Black Hat/Defcon hackfests next week promise rollicking action

Black Hat/Defcon hackfests next week promise rollicking action
Black Hat/Defcon hackfests next week promise rollicking action 

By Ellen Messmer
Network World

Rigorous and sometimes raw disclosure of network vulnerabilities will 
all be part of the action at next weeks back-to-back hackfests, Black 
Hat and Defcon in Las Vegas.

Exploits that can lure wireless LAN users into phony access control 
points, plus discussions of how to break into computers by manipulating 
coding errors will be hot topics. At one session, AirTight Networks will 
demonstrate how phony WLAN access points can be set up to trick a WLAN 
user into using them -- an attack AirTight says neither its 
intrusion-prevention system (IPS) nor anyone elses can stop.

We call it multipot, and we accidentally stumbled upon this observation 
in our own testing, says Pravin Bhagwat, CTO at AirTight, about its 
planned demo at Defcon.

The multipot attack, according to Bhagwat, is a variation on the Evil 
Twin ploy, in which a single WLAN access point is given a spoofed 
Service Set Identifier based on the SSID of a legitimate wireless access 
point, something done through WLAN sniffing.

With Evil Twin, the attacker sits in the path of the network, monitoring 
the user with the purpose of stealing log-in credentials and observing 
other traffic, says Bhagwat. Todays IPS can thwart this by breaking the 
connection by keeping track of authorized access points, he says.

But to his dismay, Bhagwat says AirTight has found if the attacker has 
set up two or more controlled Evil Twin access points to lure in a 
single WLAN user, the IPS is ineffective at repelling the attack.

You kill one connection but the new one is enabled, says Bhagwat. Why 
cant you knock both off at the same time? Because you need a sensor to 
transmit and it can only transmit one at a time. Its a cat-and-mouse 

Bhagwat says AirTight will be doing the Multipot demonstration at Defcon 
because theres a need in this industry to become aware of this so new 
technologies can be developed. AirTight says its experimenting with a 
new defense but doesnt expect to be able to publicly reveal it until 
later in October.

A session at Black Hat that could provoke discussion will show how its 
possible to remotely compromise servers by exploiting poor software 
coding called dangling pointers that developers might leave in C or C++ 

Danny Allen, director of security research at Watchfire, which will be 
demonstrating the attack, describes a dangling pointer as a software 
error in which a pointer thats supposed to indicate a specific address 
in memory holding a particular software object is actually pointing to 
an address in memory that doesnt hold anything.

Dangling pointers were never deemed to be a security risk, but well show 
a way to automate remote command execution to alter the pointer to look 
at the place where we have the ability to write code, says Allen. You 
can automate where you want malicious code to be. Were not trying to 
find your dangling pointers for you, but well show how they can be 
exploited to take root control of the machine.

Microsoft earlier this month released a patch for Microsoft Internet 
Information Server after Watchfire recently showed Microsoft how a 
dangling-pointer code flaw it had left unfixed for two years could be 
manipulated, says Allen.

Microsoft never fixed this before because it wasnt considered a security 
issue, says Allen. But in the Black Hat demonstration, Watchfire will 
present a too -- which it wont generally release -- that will show how 
to redirect dangling pointers and upload a malicious-code payload to a 
target, in this case an upatched version of Microsoft IIS. Understanding 
about security risk of dangling pointers is in its infancy, says Allen, 
but it should be on the radar screen.

Other sessions scheduled for Black Hat and Defcon next week include:

* Several presentations on the topic of fuzzing, the investigative 
  process of using specialized tools to run scripts that are tuned to 
  throw garbled data at an application in order to see how it handles it 
  in order to discover unwanted code-execution risks. At one such 
  session, researchers from TippingPoint, which are expected to discuss 
  Sulley, an open source fuzzing tool being released at Black Hat.

* Security in VoIP will get a critical review from Barrie Dempster, 
  senior security consultant at NGS Software and in a separate session, 
  from Himanshu Dwivedi, founding partner at iSec Partners, who will 
  detail exploits against VoIP protocols IAX and H.323. NGS Software 
  director of research John Heasman will also present on the security 
  implications of Apples preboot environment for Intel-based 
  Macintoshes, the Extensible Firmware Interface.

* Sipera Systems product manager Sachin Jogelar is expected to discuss 
  vulnerabilities associated with dual-mode VoIP phones that can 
  automatically switch between Wi-Fi and cellular networks.

* Researcher Roger Dingledine will discuss how the Tor anonymity network 
  he helped develop will be extended to make it harder to block users 
  accessing it.

* In a session entitled Hacking Capitalism, Matasano Security 
  researchers will detail the specialized protocols used by the 
  financial industry to execute billions of dollars in trades, and 
  discuss the flaws inherent in them. In a separate session, Matasano 
  Security promises to reveal vulnerabilities in data-leakage prevention 

* Researchers from Germany-based ERNW GmbH are scheduled for a talk 
  about Cisco Network Admission Control and its purported design flaws.

* Security researchers Joanna Rutkowska and Alexander Tereshkin, both 
  with Invisible Things Lab, are scheduled to present some new findings 
  about virtualization-based malware, new methods for compromising the 
  Vista x64 kernel and the supposed irrelevance of the Trusted Platform 
  Module and BitLocker. Rutkowska gave a presentation on rootkits and 
  Microsoft software at last years Black Hat that won a standing ovation 
  from the audience. As a counterpoint at this years event, though, 
  Symantec researchers will take an opposing view in their presentation 
  entitled Dont tell Joanna, the Virtualized Rootkit is Dead. At this 
  session, Symantec will disclose techniques for detecting any trace of 
  virtual-machine malware though not necessarily eliminating it. 
  Symantec says theres a friendly competition going on now between 
  Rutkowska and Symantec on this.

* IBM Internet Security Systems researchers Mark Dowd, John McDonald and 
  Neel Mehta will discuss C++-based security and vulnerabilities that 
  can exist in C++ applications, some which may not have been publicly 
  disclosed before.

* HD Moore, director of security at BreakingPoint Systems and founder of 
  the Metasploit Project, will discuss new techniques for compromising 
  organizations, along with new modules that will available for the 
  Metasploit Framework, an open source exploit-development platform.

* Websense researchers Stephen Chenette and Moti Joseph plan to discuss 
  how to defend against techniques disclosed earlier this year that 
  allow an attacker to manipulate the browser heap layout using specific 
  sequences of JavaScript allocation.

Social issues wont be overlooked at Black Hat, as Gadi Evron, security 
evangelist at Beyond Security, takes up the topic of Estonia: 
Information Warfare and Strategic Lessons in a talk on what happened in 
Estonia during the massive denial-of-service cyberattack there last 

And Kenneth Geers, author of several books on nations and terrorists 
interests in cyberspace, war and security, promises to take up 
provocative topics, including Which countries have the worst Orwellian 
computer networks?

Some controversy already has swirled around the Black Hat conference as 
last moth a presentation that promised to undermine chip-based desktop 
and laptop security was suddenly withdrawn without explanation. The 
briefing, TPMkit: Breaking the Legend of [Trusted Computing Groups 
Trusted Platform Module] and Vista (BitLocker), promised to show how 
computer security based on trusted platform module hardware could be 
circumvented. No explanation was forthcoming by Black Hat or the 

All contents copyright 1995-2007 Network World, Inc.

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. 

Site design & layout copyright © 1986-2014 CodeGods