By Roger A. Grimes
August 10, 2007
Talk to anyone who attends Black Hat USA conferences and you'll hear
about how boring the talks are, how nobody learned anything new, how the
hacks were known last year not to mention the ridiculous posers. Ask
those same attendees if they plan to attend next year, and they say
"yeah" as fast as a poker player pushing all in with pocket aces.
I learned that pushing all in with pocket 5s in Las Vegas apparently
isn't nearly as smart, but that's another topic.
While many of this year's Black Hat sessions were ultraboring I walked
out of more talks than I stayed in I learned all sorts of interesting
factoids. And although there wasn't, as in the past, any raw meat flying
into the audience, some of the speakers were superknowledgeable and
entertaining. Here are the ones that seemed to impress the audiences in
the sessions I attended:
Hacking Macs is easy
And my Microsoft, Windows-loving self didn't say this. It was
self-proclaimed Mac enthusiast and security researcher, Charles Miller,
Ph.D., principal security analyst with Independent Security Evaluators.
He talked about how easy it was to hack Leopard and iPhones, which share
a common root OS.
Essentially, Dr. Miller said that Apple was falling down on the job and
making its OS way too easy to hack. He said he found more than 50 OS X
programs that run in the SUID (Set User ID) context, most of which had
been made non-SUID by most Unix and Linux distros years ago. He said
that OS X doesn't randomize memory, the stack, heap, or kernel
instruction pointers, which are simple antibuffer overflow mechanisms
deployed in Windows, Linux, BSD, and many other OSes.
He continued by listing dozens of old programs and libraries patched in
other OSes that Apple is still installing by default, or just getting
exploits (one on OS X and the other for the iPhone) and shared all the
great reasons why the Mac OS X is an easy platform to exploit. He also
shared his techniques for hacking iPhones and discussed several other
tools that made finding Apple exploits easier. He was absolutely giddy
about some of the new changes Apple is making that will simplify the
life of a hacker, er, researcher in the coming months.
Ultimately, Dr. Miller lamented Apple's growing market share as matched
against its current state of security design. A member of audience put
it this way: "Apple is like this little ole, family-town sheriff who's
moved to inner-city D.C. and is attempting to spread the love. It won't
For my money, Chris Paget, director of R&D for IOActive, provided great
entertainment from his RFID hacking demos and gun-shooting videos. Paget
and his company developed a low-cost, handheld device for cloning RFID
cards. Paget held up several RFID cards, waved them close to his cloning
device, and in seconds created a usable copy of the original RFID card.
He even placed one of the RFID cards into a protective sleeve that is
advertised to keep the RFID card safe from cloning. Within 3 seconds,
his device successfully read the information stored on the RFID card. In
conclusion, Paget said, "If you use 125KHz proximity cards, your doors
are highly insecure!"
At the back of the audience, another vendor, Identity Stronghold, was
handing out free "secure sleeves" to help protect security cards from
malicious cloning. I asked if the card sleeve would prevent the cloning
that Paget was demoing. "No," was the reply, "not 125KHz cards." Maybe
it's time to investigate your company's RFID frequencies.
Phil Zimmerman showed off his new Zfone VoIP security software. It adds
solid encryption protection to any software-based VoIP security software
simply by installing the free software and pointing your VoIP software
to a new host port. It doesn't use persistent keys or PKI. Mr. Zimmerman
spent lots of time answering the audience's questions about the Zfone
and encryption software in general. But he had me at "Today, what I
really care about is making sure democracy continues to thrive." You
have to admire a guy with a 30-year burning desire for the betterment of
Bruce Schneier gave a great second-day keynote on the psychology of
security. If you've been following any of Bruce's writings over the last
year, you're already intimately familiar with the topic. I think I've
read more than half a dozen of his essays on the subject, but he still
managed to bring fresh information to the table and was a good speaker.
I believe everyone, involved with security or not, should read Bruce's
Brandon Baker of Microsoft spoke on Windows Server 2008's new
virtualization model used in the Windows Virtualization Server (WSV)
server role. Although I'm unsure if the new security changes apply to
just WSV or virtualization in general, here's the gist of the newer
security implementation: In older-style VMs, Guest OSes ran their kernel
in the processor's Ring 1 (instead of Ring 0) and their applications in
Ring 3. This necessitated that VM software fake the Guest OSes' kernel
into thinking it was running in Ring 0, as it expected. This requires
virtualization tricks and special VM drivers.
The newer VM security model uses Intel and AMD hypervisor processor
extensions to separate memory, CPU, and other resources into one or more
partitions. The software portion of the hypervisor and the VM software
run in the root partition. All Guest OSes run in separate partitions
with separate resources, but with access to Ring 0 and above. This means
no special VM drivers are needed. However, Guest OSes are prevented from
directly accessing hardware by the extensions built into the CPUs.
Baker went on to summarize the threat-modeling scenarios and assumptions
used to secure the next-generation virtualization software. He even
covered threats they didn't address (for example, utilization DoS
attacks, covert channels, and so on) inside of each partition and where
the biggest risks were. This was nothing new for those who follow
virtualization, but it offered a nice, short presentation of the
Former chief counterterrorism advisor Richard Clarke gave the first
day's keynote. I've seen him speak twice this year, and both times he
thoroughly entertained the audience. I was upset that he took both
opportunities to shamelessly hawk his latest book the guy's being paid
to speak about security issues near and dear to our hearts, not to plug
his writing. I have to say that my opinion of him has dropped
considerably. I'm shocked. (In an unrelated story, my seventh book on
computer security, "Windows Vista Security: Securing Vista Against
Malicious Attacks," written with Dr. Jesper Johansson, is finally out
and sold well at Black Hat. I'm shocked, I tell you.)
Attend HITBSecConf2007 - Malaysia
Taking place September 3-6 2007 featuring seven tracks of technical
training and a dual-track security conference with keynote speakers
Lance Spitzner and Mikko Hypponen! - Book your seats today!