BlackHat USA 2008 WrapUp

Blackhat USA 2008 was an amazing experience this year. The first four days of training could not have gone better. Since SCuD only ran the one class this year it was a lot less work and stress on the Hired Guns. The students were great and we are fortunate every year to have some of those students become our friends that we look forward to seeing every year. Blackhat is as much a Reunion of friends and colleagues as much as a security conference.

The briefings were really good but very crowded. I hope to see Blackhat better distribute the talks between both floors of the conference center next year. Also I think they should create a dedicated area for vendors. Having vendor booths in the main hallway contributes to a terrific traffic jam. The congestion was so bad people were using service/employee hallways to get between talks. It is a known fact that attendees will go see vendors regardless of location and having the vendor circus show in the hallway is just not fun anymore. As an aside, I saw several vendors pulling stunts that would cause me to never consider them for business. One vendor had leather clad skanks to draw attention to their products and that simply insults my intelligence and professionalism. T-shirts and Prize wheels are one thing but tasteless promos are simply childish.

The talks themselves were fantastic. Blackhat has made it’s mark by having the best of the best of this industry present talks and research and this year once again expanded on that theme.

The DNS talk by Kaminsky was good. I wish he had spent more time on the actual attack and research instead of validating the danger of a DNS attack. The majority of the talk focused on how many different technologies could be vulnerable due to a DNS flaw. I think most of us realize the pervasiveness of DNS and inherent ramifications of any DNS attack. I wanted more time spent on the actual attack. Some of the interesting facts about the DNS patch. The patch was reverse engineered in 51 hours by Pieter de Boer and a full paper was written by Sec-consult.com within 5 days of release. Keep in mind that the patches were specifically crafted to make reversing more difficult. Dan stated, “This proves any patch can be reverse engineered”.

The actual attack built upon previous research as well as some new vectors discovered by Dan. I won’t delve into the specifics of the attack because his slides will provide any of the info you need. Black Ops 2008: It’s the End of Cache As We Know It (ppt). Slides 10 – 18 are the real meat of the attack. Dan’s major addition is that since multiple requests for 1.foo.com will be suppressed by TTL all the attacker needs to due is make subsequent requests for 2.foo.com, 3.foo.com and so forth. If an attacker is asking for multiple subdomains and therefore not limited by TTL and the attacker is trying 100 answers per resolver request this greatly increases the chances of hitting the right transaction ID number and becoming the “DNS server” for *.foo.com

As interesting as the attack is the unique response of the vendors. This response of behind-the-scenes collaboration and the coordinated multivendor patch is the first time we’ve seen such a group response to a security vulnerability. Obviously the nature of the protocol flaw and implementation of not so random transaction ID’s necessitated such a coordination but one dares to hope this is a harbinger of things to come. Perhaps, we shall see.

The most fascinating talk was Felix (FX) Linder’s talk on Developments in Cisco IOS Forensics. The talk dealt with the difficulties and tactics of detecting a binary level comprimised Cisco router. We now IOS is becoming a larger target. Two of the other talks at BlackHat concentrated on Cisco IOS hacking and vulnerabilities. FX’s work on Recurity Labs Cisco Incident Response (CIR) is truly ground breaking and I don’t even want to imagine the amount of IOS code he’s looked at in the past years.

Some other talks you should take a look at.

Fyodor’s NMAP – Scanning the Internet
Bruce Potter’s Netflow Analysis
Chawdhary & Uppal’s Cisco IOS Shellcodes

All in All BlackHat was a great experience. I met more people this year than the previous years combined. The knowledge and the people truly make the InfoSec community one of the best communities in the world, and BlackHat represents the best of this community.

PS: For futher reading I’ve created a Blackhat/Defcon linkdump of great articles and blog posts about the cons.

Leave a Reply