support this mode of operation, there’s a skills gap in the practitioner space….”

I. “Bit-squatting: DNS Hijacking without exploitation”

The speaker argues that bit flips in memory are more common than you’d think — given the number of devices and the amount of RAM deployed in the world, the speaker estimates a bit-flip rate of approximately 600k bit-flips per hour.  To test whether bit flips were occurring in practice, the speaker registered 31 “bit-flipped” domains such as “mic2osoft.com” (one bit away from “microsoft.com”).  Surprisingly, the author saw about 50 web requests per day to these domains (after manually filtering out web vulnerability scanners, search engine crawlers, and other web spiders) that could be attributed to memory bit-flips.  I’m not convinced of the rigor of the authors’ work, but the result is neat and certainly warrants further investigation.
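To make the “one bit away” notion concrete, here is an added example (my own code, not from the talk) that enumerates every syntactically valid label exactly one bit-flip away from a target label, so a domain owner can see which neighbours exist to register defensively, and, for the log-review side, recovers which bit flipped in an observed near-miss name.  It assumes the TLD stays fixed (flips inside “.com” or the dot do not yield a registrable name under the same TLD) and treats uppercase flips as the same name, since DNS is case-insensitive.

```python
import string
from typing import List, Optional, Tuple

# Characters allowed in a DNS label (letters, digits, hyphen). Lowercase only:
# a flip of bit 5 turns 'm' into 'M', which DNS treats as the same name, so
# it is not a distinct bit-squat.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bit_flip_variants(label: str) -> List[str]:
    """All distinct, syntactically valid labels exactly one bit away from `label`."""
    label = label.lower()
    variants = set()
    for pos, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped not in LABEL_CHARS:
                continue  # control char, punctuation, uppercase or >= 0x80
            candidate = label[:pos] + flipped + label[pos + 1:]
            if candidate.startswith("-") or candidate.endswith("-"):
                continue  # a label may contain but not begin or end with '-'
            variants.add(candidate)
    return sorted(variants)


def bitsquat_domains(domain: str) -> List[str]:
    """Variants of the second-level label with the original TLD kept.
    Assumption: flips inside the TLD or the dot are ignored, since they do
    not produce a name one could register under the same TLD."""
    label, dot, tld = domain.lower().rpartition(".")
    if not dot:
        raise ValueError("expected a name of the form label.tld")
    return [f"{v}.{tld}" for v in bit_flip_variants(label)]


def flipped_bit(target: str, observed: str) -> Optional[Tuple[int, int]]:
    """Detection helper: if `observed` differs from `target` by exactly one
    bit in one character, return (character position, bit index); else None.
    Handy when explaining why a Host-header log contains near-miss names."""
    target, observed = target.lower(), observed.lower()
    if len(target) != len(observed):
        return None
    diffs = [(i, ord(a) ^ ord(b))
             for i, (a, b) in enumerate(zip(target, observed)) if a != b]
    if len(diffs) != 1:
        return None
    pos, xor = diffs[0]
    if xor & (xor - 1):  # more than one bit differs in that character
        return None
    return pos, xor.bit_length() - 1


if __name__ == "__main__":
    names = bitsquat_domains("microsoft.com")
    print(len(names), "one-bit neighbours, e.g.", names[:5])
    print(flipped_bit("microsoft", "mic2osoft"))  # (3, 6): 'r' ^ 0x40 == '2'
```

Running it shows why the speaker’s sample was small enough to register by hand: a nine-letter label has only a few dozen valid one-bit neighbours, because most flips land on punctuation, control characters or bytes above 0x7F that no resolver will accept.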

J. “Chip & PIN is definitely broken: Credit Card skimming and PIN harvesting in an EMV world”

The speakers presented truly terrifying work.  The “chip and PIN” system uses a smartcard credit card in combination with a user-supplied PIN to authenticate a credit or debit transaction.  Previous work showed that chip-and-PIN cards can be used successfully without knowing the PIN; this work demonstrated that skimmers (to capture the card data plus the PIN) are easy to build and use.  The “terrifying” part is the authors’ observation that banks are shifting liability to the consumer now that the PIN is used for authentication: “the cardholder is assumed to be liable unless they can unquestionably prove they were not present for the transaction, did not authorize the transaction, and did not inadvertently assist the transaction through PIN disclosure.”  They noted a case in June 2011 where a Canadian bank refused to void a fraudulent $81,276 transaction because “our records show that this was a chip-and-PIN transaction. This means [the customer] personal card and personal PIN number were used in carrying out this transaction. As a result, [the customer] is liable for the transaction.”  Two of the four authors (all European) had fraudulent activity on their chip-and-PIN cards in the month preceding their talk.

K. “Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers”

In the past I’ve seen work on how much information is stored in a network on auxiliary devices such as printers, photocopiers, and VoIP systems.  The authors revisited this topic, looking specifically for embedded web servers on a network, and published a tool (BrEWS) to identify and enumerate these devices on a network.  What I found interesting about their work was their use of Shodan, a queryable commercial database that can be used to find publicly visible embedded web servers (by searching for unique strings in the web server headers returned by these devices).  The authors note that Google and other companies try to block results for such vulnerable systems, but someone who knows where to look (Shodan in this case; I was previously unaware of that service) can easily and inexpensively buy the search results of interest.
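The technique underneath both BrEWS and the Shodan queries is a string match against what an HTTP server says about itself.  The following added example (not BrEWS’s code, and not its signature set) shows that inventory step run over your own network’s responses: it parses response headers and flags hosts whose Server or WWW-Authenticate header contains a substring associated with an embedded web server.  The signature list and the sample responses are constructed for illustration; a real deployment would carry a much longer, maintained list.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample signatures (assumption for illustration). Each key is a
# substring to look for in the Server / WWW-Authenticate headers.
EMBEDDED_SIGNATURES: Dict[str, str] = {
    "RomPager": "embedded HTTP server typical of routers and modems",
    "EmWeb": "embedded HTTP server typical of printers",
    "ACME-Embedded-Admin": "hypothetical vendor string, constructed",
}

# Constructed sample responses from three private-network hosts.
SAMPLE_RESPONSES: Dict[str, str] = {
    "10.0.0.10": "HTTP/1.1 200 OK\r\nServer: RomPager/4.07 UPnP/1.0\r\n"
                 "Content-Type: text/html\r\n\r\n<html>...",
    "10.0.0.20": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.17\r\n"
                 "Content-Type: text/html\r\n\r\n<html>...",
    "10.0.0.30": "HTTP/1.1 401 Unauthorized\r\nServer: Virata-EmWeb/R6_2_1\r\n"
                 "WWW-Authenticate: Basic realm=\"Printer Admin\"\r\n\r\n",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header section of an HTTP response; the status line is dropped
    and header names are lower-cased. Stops at the blank line before the body."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_response(raw: str) -> Optional[str]:
    """Return the matching signature's description, or None if the response
    does not look like an embedded web server."""
    headers = parse_headers(raw)
    haystack = " ".join(headers.get(k, "") for k in ("server", "www-authenticate")).lower()
    for needle, description in EMBEDDED_SIGNATURES.items():
        if needle.lower() in haystack:
            return description
    return None


def inventory(responses: Dict[str, str]) -> List[Tuple[str, str]]:
    """(host, description) for every host that matched a signature."""
    found = []
    for host, raw in responses.items():
        description = classify_response(raw)
        if description is not None:
            found.append((host, description))
    return found


if __name__ == "__main__":
    for host, description in inventory(SAMPLE_RESPONSES):
        print(f"{host}: {description}")
```

The same matching is what makes these devices trivially findable from the outside once their banners are indexed, which is the practical argument for running the inventory yourself before someone else does, and for keeping management interfaces off routable addresses.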

I’m told that the full proceedings (including videos) are usually posted on the BH and DC web sites later in the year:
https://www.blackhat.com/html/bh-us-11/bh-us-11-home.html
https://www.defcon.org/html/defcon-19/dc-19-index.html

Final thoughts:

OVERALL IMPRESSION: I’ve previously attended only academic security conferences (CCS, NDSS, USENIX Security, DSN) and had been told to expect something different at BH and DC (i.e., haxx0rz).  I wasn’t disappointed (there were haxx0rz aplenty) although overall I was less impressed than I had expected to be.  Much of the work was simply incomplete — the CFP for both conferences closed in May and it turns out to be common practice for speakers to submit incomplete/work-in-progress ideas while planning to complete the work (or demonstrate the cool result) by the time August rolls around…but unfortunately many people weren’t able to complete the work or show the cool result.  Add to that the “chilling effect” described above and overall I felt the conference leadership really needs to address the quality-of-work problem.  Still, I’m glad I attended both conferences & I’ve walked away with stronger skills and knowledge.

BH VALUE: The most valuable thing about Black Hat was the vendor floor.  Unlike other vendor floors I’ve seen, this one had genuine engineers and techie types manning the booths — meaning that attendees could ask nitty-gritty questions about the products and services hawked by the vendors and get useful answers.  Many of the major CNO or security players had a booth so I was able to get a feel for the state of the industry and especially the state of commercial products to support network defense and computer forensics.  BH also ran a contest that required you to visit at least 15 of the vendor booths which turns out to be a great way to force you to talk with folks you wouldn’t have otherwise.  On the downside, a problem with BH is that they run multiple tracks (around 8 tracks simultaneously over the two days) meaning you miss many of the talks you would want to see; fortunately many of the slides and papers are available on the conference CD.

The Black Hat briefings are expensive (~$2000) but they are one of the leading venues for open CNO discussions.

DC VALUE: The most valuable thing about Def Con was what happened outside the talks.  The DC organizers work hard to give the event a spontaneous hacker vibe and to encourage spontaneous hacking (defined as “curiosity and exploration of cool things”).  So there was a room filled with soldering irons and electronics puzzles and challenges; there was a lockpicking room where you could buy lockpicking sets and locks to practice upon; there were contests everywhere and parties and movies every night and long lines and fifteen thousand reasonably hygienic people packed into a series of small rooms.  They even annually run an amateur radio exam session at DC (I took the exams and qualified for a General-class amateur radio license; I missed the Extra-class license by two questions out of 50).

Def Con is cheap ($150), is interesting, and is in a fun location (Vegas).  Of particular value is that many of the BH talks are repeated at DC.  Next year is their 20th conference and should be an especially good year to attend.