Thoughts from Black Hat


By Roger A. Grimes
August 10, 2007

Talk to anyone who attends Black Hat USA conferences and you'll hear 
about how boring the talks are, how nobody learned anything new, how the 
hacks were known last year, not to mention the ridiculous posers. Ask 
those same attendees if they plan to attend next year, and they say 
"yeah" as fast as a poker player pushing all in with pocket aces.

I learned that pushing all in with pocket 5s in Las Vegas apparently 
isn't nearly as smart, but that's another topic.

While many of this year's Black Hat sessions were ultraboring (I walked 
out of more talks than I stayed in), I learned all sorts of interesting 
factoids. And although there wasn't, as in the past, any raw meat flying 
into the audience, some of the speakers were superknowledgeable and 
entertaining. Here are the ones that seemed to impress the audiences in 
the sessions I attended:

Hacking Macs is easy

And my Microsoft, Windows-loving self didn't say this. It was 
self-proclaimed Mac enthusiast and security researcher, Charles Miller, 
Ph.D., principal security analyst with Independent Security Evaluators. 
He talked about how easy it was to hack Leopard and iPhones, which share 
a common root OS.

Essentially, Dr. Miller said that Apple was falling down on the job and 
making its OS way too easy to hack. He said he found more than 50 OS X 
programs that run in the SUID (Set User ID) context, most of which had 
been made non-SUID by most Unix and Linux distros years ago. He said 
that OS X doesn't randomize memory, the stack, heap, or kernel 
instruction pointers, which are simple anti-buffer-overflow mechanisms 
deployed in Windows, Linux, BSD, and many other OSes.

He continued by listing dozens of old programs and libraries patched in 
other OSes that Apple is still installing by default, or just getting 
around to patching. Dr. Miller showed the crowd two recent JavaScript 
exploits (one on OS X and the other for the iPhone) and shared all the 
great reasons why the Mac OS X is an easy platform to exploit. He also 
shared his techniques for hacking iPhones and discussed several other 
tools that made finding Apple exploits easier. He was absolutely giddy 
about some of the new changes Apple is making that will simplify the 
life of a hacker, er, researcher in the coming months.

Ultimately, Dr. Miller lamented Apple's growing market share as matched 
against its current state of security design. A member of the audience put 
it this way: "Apple is like this little ole, family-town sheriff who's 
moved to inner-city D.C. and is attempting to spread the love. It won't 
be pretty."

Hacking RFID

For my money, Chris Paget, director of R&D for IOActive, provided great 
entertainment from his RFID hacking demos and gun-shooting videos. Paget 
and his company developed a low-cost, handheld device for cloning RFID 
cards. Paget held up several RFID cards, waved them close to his cloning 
device, and in seconds created a usable copy of the original RFID card. 
He even placed one of the RFID cards into a protective sleeve that is 
advertised to keep the RFID card safe from cloning. Within 3 seconds, 
his device successfully read the information stored on the RFID card. In 
conclusion, Paget said, "If you use 125KHz proximity cards, your doors 
are highly insecure!"

At the back of the audience, another vendor, Identity Stronghold, was 
handing out free "secure sleeves" to help protect security cards from 
malicious cloning. I asked if the card sleeve would prevent the cloning 
that Paget was demoing. "No," was the reply, "not 125KHz cards." Maybe 
it's time to investigate your company's RFID frequencies.

Phil Zimmermann showed off his new Zfone VoIP security software. It adds 
solid encryption protection to any software-based VoIP security software 
simply by installing the free software and pointing your VoIP software 
to a new host port. It doesn't use persistent keys or PKI. Mr. Zimmermann 
spent lots of time answering the audience's questions about the Zfone 
and encryption software in general. But he had me at "Today, what I 
really care about is making sure democracy continues to thrive." You 
have to admire a guy with a 30-year burning desire for the betterment of 
the commons.

Bruce Schneier gave a great second-day keynote on the psychology of 
security. If you've been following any of Bruce's writings over the last 
year, you're already intimately familiar with the topic. I think I've 
read more than half a dozen of his essays on the subject, but he still 
managed to bring fresh information to the table and was a good speaker. 
I believe everyone, involved with security or not, should read Bruce's 
provocative information.

Brandon Baker of Microsoft spoke on Windows Server 2008's new 
virtualization model used in the Windows Virtualization Server (WSV) 
server role. Although I'm unsure if the new security changes apply to 
just WSV or virtualization in general, here's the gist of the newer 
security implementation: In older-style VMs, Guest OSes ran their kernel 
in the processor's Ring 1 (instead of Ring 0) and their applications in 
Ring 3. This necessitated that VM software fake the Guest OSes' kernel 
into thinking it was running in Ring 0, as it expected. This required 
virtualization tricks and special VM drivers.

The newer VM security model uses Intel and AMD hypervisor processor 
extensions to separate memory, CPU, and other resources into one or more 
partitions. The software portion of the hypervisor and the VM software 
run in the root partition. All Guest OSes run in separate partitions 
with separate resources, but with access to Ring 0 and above. This means 
no special VM drivers are needed. However, Guest OSes are prevented from 
directly accessing hardware by the extensions built into the CPUs.

Baker went on to summarize the threat-modeling scenarios and assumptions 
used to secure the next-generation virtualization software. He even 
covered threats they didn't address (for example, utilization DoS 
attacks, covert channels, and so on) inside of each partition and where 
the biggest risks were. This was nothing new for those who follow 
virtualization, but it offered a nice, short presentation of the 
implemented changes.

Former chief counterterrorism advisor Richard Clarke gave the first 
day's keynote. I've seen him speak twice this year, and both times he 
thoroughly entertained the audience. I was upset that he took both 
opportunities to shamelessly hawk his latest book; the guy's being paid 
to speak about security issues near and dear to our hearts, not to plug 
his writing. I have to say that my opinion of him has dropped 
considerably. I'm shocked. (In an unrelated story, my seventh book on 
computer security, "Windows Vista Security: Securing Vista Against 
Malicious Attacks," written with Dr. Jesper Johansson, is finally out 
and sold well at Black Hat. I'm shocked, I tell you.)
