
Last week I attended the Black Hat DC 2008 Briefings. The following is a list of the presentations I saw, the key concepts discussed as well as things I found interesting or didn’t know.

Summary of Black Hat DC 2008 Briefings


DAY 1 - Web App Track


Preparing for the Cross Site Request Forgery Defense

·         A cross site request forgery (CSRF) makes a victim's browser submit requests to a web application where the victim is already authenticated, and in some cases can manipulate their local cache or history

·         This vulnerability could make a user run a search query, fetch arbitrary image files or pages, post messages to online forums, or even manipulate their account

·         Two demos showed how this could be done using Netflix and Google.

·         The basic way to prevent CSRF is to require, on every state-changing request, a parameter the attacker cannot know or predict: a secret token bound to the user's session, which a page on another origin cannot read
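The synchronizer-token defence the last bullet describes, as an added example (this is not code from the talk or from either site demoed): a toy server keeps a session store, embeds a per-session random token in the legitimate form, and rejects any state-changing request whose body does not carry the token bound to the cookie's session. All names here (SESSIONS, handle_transfer, the /transfer endpoint, the balance field) are invented for the illustration.

```python
import hmac
import secrets

# Hypothetical server-side session store: session id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32), "balance": 100}
    return sid


def render_form(sid):
    """The legitimate page embeds the token in a hidden field. A page on
    another origin cannot read this form, so it cannot copy the token."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="amount"><input type="submit"></form>'
    )


def handle_transfer(cookie_sid, form):
    """State-changing endpoint (hypothetical). The browser attaches the session
    cookie to any request aimed at this site, including one forged by another
    site, so the cookie alone proves nothing about the user's intent. The token
    in the body must match the one bound to the session as well."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "no session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes: no timing leak, no TypeError on
    # non-ASCII input an attacker might send.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "csrf token missing or invalid"
    session["balance"] -= int(form["amount"])
    return 200, "ok, balance now %d" % session["balance"]


def demo():
    """Return the status codes for: a forged request with no token, a forged
    request with a guessed token, and a legitimate submission of the real form."""
    sid = new_session()
    # 1. Attacker's page auto-submits a form to /transfer in the victim's browser.
    #    The cookie rides along, but the attacker has no way to obtain the token.
    forged = handle_transfer(sid, {"amount": "50"})[0]
    # 2. Guessing does not help: the token has 256 bits of entropy.
    guessed = handle_transfer(sid, {"amount": "50", "csrf_token": "AAAA"})[0]
    # 3. The real form carries the token, so the transfer goes through.
    token = SESSIONS[sid]["csrf_token"]
    legit = handle_transfer(sid, {"amount": "50", "csrf_token": token})[0]
    return forged, guessed, legit
```

The token only protects requests the server treats as state-changing. Requests that merely fetch a page or run a search (the first bullet) carry no token, which is why they must have no side effects; checking the Origin or Referer header is a second, independent layer for the same endpoint.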


Threats to the 2008 Presidential Election

·         Online donations for presidential campaigns have been used more than ever in 2008

·         Typo squatting, registering a mistyped version of a campaign's domain, is an easy way people can get trapped or tricked

·         Email squatting, for example a lookalike address that causes emails to go to an unintended recipient

·         Phishing sites that redirect donations to opposing candidate, the phisher or someone other than the intended candidate

·         Denial of service attacks are possible by submitting a high number of small donations at one time

·         Browser data leakage: using the CSS :visited link style, a website can determine whether you have viewed a given page before

·         Monitoring of people's communications (e.g. FlexiSpy receives copies of SMS, call logs, emails and lets you listen to conversations on a mobile device)

·         Ransomware could be a virus, Trojan, or worm that encrypts your data and demands a ransom for its restoration


Bad Sushi: Beating Phishers at their Own Game

·         A collaborative website for tracking phishers on the Internet was presented; it has an open API for developers to integrate anti-phishing into applications

·         Reality is scary, simple Google searches such as “Spam ReZulT” return numerous compromised online identities

·         Phishing is easy, a number of phishing kits have been developed and are just copied, edited, and reused in most cases

·         Phishers even phish each other: the author of a phish kit builds in his/her own feedback loop so harvested credentials also flow back to the kit author, which other phishers may or may not notice when modifying and reusing the kit

·         The root problem is that static identifiers and passwords are often used; the resolution is to use two-factor authentication

·         (ATMs are a target as well, ATM skimmers steal swipes of your debit card and record keypad touches)


URI Use and Abuse

·         Some software such as Trillian, iTunes, and Picasa registers a custom URI scheme (for example, picasa://) that a browser will hand off to the application

·         This exposes vulnerabilities in that software to the Internet: any web page can cause the browser to launch the handler with attacker-chosen input

·         Registered URI schemes are kept in the Windows registry (under HKEY_CLASSES_ROOT, one key per scheme marked with a "URL Protocol" value); Macs have an equivalent registration

·         Demos included using an exploit in Adobe Reader to trigger a buffer overflow and using Google's Picasa to steal the user's pictures
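As an added illustration of why a browser-reachable URI handler widens the attack surface (this is not one of the talk's demos; the `example://` scheme, the executable path and the `-evil` flag are invented): a handler's registered command template has the whole URI pasted into `%1`. If the browser passes the URI through verbatim and it contains a quote, the quote closes the argument and whatever follows becomes extra command-line arguments to the application. The tokenizer below is a simplified model of Windows argument splitting, enough to show the break-out and a check that prevents it.

```python
# Hypothetical handler registration, e.g. the default value of
# HKEY_CLASSES_ROOT\example\shell\open\command. %1 receives the whole URI.
HANDLER_COMMAND = '"C:\\Program Files\\Example\\app.exe" "%1"'

# Constructed inputs: a normal link, and one that breaks out of the quotes.
BENIGN_URI = "example://open/album/holiday"
MALICIOUS_URI = 'example://x" -evil "C:\\Users\\victim\\Pictures'


def split_windows_cmdline(cmdline):
    """Simplified model of Windows command-line splitting: whitespace separates
    arguments, double quotes group, and backslash-quote yields a literal quote.
    (The real rules for runs of backslashes are more involved; this is enough
    to show how a quote inside the URI ends one argument and starts another.)"""
    args, cur, in_quotes, i = [], "", False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur += '"'
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += ch
        i += 1
    if cur:
        args.append(cur)
    return args


def launch_argv(uri):
    """What the application receives when the browser substitutes the URI into
    the template without any filtering."""
    return split_windows_cmdline(HANDLER_COMMAND.replace("%1", uri))


def safe_launch_argv(uri):
    """Hardened substitution: accept only the expected scheme and refuse any
    URI containing characters that could break out of the quoted argument.
    Raises ValueError instead of launching."""
    if not uri.startswith("example://"):
        raise ValueError("unexpected scheme")
    if any(c in '"\\' or c.isspace() for c in uri):
        raise ValueError("URI contains characters that can break quoting")
    return launch_argv(uri)
```

With the malicious URI, `launch_argv` hands the application four arguments, the third being `-evil`, so any dangerous switch the program accepts is now reachable from a web page. Percent-encoding quotes and spaces before substitution is an alternative to rejecting the URI; either way the application itself should also treat its URI argument as hostile, since it cannot rely on every browser filtering.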


Scanning Applications 2.0

·         The Web Hacking Incidents Database (WHID) is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents

·         Web 2.0 applications differ from traditional ones in that they usually leverage dynamic client-side scripting and web services (see Pageflakes for numerous examples)

·         Techniques for testing web 2.0 applications include

o   determining the web service type via fingerprinting

o   determining the AJAX library type via fingerprinting

o   fuzzing information structures such as JSON, XML etc.

o   crawling sites through the DOM (links and requests generated by script and event handlers) instead of following only static hyperlinks

·         Presenter offers free tools for scanning web 2.0 applications
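The "fuzzing information structures such as JSON" technique, as an added example (not one of the presenter's tools): rather than flipping random bytes, the fuzzer parses a sample request, walks to every leaf and substitutes values chosen to break the handler's type and range assumptions, then adds structural mutants the leaf walk cannot produce. The sample request body and its field names are constructed for this example.

```python
import copy
import json

# Constructed sample: what a Web 2.0 client might post to a JSON web service.
SAMPLE_REQUEST = (
    '{"user": {"id": 1042, "name": "alice", "admin": false}, "items": ["a", "b"]}'
)

# Leaf substitutions, each labelled with the server-side assumption it attacks.
MUTATIONS = [
    ("string where a number is expected", "1042 OR 1=1"),
    ("number where a string is expected", 0),
    ("object where a scalar is expected", {"$gt": ""}),
    ("boolean flip (privilege field)", True),
    ("null", None),
    ("negative integer", -1),
    ("64-bit boundary", 2**63),
    ("long string", "A" * 4096),
    ("markup in string", "<script>alert(1)</script>"),
]


def leaf_paths(node, prefix=()):
    """Yield the path (tuple of keys and indexes) to every leaf in a document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaf_paths(value, prefix + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaf_paths(value, prefix + (index,))
    else:
        yield prefix


def set_at(doc, path, value):
    """Return a deep copy of doc with the leaf at path replaced by value."""
    if not path:  # the whole document is a scalar
        return copy.deepcopy(value)
    mutant = copy.deepcopy(doc)
    node = mutant
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return mutant


def generate_mutants(body):
    """Return (dotted path, description, mutated body) for every leaf x mutation,
    plus structural mutants. Mutants are compared to the original as serialised
    text, because Python treats false == 0 and true == 1 as equal while the
    server's parser will see different JSON types on the wire."""
    doc = json.loads(body)
    original = json.dumps(doc)
    out = []
    for path in leaf_paths(doc):
        for description, value in MUTATIONS:
            mutated = json.dumps(set_at(doc, path, value))
            if mutated != original:
                out.append((".".join(map(str, path)), description, mutated))
    # Structural mutants: parser recursion limits and truncated input.
    out.append(("", "deeply nested array", "[" * 5000 + "]" * 5000))
    out.append(("", "truncated body", body[: len(body) // 2]))
    return out
```

A harness posts each mutated body to the endpoint and diffs status code, response size and any stack trace against the baseline response; for the sample above that is 45 leaf mutants plus the two structural ones. A 500 on a type-confusion mutant points at missing input validation, while a 200 on the "boolean flip" of `user.admin` is the finding that matters most.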



DAY 2  - Defense Track


DTRACE: The Reverse Engineer’s Unexpected Swiss Army Knife

·         DTRACE was created at Sun and released with Solaris 10

·         Now in Apple OS X (since 10.5 Leopard), and soon to be in FreeBSD

·         Allows you to trace an application at runtime in an almost root-kit like way

·         Beauty of it is that it’s built into the OS and was designed to be the least intrusive on the application under trace

·         Uses the D language, which is C-like but has no control-flow constructs (no loops or branches); each probe fires an action block, optionally guarded by a predicate

·         The DTrace Toolkit gives you ready-made scripts for stack analysis, code coverage, heap analysis etc.


Dynamic Taint Propagation: Finding Vulnerabilities Without Attacking

·         Taint propagation is a technique where you track data through your program as it executes and figure out which values are "tainted" by input that comes from outside

·         A taint propagation tool follows those inputs throughout the system, reports where tainted data reaches a sensitive operation, and gives you coverage information for the input paths exercised

·         Fortify is a company that sells products that do this for .NET and Java
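A toy version of the technique these bullets describe, added here as an illustration (it is not Fortify's product and says nothing about how their tool is built): a Tainted string subclass carries a source label through the string operations a request handler typically performs, a sanitizer returns a plain (untainted) value, and the SQL sink records a finding whenever tainted text reaches it as query text. Because the finding is produced by ordinary input, no attack payload is needed, which is the point of the talk's title. The two handlers and the request values are constructed for this example.

```python
class Tainted(str):
    """A str that remembers it came from an untrusted source."""

    def __new__(cls, value, source="untrusted"):
        obj = super().__new__(cls, value)
        obj.source = source
        return obj

    # Plain-str-on-the-left operations: Python tries the subclass's reflected
    # method first, so "prefix" + tainted and "%s" % tainted stay tainted.
    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.source)

    def __rmod__(self, other):
        return Tainted(str.__mod__(other, self), self.source)


def _propagating(name):
    """Wrap a str method so that a str result inherits the receiver's taint."""
    base = getattr(str, name)

    def method(self, *args, **kwargs):
        result = base(self, *args, **kwargs)
        if isinstance(result, str) and not isinstance(result, Tainted):
            return Tainted(result, self.source)
        return result

    return method


# Operations through which taint flows. Anything not listed (split, for one,
# and "{}".format(tainted) with the plain str on the left) silently drops the
# label; a real tool must cover every such path or it produces false negatives.
for _name in ("__add__", "__mod__", "__getitem__", "upper", "lower",
              "strip", "replace", "format", "ljust"):
    setattr(Tainted, _name, _propagating(_name))


def sanitize_int(value):
    """Declassifier: proves the value is an integer and returns a plain str."""
    return str(int(value))


def sql_sink(query, report, params=()):
    """Stand-in for executing a query. Tainted query *text* is an injection path;
    bound parameters are not, since the database never parses them as SQL."""
    if isinstance(query, Tainted):
        report.append("tainted data from %s reached SQL sink: %r"
                      % (query.source, str(query)))


def vulnerable_handler(request, report):
    """Constructed handler: builds the query by concatenation."""
    user = request["user"]
    query = "SELECT * FROM accounts WHERE name = '" + user.strip() + "'"
    sql_sink(query, report)
    return query


def fixed_handler(request, report):
    """Constructed handler: parameterised name, id validated by the sanitizer."""
    user = request["user"]
    user_id = sanitize_int(request["id"])
    query = "SELECT * FROM accounts WHERE name = ? AND id = " + user_id
    sql_sink(query, report, params=(user,))
    return query


def run_analysis():
    """Exercise both handlers with ordinary input and collect the findings."""
    benign = {"user": Tainted("alice", "http.form.user"),
              "id": Tainted("42", "http.form.id")}
    findings = {}
    for name, handler in (("vulnerable", vulnerable_handler), ("fixed", fixed_handler)):
        report = []
        handler(benign, report)
        findings[name] = report
    return findings
```

Running `run_analysis()` flags the first handler with the benign value "alice" and clears the second; the report names the source (`http.form.user`), which is what a developer needs to find the missing validation. The coverage side of the second bullet is the other half of such a tool: it only sees paths the test input actually drives.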


(un)Smashing the Stack: Overflows, Countermeasures, and the Real World

·         Recommended reading: How to Write Buffer Overflows, by Mudge

·         Discussed defense mechanisms (such as StackGuard, DEP, ASLR) that have been built into operating systems to make exploiting overflows harder


Classification and Detection of Application Backdoors

·         Backdoors exist in many applications and are sometimes purposely baked in

·         Types include special credentials to bypass authentication and/or hidden functionality that can be used to do something extra to the system

·         One example was given: Ken Thompson, one of the creators of Unix, described putting a backdoor into the login program. To prevent people from seeing this backdoor in the code, since the source was distributed, he hid the logic that inserted it inside the C compiler. To prevent people from seeing that, he only distributed the compiler binaries and not the source. To prevent people from seeing the logic when they disassembled the binaries, he put code in the disassembler that stripped it out. (This is the scenario from Thompson's "Reflections on Trusting Trust".) Moral of the story is that backdoors can exist in many places we don't know about


Botnet Population and Intelligence Gathering Techniques

·         Botnet usually refers to a group of compromised computers (compromised via a remote access trojan, RAT, for example) remotely controlled by a master

·         They use DNS names instead of hard-coded IP addresses, since you can create an almost infinite number of names using subdomains and repoint them to new IP addresses at will

·         Tools out there make it easy to set up a botnet (for instance, using the PoisonIvy trojan)

·         Research at Georgia Tech is using DNS caching distribution patterns to estimate relative size of botnets that exist on the Internet


Information Operation in the Cyber Domain, Immunity Style

·         Presenter was hired for a large-scale targeted attack on a private company

·         This differed from other penetration tests in that they had no time limit

·         They were able to compromise the network first through the email server and monitored all emails

·         Then via a little social engineering and an ActiveX vulnerability they installed an undetectable shell extension on users' computers

·         At that point they discovered a separate, segmented network, with data being carried between the two on a USB keychain

·         They modified a USB memory dump tool to write all the data from the keychain to disk and managed to compromise secret data from the segmented network

·         (A Microsoft Research tool called Detours was used as part of the attack!)


Posted on Tuesday, February 26, 2008 12:45 PM | Security

Copyright © Devin A. Rychetnik