Black Hat USA is only a few days away, and I think the conference gets bigger each year. There are eight different tracks during the Black Hat Briefings, and many of the presentations sound interesting. Because there are so many choices, we decided to gather our top give picks for sessions you can’t afford to miss:

1) Black Ops 2008: Its The End Of The Cache As We Know It by Dan Kaminsky

DNS is at the heart of every network — when a web site is browsed to, it says where the site is, and when an email is sent, DNS says where to. The answer is usually correct — but not always. Six months ago, it became clear that there was an ancient design flaw, present in the original 1983 specification for DNS, that would allow any attacker to insert their own addresses for DNS names. An industry wide bug hunt commenced, culminating in a simultaneous release date of patches for virtually all platforms. We will talk about the issue, and about how a partnership between industry competitors and researchers helped protect all our customers.

 

2) Xploiting Google Gadgets: Gmalware and Beyond by Tom Stracener and Robert Hansen

Google Gadgets are symptomatic of the Way 2.0 Way of things: from lame gadgets that rotate through pictures of puppies to calendars, and inline email on your iGoogle homepage. This talk will analyze the security history of Google Gadgets and demonstrate ways to exploit Gadgets for nefarious purposes. We will also show ways to create Gadgets that allow you to port scan internal systems and do various javascript hacks via malicious (or useful) gadgets, depending on your point of view. We’ve already ported various javascript attack utilities to Google Gadgets (like PDP’s javascript port scanner) among other things. We will also disclose a zero day vulnerability in Google Gadgets that makes Gmalware (Gmodules based malware) a significant threat.

 

3) MetaPost Exploitation by Val Smith

When penetration testing large environments, testers require the ability to maintain persistent access to systems they have exploited, leverage trusts to access other systems, and increase their foothold into the target. Post exploitation activities are some of the most labor intensive aspects of pen testing. These include password management, persistant host access, priviledge escalation, trust relationships, aquiring GUI access, etc. Penetration testers acquire hashes, crack them, keep track of which passwords go with which usernames / systems and finally reuse this information to penetrate further systems.

This paper will first cover the technical details of these topics as well as some examples of manual methods currently in use during penetration tests. Next we will present some improvements to these techniques and demonstrate some tools we have developed which can be integrated with other popular applications such as Metasploit. We will also demonstrate automated methods for using collected password intelligence to penetrate massive numbers of systems. Finally we will suggest some future directions for this area.

 

4) The Internet is Broken: Beyond Document.Cookie – Extreme Client Side Exploitation by Nathan McFeters, John Heasman, and Rob Carter

The dangers of client-side threats such as XSS and CSRF are well understood in the context of vulnerable web applications. Furthermore, the dangers of malicious script as a vehicle for exploiting browsers flaws and reconnoitering the Intranet have been discussed at length. Now what if XSS and CSRF could be leveraged to directly to compromise the host… by design?

Rewind a few years ago and the client-side landscape was somewhat different: research was focused on exploiting the complex interactions between components exposed by the browser. The security of the whole was defined as the sum of the weaknesses of the parts, namely JavaScript, Java, Flash, and anything accessible via a protocol handler. These types of attack gave way to direct browser flaws… after all, why carry out a multi-stage attack when you could trigger straight code execution? Fast forward to 2008: browser flaws are not going away in the foreseeable future but they are on the decline, and in a world of stack cookies, non-executable stacks and ASLR they are becoming increasingly hard to exploit. Which takes us back to the complexity issues. They never went away. In fact the situation has gotten worse spurred by the development of offline solutions such as Google Gears and Adobe AIR, the plethora of protocol handlers and an explosion of browser helper objects.

This double session presentation combines the research of four notable Black Hat presenters who have previously discussed client side exploitation from browser to rootkit. This combined with a rapidly increasing corporate interest in "outsourcing" applications to the browsers, this fast paced, entertaining, and novel presentation answers the question: should we really be building next generation applications on the shaky foundations of the browser?

This is NOT another talk focused on XSS or CSRF, it’s about issues and vulnerability classes that have not been discussed anywhere else. You get all of this from some legit, good looking security researchers, what more could you ask for?

 

5) Pushing the Camel Through the Eye of a Needle by SensePost

In 2007 SensePost demonstrated the how DNS and Timing attacks could be used for a variety of attacks. This year we take those attacks further and show how small footholds in a target network can be converted into portals we can (and do) drive trucks through! With some updated SensePost tools, and some brand new ones, we will demonstrate how to convert your simple SQL Injection attacks (against well hardened environments) into point and click (well, type and click) ownage, how the framework management pages you never knew you had, can double as our network proxies and why despite all of the hype around SQL Server 2005, we still enjoy finding it behind vulnerable web applications. The talk is fairly technical and expects that the attendees understand the basics of Web Application and Web Browser based attacks. Attendees will leave with new attack vectors, a couple of new tools and some thoughts on future directions of these attacks.

 

We will be posting our picks for each time slot soon, and stay tuned for our coverage!