Black Hat 2012

Conferences Fuel Your Passion

Few things spark your passion for information security the same way as a conference. It’s inspiring to talk to so many different people in the industry and listen to a variety of talks, all in one place. I had the chance to personally meet many readers of the Tenable blog and listeners of the Tenable podcast. I also heard some great talks. Here are some highlights.

Smashing the Future for Fun and Profit

I was really excited to see the folks on this panel come together and "talk shop." It’s a rare opportunity to see Jeff Moss (Dark Tangent), Adam Shostack, Marcus Ranum, Bruce Schneier, and Jennifer Granick all share the same stage! This did not happen by chance, as this panel brought back five of the original speakers Jeff Moss assembled at the first two Black Hat conferences held in 1997 and 1998.

I've had the unique opportunity to interview each of the 2012 panel members individually, so I was particularly interested to see how their thoughts, ideas, and opinions would converge. I was not disappointed. The topics ranged from software security, the government’s role in security, consumerism and how ease of use impacts security, the vulnerability market, and so much more. Jennifer Granick was an outstanding moderator (which was not an easy task by any stretch!).

The big question for me was, “What changed?” Jeff had a great anecdote. He said we don't really solve the problems, but we just run away from them and they seem to go away. We've just been able to run faster. I reviewed the topics presented at the first Black Hat conference in 1997, and I couldn't agree more. Vulnerabilities in TCP/IP, secure coding, and over-reliance on firewalls all made the list — topics we still discuss, and problems we still run from today.

Bruce Schneier commented on how we can't just be faster than the person next to us. There are people (whether state-sponsored or working independently) specifically targeting your organization, and almost everyone is terrible at protecting themselves from this threat (as evidenced by the seemingly endless news of companies suffering breaches).

Don't Stand So Close to Me: An Analysis of the NFC Attack Surface

Charlie Miller gave a very entertaining presentation about vulnerabilities discovered in the NFC (Near Field Communication) chips found in many mobile devices, including Android devices and Nokia phones. NFC wireless chips use the phone's power source to communicate wirelessly (typically at 13.56 MHz) with other devices. The range is less than 4 centimeters, and it’s used to share contacts, images, or web addresses between devices. The window of opportunity is small, as not only do you have to be in close physical range, but the device must be on and not in "sleep mode." Charlie showed some of the ways in which you could "wake up" the phone, such as by sending your target a text message.

As part of his research, Miller wrote a low-level fuzzer for Android devices and discovered some vulnerabilities. He didn’t go on to exploit the initial vulnerabilities he found, which were fixed in the "ice cream sandwich" release of the Android operating system. Interestingly enough, he had not yet reported the vulnerabilities, but Google had fixed them of its own accord. In order to exploit an Android device, Miller used the NFC functionality to send a phone's browser to a website, coupled with a vulnerability in WebKit, to gain unauthorized access to the device.

On Nokia devices, the NFC chip uses Bluetooth to share files. Miller discovered a way to use NFC communications to enable Bluetooth and download information from the phone, such as contacts and pictures, or even place phone calls.

Although the attacks require close physical proximity, they raise concerns about the configuration of mobile devices. For example, what if a phone manufacturer doesn’t allow you to disable NFC on your device? Also, if you’ve disabled a service, such as Bluetooth, NFC attacks can re-enable that service and even reconfigure your phone to be vulnerable. This makes hardening your devices extremely difficult.

From SQL Injection to MIPS Overflows: Rooting SOHO Routers

Zachary Cutlip did some research on a specific brand and model of SOHO wireless router/file server. The NETGEAR WNDR3700 v3 was his target of choice (Cutlip also believes the 3800, 4000, and 4400 models to be vulnerable as well). Using a SQL injection flaw, he was able to exploit a buffer overflow vulnerability in the DLNA (Digital Living Network Alliance) process. DLNA allows devices on your network that run this protocol to share files, stream media, or even print from wireless devices. Two vulnerabilities are used in conjunction to compromise the device: the first is a SQL injection, which is then leveraged to trigger a traditional stack-based buffer overflow.

I found the information about how the firmware was implemented to be the most interesting part of this talk. The developers of this particular firmware made poor security architecture choices. For example, passwords are stored in cleartext in the /etc/passwd file. The stack is protected with ASLR, but the heap and software libraries are not. Also, searching through the source code revealed 265 instances of the "strcpy" function, a "no no" when it comes to writing secure code. The presentation really underscored the state of security on embedded systems, which, in my experience, has always been very poor. I also picked up some great technical tips, such as using the "binwalk" program to find file system offsets in binary firmware files and setting your callback IP address to 10.10.10.10 to overcome any byte order mismatches.
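To make the strcpy point concrete, here is an added example (mine, not code from the talk or from the NETGEAR firmware) contrasting the pattern that a source audit like Cutlip's flags with a hardened replacement. The function names, the 16-byte buffer size, and the sample inputs are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16

/* The pattern a grep for "strcpy" turns up: an unbounded copy into a
 * fixed-size stack buffer. Any input of NAME_MAX bytes or more overruns
 * 'name' and whatever sits behind it on the stack, which is exactly the
 * stack-based overflow class discussed above. Hypothetical routine; not
 * code from the WNDR3700 firmware. Only ever call it with short input. */
int store_name_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* no length check at all */
    return (int)strlen(name);
}

/* Hardened replacement: measure first without reading past the
 * destination size, refuse over-long input instead of silently
 * truncating (truncation can create its own logic bugs), and only then
 * copy with an explicit bound. Returns 0 on success, -1 if rejected. */
int store_name_safe(const char *input, char *out, size_t out_len)
{
    if (input == NULL || out == NULL || out_len == 0)
        return -1;

    size_t n = 0;                   /* bounded length scan, max out_len bytes */
    while (n < out_len && input[n] != '\0')
        n++;
    if (n >= out_len)               /* no room left for the terminator */
        return -1;

    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char buf[NAME_MAX];
    /* Constructed inputs: one that fits, one that would overrun. */
    const char *ok  = "media-server";                     /* 12 bytes */
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";  /* 32 bytes */

    printf("safe(ok)  -> %d (%s)\n", store_name_safe(ok, buf, sizeof buf), buf);
    printf("safe(bad) -> %d (rejected)\n", store_name_safe(bad, buf, sizeof buf));
    /* store_name_unsafe(bad) is deliberately not called: it would smash the stack. */
    return 0;
}
```

The design choice worth noting is that the safe version reports failure to the caller rather than quietly cutting the string short; in a firmware service that parses attacker-controlled names (as the DLNA process here does), a silent truncation can still leave the program in a state the developer never tested.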

Errata Hits Puberty: 13 Years of Chagrin

I've spent a lot of time talking to folks just getting started in security. They ask many of the same questions, such as "Where do I go to get information about security?" As a security professional, I want to send them to the right places. While that’s not the only reason Attrition's Errata pages matter, for me it’s one of the best reasons to keep a close eye on the industry and point out sources of misinformation. The Errata pages at Attrition have been doing this for 13 years, pointing out everything from books containing plagiarism to people in the industry labeled as "charlatans." While many may just see it as a way to point fingers, this talk emphasized that Errata exists to help the industry.

Using their own time and some donations over the years, they publish information about people, companies, and manufacturers and uncover everything from inconsistencies to data-loss statistics. It was clear they are not out to purposely tarnish any one person's or company's reputation, but to collect facts and present them. In fact, they welcome an open dialog and the opportunity to correct mistakes. For example, one person who had been placed on the "charlatans" list showed that he had accepted responsibility for the mistake and corrected his actions, which prompted his removal from the list.

Final Thoughts

The Black Hat conference did a great job at doing what it does best, bringing new security threats to light from some of the brightest in the security industry. Panels are a tough thing to pull off at a conference, and Black Hat had one of the best panels I've seen in some time. To complete the picture, there were a few talks covering some of the latest defensive techniques, including one titled "Sexy Defense: Maximizing the Home-Field Advantage," which discussed defenders taking a more proactive role in defending their networks. As always, I can't wait for next year!