By Ellen Messmer and Tim Greene
The annual Black Hat Conference, which opens July 29 at Caesar's Palace in
Las Vegas, brings together security researchers and vendors in a
freewheeling atmosphere aimed at laying bare the risks and vulnerabilities
in IT products.
Like Vegas itself, Black Hat is a gamble where anything can happen, and
this year will be no exception, with security specialists taking
well-aimed shots at two of the industry's biggest targets: Microsoft's
Vista software and myriad vendors with network access control (NAC)
With Vista still in beta, Microsoft, a key sponsor of Black Hat this year,
is inviting Black Hat attendees - 3,000 are anticipated - to identify any
security shortcomings they can in the Vista code. In a novel and candid
way, Microsoft product managers and engineers will present six sessions on
Windows Vista and its security during the conference, challenging anyone
there to rip Vista security apart.
Microsoft will find more than enough takers for that challenge.
Joanna Rutkowska, senior security researcher at Singapore-based security
firm COSEINC, will demonstrate a new rootkit for Vista during her
presentation "Subverting Vista kernel for fun and profit." A rootkit is
software that hides malicious code or computer processes, making it a
danger to users.
Called Blue Pill, Rutkowsk's rootkit is based on Advanced Micro Devices'
Storage Virtualization Manager Pacifica's virtualization technology. She
says Blue Pill is undetectable and easily installed, and doesn't require
the perpetrator to exploit a weakness in the underlying operating system.
In addition to demonstrating Blue Pill, Rutkowska will show how it's
possible to circumvent Vista security by loading only digitally signed
code into the kernel. "It's very impressive," says Marc Maiffret, founder
and chief hacking officer at eEye Digital Security, who saw the Blue Pill
rootkit and technique for bypassing Vista's security in Singapore a week
ago at the SyScan Conference, where Rutkowska first made them public.
Her bypass technique might not be a flaw Microsoft can fix easily with a
software patch, says Maiffret. "It seems to be an architectural problem
with Vista," he says. Rutkowska agrees it's a design issue and will
propose a few ways Microsoft might consider changing Vista to eliminate
the security-bypass problem. Vista's code-signing protection was devised
as a way to stop malware, such as kernel rootkits and back doors, from
being loaded into the Vista kernel, says Rutkowska, but her Black Hat
presentation will show Vista is as vulnerable to the same kernel malware
threats as its predecessors.
Although the first version of Blue Pill she developed is for Vista,
there's no reason a Blue Pill couldn't be made for other operating systems
as well, she says. She adds neither she nor her firm will release the
code, which could be used for malicious purposes.
Microsoft had no comment when questioned about Blue Pill and the Vista
security-bypass technique. Black Hat will present other sessions on
rootkits, including ones by Greg Hoglund, founder of the Rootkit.com Web
site, Jamie Butler, CTO at Komoku, and Komoku's president, William
Among the other sure-to-be-controversial conference topics: Ofir Arkin,
CTO of Insightix, is expected to detail the risks inherent in using the
array of NAC products on the market today. NAC is a term now used to
describe an array of methods to determine and enforce endpoint security.
(Read about what Pitney Bowes is doing with NAC technology. ) Cisco
and Microsoft are prominent among the scores of companies offering NAC
products, and the Trusted Computing Group has devised standards for it.
Arkin's session at Black Hat, "Bypassing network access control systems,"
is expected to cover the "flaws associated with each and every NAC
solution" and how "these flaws allow the complete bypass of each and every
[NAC] mechanism currently offered in the market," according to the Black
Hat agenda's description. He says he won't mention specific NAC products
in his talk but will explain the various categories of NAC products and
point out potential bypasses, so customers considering buying them will
recognize there may be holes to plug. "The purpose of the presentation is
to educate people that they need to look better into this market and
understand what they are receiving from [NAC] solutions so they can fill
the gap they might currently have," Arkin says.
Insightix itself makes NAC software that Arkin says gets around some of
the problems, but he says he will refrain from making a product pitch.
Some vendors could see his talk as denigrating the competition while
boosting his own fortunes. Cisco, for one, which expects to monitor the
Arkin talk, says it's reserving comment until Arkin's presentation on
Arkin says he will detail NAC's inherent problems by discussing the broad
categories of technical elements NAC schemes typically use, including DHCP
proxies, broadcast listeners, 802.1x and endpoint security assessment. For
example, he says he will point out that the DHCP proxies used to enforce
network access controls can be bypassed by a network insider issuing a
static IP address to a malicious device that wouldn't have to deal with
DHCP, or spoofing the device as a printer, switch or other device likely
to be exempt from NAC assessment.
"As long as users understand these solutions are not perfect and take
other measures, then I do my job right," Arkin says.
All contents copyright 1995-2006 Network World, Inc.
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.