By Ellen Messmer
August 06, 2007
If Las Vegas is a place to expose all, then that notion worked for the
security experts who spent two days here at the Black Hat Conference
laying bare the security weaknesses of everything from VoIP, to
rootkits, and mobile phones.
For the roughly 3,700 attendees who packed the conference held at
Caesar's Palace, it was a walk on the wild side as some security
practitioners shed their reserve and gloried in the naked truth that the
computer systems in use today are pretty much just putty in the hands of
a good hacker. At one session, speaker Nick Barbour, senior consultant
at security services firm Mandiant, went so far as to educate his
audience on how to write better malware.
"Being able to find more clever malware that can evade forensics will
make my job more interesting," said Barbour, who gave a presentation
titled "Stealth Secrets of the Malware Ninjas." Barbour went on to
describe in detail techniques for Live System Anti-Forensics, Windows
hook injection mechanisms, Library Injections and more that he assured
his listeners could take evasive malware to a new level. "This talk is
mostly about evil."
Much in keeping with the theme of Black Hat, where honesty is not the
best policy but the only policy, iSec Partners security experts Himanshu
Dwivedi and Zane Lackey took the stage to deliver the bad news: VoIP
systems based on H.323 and the Inter Asterisk eXchange (IAX) protocols
can be fairly easily compromised and brought down.
"There are a lot of known problems with SIP," said Dwivedi, principal
partner at iSec, referring to the VoIP Session Initiation Protocol. "But
we are here to say H.323 and IAX are just as bad."
In case anyone doubts their revelations about how weak authentication
and authorisation design in H.323 and IAX can let attackers compromise
VoIP systems and launch denial-of-service (DoS) attacks, they have made
available exploit tools on the iSec Partners Web site to prove their
Returning to Black Hat to take up the theme of virtualisation rootkits,
Joanna Rutkowska, the noted expert who brought the topic to worldwide
attention last year with her virtualisation rootkit malware called "Blue
Pill," acknowledged that researchers are getting closer to detecting her
creation. At the end of her technical presentation, she announced she
was posting Blue Pill - and its nested hypervisor variant New Blue Pill
- for general download.
That evoked some concern at Symantec, which had been begging her to
share a Blue Pill sample prior to the conference because Symantec,
Matasano Security and Root Labs are teaming on a project to detect
virtualisation malware, and the only virtualised malware they had tested
was on something they already had in hand, Vitriol, created by
researcher Dino Dai Zovi.
"We think it's actually quite dangerous to release code like that to the
public," said Oliver Friedrichs, director of Symantec's Security
Response division, about the release of Blue Pill. While the stealthy
Blue Pill is intended for research purposes only, Symantec anticipates
it could quickly become a new attack vector. He said there were no plans
to release Vitriol, a similar type of virtualisation rootkit.
Hacker techniques for DoS and botnet attacks are making their way into
social conflicts, such as the cyber attacks that occurred earlier this
year against Estonia, a small nation of 1.3 million people with a
well-developed Internet-based ecommerce and web infrastructure.
Estonia saw its banking and government websites electronically fired on
in late April and May. The electronic DoS attacks, coupled with what one
investigator says was a custom-built botnet designed to disrupt Estonian
home and business networks, came as tensions between Russian
nationalists and Estonians spilled over into street riots in the
"I tried to understand both sides," said Gadi Evron, the well-known
botnet hunter who works for Beyond Security and also the Israeli
Computer Emergency Response Team (CERT), who says he was invited by the
Estonian CERT to help with defence and analysing the aftermath of the
event, which some are calling the "first Internet war."
Evron, who said during his Black Hat presentation that he wouldn't use
that term but it was a cyber-conflict, said the current analysis done
with Estonian officials indicates the first wave of DoS attacks against
specific Web sites may have been triggered by the "Russian blogosphere"
where angry Russian speakers urged use of attack tools to ping websites.
"They provided a tool for the entire population to use," Evron said.
The second phase of the attacks a few weeks later saw something more
sinister. "One attack was launched by specifically crafted bots," Evron
said. "The attack target was hard-coded into the source."
These hard-coded bots, designed to attack specific Estonia websites,
were dropped onto home computers in Estonia, basically making Estonian
home computers the source of attacks on their own country's
infrastructure. In the aftermath, analysts are now trying to figure out
whether the attack was simply energetic hacktivists, or something even
darker, like a coordinated attack by the Moscow Kremlin, something the
Russian Government has fiercely denied.
"Who is behind the attacks?" Evron said, answering with some wry humour,
"The KGB. But that doesn't exist anymore."
While the old Soviet Union's KGB secret security service technically no
longer exists, it's hard to forget its style. "OK, the KGB no longer
exists," Evron said. "I can't tell if it was something random from the
blogosphere or a planned attack." But he added: "I find it hard to
believe it was a mere epidemic."
Several signs point to a well-organised plan with attack events
commencing at virtually the same time. "The Russian-language blogosphere
was updated periodically with new attack instructions," he noted. "It
was adjusting and responding to the defensive actions of Estonia."
Evron noted that this style of Internet-based information battle is
likely to be part and parcel of future conflicts, where adversaries turn
citizens' computers and networks against them.
Not all the news was bad at Black Hat.
For instance, at least we can take comfort in the fact that cell-phone
and smartphone viruses still constitute a minute proportion of the
hundreds of thousands of overall computer viruses, with only 373
distinct phone-based specimens to worry about so far.
That's according to Mikko Hypponen, chief research officer at F-Secure,
whose Black Hat presentation vividly demonstrated how some of those
phone viruses can attack phones via Bluetooth wireless and other means.
Most phone-based viruses are targeting Symbian platform phones today,
said Hypponen, though he guessed that would shift more toward Windows
Mobile and the iPhone. Cell-phone virus writers today largely just
remain malicious pranksters who write malware to disrupt phone use, he
So far there's little indication that these virus writers are turning
into the kind of money-loving types who write malware for PCs today
mainly to make a buck. Nor has the type of malware hitting PCs these
days, such as rootkits or viruses that replicate over email, yet been
seen, "and we haven't seen anything that we couldn't clean and get out
of a phone," Hypponen concluded.