Better late than never, I suppose. I taught TCP/IP Weapons School at Black Hat DC 2008 last month, and I also attended two days of briefings (many available in the archives).
The briefings began with Jerry Dixon from Team Cymru, which now appears to offer commercial services related to large-scale Internet monitoring and infrastructure issues. Jerry noted several problems hampering security efforts, including lack of a dedicated security operations team (CIRT) and lack of network cognizance. I really like the idea of "cognizance," since one word is always better than the two word version -- "situational awareness." Jerry thought the Federal government's plan to reduce network gateways and monitor traffic at those points made sense.
The image at right is a small snapshot of Team Cymru's Internet Malicious Activity Map. I think visualizations like this are interesting. I was glad to see my class A dark.
Special Agent Andy Fried from the US Treasury Department spoke about his work countering attacks against his agency. He explained that it's impossible to stop everyone, so you have to rely on "aggressive identification and shutdown" of compromised systems.
Chuck Willis from MANDIANT discussed using Cross-Site Request Forgery to create "false evidence" on a person's computer. He said CSRF is usually considered a problem for server admins, not people browsing the Web. The idea is to force clients to silently visit incriminating Web sites, thereby adding entries to their browser history, Web cache, and so on. As a simple example he showed (live) how to add a movie to someone's Netflix basket without their involvement. Chuck described how various encoding methods (decimal, dword, hex, octal) can obfuscate URLs, thereby frustrating simple forensic analysis. Including unguessable parameters when designing Web apps is one way to counter CSRF.
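The URL obfuscation Chuck described is exactly what trips up a grep through browser history or cache entries, so an analyst wants to canonicalize hosts before searching. The following is an added example (not code from the talk or from MANDIANT) that folds the dword, hex and octal host spellings back into a dotted quad using the same component rules inet_aton and browsers apply; the sample URLs are constructed.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

def _parse_part(part: str) -> int:
    """Parse one dotted component the way inet_aton/browsers do."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]*", part):      # hex: 0xC0
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part[0] == "0":              # leading zero: octal 0300
        if not re.fullmatch(r"0[0-7]+", part):
            raise ValueError(part)
        return int(part, 8)
    if not re.fullmatch(r"[0-9]+", part):             # plain decimal
        raise ValueError(part)
    return int(part)

def canonical_ipv4(host: str) -> Optional[str]:
    """Dotted quad for any numeric host spelling (1-4 parts, last part fills
    the remaining bytes), or None if the host is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        vals = [_parse_part(p) for p in parts]
    except ValueError:
        return None                                   # a normal DNS name
    *head, last = vals
    if any(v > 255 for v in head):
        return None
    tail_bytes = 4 - len(head)
    if last >= 1 << (8 * tail_bytes):
        return None
    addr = 0
    for v in head:
        addr = (addr << 8) | v
    addr = (addr << (8 * tail_bytes)) | last
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))

def normalize_url(url: str) -> str:
    """Rewrite a numeric host to dotted-quad form; userinfo is dropped."""
    parts = urlsplit(url)
    host = parts.hostname
    dotted = canonical_ipv4(host) if host else None
    if dotted is None:
        return url
    netloc = f"{dotted}:{parts.port}" if parts.port else dotted
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```

Run every history or cache URL through normalize_url before matching against an indicator list, so `http://3232235777/` and `http://0xC0.0xA8.0x01.0x01/` both compare as `http://192.168.1.1/`.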
Oliver Friedrichs from Symantec previewed some material from his upcoming book Crimeware, some of which is described in this post.
Nitesh Dhanjani and Billy Rios presented how they exposed many phishers as relative newbies who are open about their activities and obvious when you know where to look ("fullz", vip-dumps, etc.). I'd like to mention that I love Nitesh's statement in Social Engineering Social Networking Services: A LinkedIn Example: The job of information security is to make it harder for people to do wrong things.
Nathan McFeters and Rob Carter talked about protocol handler issues in URI handlers, or URIs that link to applications like "aim://". They showed how URIs can be accessed via XSS and that many of them suffer from buffer overflow vulnerabilities.
I missed Tiller Beauchamp discussing Re-Tracer, or using DTrace for reverse engineering. At the same time Chris Tarnovsky from Flylogic Engineering was destroying "security devices" like USB tokens and related "secure chip" technologies. He showed how most vendors' security claims are completely bogus. I was astounded by what he could do with several thousand dollars of used equipment, stepping through single instructions on a chip and dumping memory.
Brian Chess and Jacob West explained how to instrument code using dynamic taint propagation.
The presentation on Cisco router forensics by Felix Lindner (FX) was awesome -- probably my favorite talk. He discussed TCL backdoors, patched IOS images on the Web, enabled lawful intercept hidden from router admins, and other cool IOS tricks. Most interesting was his description of configuring routers to "write core" and uploading the resulting file to an FTP server for router integrity analysis. His company provides a free service to analyze router dumps. I hope he commercializes it so I can add it to my operations.
David Dagon from Georgia Tech and Chris Davis from Damballa talked about botnets. They described using IP IDs (hello TCP/IP Weapons School) to estimate botnet size. They referenced the 15th Annual Network & Distributed System Security Symposium Proceedings for related work.
Sinan Eren from Immunity described how his team conducts "information operations," which is not DoD IO but systematic, stealthy, long-term compromise for red teaming purposes. His methodology in the case at hand was as follows:
- Attack the anti-virus/spam filter on the target company's mail transfer agent.
- Hook the AV to grab copies of all email. (Feeling good about that AV scanner now? Hey, it's defense in depth! Add more, you're secure! Not only does it not work 2/3 of the time, it's an avenue to be compromised! Argh.)
- Analyze email to understand the target.
- Inject forged email into ongoing thread between target and customer. Include malicious attachment.
- From target's computer, exploit DNS MSRPC vulnerability in target's PDC.
- Grab hashes, exploit other hosts. Find files of interest.
- Identify special network segmented from current network but accessed via USB drive.
- Modify USBDumper to acquire files when drive is moved from first network to special network.
- All interesting data transferred via Immunity's "PINK" C&C channel.
PINK is a proxy-aware, HTTP-based C&C channel that reads and writes to blog sites after conducting Google searches for highly specific text. The bot and master communicate via blog posts and comments. PINK was installed as an Explorer shell extension, which doesn't require admin privileges.
Sinan concluded by recommending we invest in human capital, not security products. Agreed!