Here at the Hyatt Regency Crystal City in Arlington, Virginia, it is day two, the last day of Black Hat DC 2010, the world’s leading information security event. Yesterday we discussed Black Hat DC 2010 – Day One and the convention’s gathering of more than 500 security experts from the public and private sectors, as well as underground hackers from around the world.
Today, February 3, Black Hat DC 2010 opened with “An Uninvited Guest (Who Won’t Go Home).” During this presentation, Bill Blunden addressed “battle-tested” forensic tools used to analyze storage devices. Bill gave the audience a guided tour of the latest rootkit methods deployed against Windows platforms.
As mentioned yesterday, the three tracks for day two are Application Security, Forensics and Privacy, and Metasploit. Whether or not you were among the lucky ones who attended the event, we have described some of this year’s Black Hat Briefings for you in this post. As always, we welcome your comments.
Connection String Parameter Pollution (CSPP) Attacks
Chema Alonso and Jose Palazon demonstrated how the tools and web applications that users rely on to configure a connection to a database server can be abused. More specifically, on Microsoft Internet Information Services, they showed how an attacker can steal user account credentials, gain access to web applications by impersonating the connection, and take advantage of the web server’s own credentials to connect to internal database servers in the DMZ without supplying any credentials.
In her DarkReading post Black Hat DC: Researchers Reveal Connection String ‘Pollution’ Attack, Kelly Jackson Higgins discusses CSPP and the CSPP Scanner tool (Google Spanish to English translation link for download) that Alonso and Palazon released, which tests whether database servers are vulnerable to this form of attack.
Hacking Oracle 11g
David Litchfield, NGSSoftware Ltd., presented the Black Hat Briefing “Hacking Oracle 11g.” Litchfield’s penetration testing techniques revealed yet another bug in Oracle’s database code. See also “This Oracle Hacker Gets The Last Word” (Greenberg, Forbes).
As cited by Ellen Messmer, Network World, in Black Hat: Zero-day hack of Oracle 11g database revealed, “Litchfield said he thinks Oracle probably deserves a ‘B+’ for security in the current version of its database, which he characterized as an improvement over the previous version.”
Advanced Command Injection Exploitation
David D. Rude II (bannedit), Security Engineer, ACS Inc., presented “Advanced Command Injection Exploitation: cmd.exe in the ’00s,” an interesting discussion of advanced techniques used to exploit command injection bugs. Bannedit showed examples of how attackers change a program’s execution by injecting their own code into it.
0-Knowledge Fuzzing
In Vincenzo Iozzo’s presentation “0-Knowledge Fuzzing,” he described “fuzzing” as “a pretty common technique used both by attackers and software developers . . . knowing the protocol/format that needs to be fuzzed and having a basic understanding of how the user input is processed inside the binary.” He continued with a demonstration of how to use techniques like code coverage, data tainting, and in-memory fuzzing to build a “smart fuzzer” with no need to instrument it.
This was a great explanation of the different input types used (numbers, characters, metadata, and pure binary sequences) and of the different kinds of fuzzing: application fuzzing, protocol fuzzing, and file format fuzzing. Without a doubt, we found this to be another worthwhile Black Hat Briefing.
Neurosurgery With Meterpreter
Colin Ames, Security Researcher, Attack Research LLC, and David Kerb, affiliated with Attack Research, each have over ten years’ experience in penetration testing, reverse engineering, and malware analysis. They demonstrated post-exploitation memory manipulation using Metasploit’s Meterpreter to build memory exploitation tools. The information they provided showed the audience how to gather evidence from attacks in order to determine where they originate and the intent behind them.
Why Black Hats Always Win
In this Black Hat DC 2010 Briefing, Val Smith of Attack Research and Chris, Security Consultant and Researcher with Secure DNA, discussed “Why Black Hats Always Win.” The “good guy” versus “bad guy” theme always makes for a good debate. Maybe it was just the expressions on their faces, but there seemed to be a lot of opposing opinions among onlookers during this briefing.
White hat methodologies versus black hat methodologies were the central theme. Attackers versus defenders, offensive versus defensive: we went down the entire trail from information gathering to data collection, with stopovers at vulnerability assessment and exploitation. This was one of the more exciting briefings at Black Hat DC this year, and we could have gone on well past sundown without running out of Black Hat versus White Hat information security issues to discuss.
iPhone Privacy
During his presentation “iPhone Privacy,” Nicolas Seriot, Datamining R&D Engineer, University of Applied Sciences Western Switzerland, discussed iPhone privacy issues and questioned Apple’s position regarding the iPhone’s security implementation. The talk continued with examples of how “rogue applications” access private information on devices that have not been modified in ways that might prevent a breach of end-users’ privacy. In his white paper iPhone Privacy (PDF), Seriot describes writing spyware for the iPhone and introduces his proof-of-concept “SpyPhone.”
InfosecEvents’ Closing Comments
Black Hat DC 2010 was an awesome information security event. As with past Black Hat events, public and private sector information security experts thrilled audiences with talks and demonstrations on the latest technologies used by hackers and on the information security industry’s continuing battle against these global threats to our quality of life in this information-dependent world. We look forward to seeing you at the next event!