Sharing Insecurities at Black Hat

Security experts, malware ninjas and hackers of all shades packed the hallways of the Palace Tower conference area at Caesar’s Palace in Las Vegas Aug. 1 and 2 for the 11th AnnualBlack Hat Briefings USA conference.The event provides security pros with a venue for outlining the latest flaws, both technological and human, in today’s digital defenses.

While it’s likely a portion of Black Hat’s attendees make their living through — or at the very least dabble in — illegal activities like piracy and identity theft, the conference is not an underground gathering of criminals. It’s sponsored by legitimate security vendors, and presenters expose flaws with the intention of showing the industry where its own weaknesses lie. The point is to get burned in a controlled environment. It beats getting burned in the wild.

“A lot of the security incidents we see these days are because developers haven’t been burned,” Jason Lewis, systems architect atSoteria Network Technologies, told TechNewsWorld “This also applies to IT support staff — if I’m aware that FTP (file transfer protocol) has a remote exploit, I’m going to remove the service from my system. The idea that not talking about a vulnerability will keep people safe is naive.”

Black Hat is all about the exchange of information, added Jeremiah Grossman, CTO ofWhite Hat Security.

“The people in attendance all share similar interests — understanding how to effectively attack and defend various computer systems,” he told TechNewsWorld.

Access Denied

Black Hat Director Jeff Moss opened the conference by noting that attendees came from 50 countries. “They managed to make it in past IS (internal security),” he remarked.

That was not the case for all of the speakers Black Hat hoped to present. Reverse engineer Thomas Dillien, also known as “Halvar Flake,” was denied entry to the U.S., said Moss. Officials detained him for carrying the materials he meant to present as a private citizen rather than as a representative of an organization, according to an entry on Dillien’s blog. Moss lamented the legal difficulties of getting good presenters to the event, a trend he said will “stifle this business.”

Following the keynote addresses, attendees dispersed to nine conference areas for briefings related to voice services security, reverse engineering, forensics and anti-forensics, and all-around “cool stuff” — each designed to draw attention to security blind spots.

“The flaws revealed in forensics software seem to be the most damaging,” Lewis remarked. “If computer-related convictions have been made with tools that have critical weaknesses, that could make things difficult for computer crime prosecutions. This year’s Black Hat followed a tradition of introducing new ideas and methods for compromising systems.”

Mutant Worms and Embarrassing Ajax-Ulations

The threats detailed at Black Hat were not necessarily new, noted Grossman; however, many known threats are growing in severity. “The rate of vulnerability exploitation is up, as well as the interest in monetizing illegal activity,” he said.

For one demo, Billy Hoffman, lead security researcher atSPI Dynamics, and John Terrill, executive VP and cofounder ofEnterprise Management Technology, created a monster, putting the spotlight on a threat not getting as much attention as it did a few years ago — worms.

Sipping Red Bull and talking a mile a minute, Hoffman described “The Little Hybrid Web Worm That Could,” a worm that utilizes client-side and server-side languages and latches onto browsers and servers to spread across multiple hosts, all the while upgrading its infection methods while in the wild. The pair stopped short of building a fully functional worm with such properties, though they did demo components of the worm in an isolated environment.

Hoffman also joined Bryan Sullivan, development manager at SPI Dynamics, to give Ajax (asynchronous JavaScript and XML) a cold shower in the briefing “Premature AJAX-ulation.” As Web developers fall over themselves to create Ajax apps, they said, not nearly enough attention is paid to security flaws, several of which the pair demonstrated.

“The biggest threats seem to continue to be around application security, specifically Ajax, and, in general, Web 2.0 technologies,” Mandeep Khera, VP of marketing forCenzic, told TechNewsWorld. “However, we need to cut through the hype and understand that even though Ajax is becoming increasingly important, there are less than 1 percent of applications that are Ajax. Corporations need to focus on fixing their legacy applications as well.”

Not all sessions required that attendees have advanced knowledge of coding and network infrastructure to understand the presentations. Wednesday evening, security researcher and author Johnny Long put his slideshow skills to use, generating laughs from a packed audience during his talk on “No-Tech Hacking” — in other words, social engineering.

Coding skills are one thing, but simple tricks like sneaking a look over someone’s shoulder to see their desktop screen, entering through a so-called secure building’s smokers’ entrance, and pretending to be an AT&T maintenance guy, Long said, are skills of the true hacker ninja.

Guard Your Flank

Walking through a conference populated by computer experts constantly on the lookout for the latest chinks in digital armor, one couldn’t help but suspect that some of the attendees plunking away at laptops might be testing new ways to snoop on computers in their immediate vicinity. Black Hat’s own literature warned about the use of wireless devices in the Palace Tower, with a note reading, “Help prevent MitM (man-in-the-middle) Attacks, please create a static ARP (address resolution protocol) entry” — followed by instructions on how to do so.

“Normal prophylactics apply,” added Moss in his introduction address.

Almost everyone at the conference carried a notebook, smartphone or UMPC (ultra-mobile PC), and despite the security warnings, hacks happened. Take, for instance, the attendee whose Gmail home screen was flashed on the projector for all to see during an Errata Security demonstration of a WiFi sniffing tool.

Do conferences like these breed insecurity, showing malicious hackers new tricks to commit crime?

“Not really,” asserted Grossman. “Attackers don’t typically time their profit-driven exploits to coincide with conferences. The real ‘bad guys’ already have the tools and exploits they need — which doesn’t necessarily mean it’s cutting-edge — to monetize their activity. Black Hat provides a forum to discuss what the attackers are likely to be exploiting, and how, two to three years from now.”

Still, noted Soteria’s Lewis, Black Hat events do tend to coincide with a wave of patches coming from software providers. “It looks like Apple released iPhone fixes the day before Black Hat because of the Charlie Miller presentation,” he said, referring to the briefing “Hacking Leopard: Tools and Techniques for Attacking the Newest Mac OS X.”

Miller is senior security analyst forIndependent Security Evaluators, which last month publicized a flaw in the iPhone that would allow a hacker to take complete control of the device.

Not all hacks go off without a hitch. As conference-goers milled around coffee and bagel carts Thursday morning, a fire alarm sounded, complete with strobe lights and an automated voice ordering everyone out of the building. All seemed to notice; none seemed to care.

After a moment of looking around, perhaps for smoke or panicked hotel employees, people ignored the sirens and resumed their conversations. If some hackers had a master plan that involved evacuating Black Hat, well, that attack failed to own anyone.