Monday, August 11, 2008

Get Rich or Die Trying (BlackHat USA 2008)

Update 08.11.2008: Added a video interview of Trey and myself to the bottom of the post.

Our speaking slot was informally dubbed the “power hour” due to the number of stellar presentations all booked at the same time - many of which I would have loved to attend personally. Nate McFeters & Co. unveiled the details of their GIFAR research, Microsoft announced they’ll be revealing vulnerability details to certain vendors prior to public disclosure, Joanna Rutkowska spoke on the Xen hypervisor, etc. And making matters just a little bit more interesting, we were generously given a larger ballroom. This was scary because with a speaking time near the end of the last day combined with top-notch competition, a sparsely attended room would have been entirely likely. So when the room filled to capacity, I’m guessing around 1,000 people (standing room only), Trey Ford and I were ecstatic! Which reminds me, Trey Ford (Director of Solutions Architecture) pinch-hit for Arian Evans (Director of Operations) so he could focus more time on his presentation, “Encoded, Layered and Transcoded Syntax Attacks.”

The premise for the “Get Rich or Die Trying” presentation was looking forward at the next 3-5 years, considering that we’re probably going to see less fertile ground for XSS/SQLi/CSRF to be taken advantage of – that is, if the good guys do their job well. So the bad guys will likely focus more attention on business logic flaws, which QA overlooks, scanners can’t identify, IDS/IPS can’t defend, and, more importantly, issues potentially generating 4, 5, 6 or even more figures a month in illicit revenue. In many ways, though, this is sort of like predicting the present, since just about every example we gave was grounded with a real-world public reference and backed by statistics. We also wanted this presentation to be very different from what most are used to at BlackHat, which tend to be deeply technical, hard to follow, and often dry. And while everyone in webappsec is transfixed on JavaScript malware issues, we chose another direction.

We designed a presentation meant to be a lot of fun, that taught things anyone could do, and that perhaps by the end might have people questioning their ethics. Judging from much of the feedback, I think we might have succeeded on the last point. :) RSnake was also a good sport when we ribbed him a little bit. For those interested in the slides, I quickly uploaded them to SlideShare. The quality is decent (hard to see the references) and you can download the PDF. I’m working on slenderizing it now, so when I have it I’ll upload that as well, including the video when we get it.

Lastly thank you very much to everyone who came and supported us, it meant a lot.

8 comments:

Eric said...

Great slideshow Jeremiah, glad you posted it.

Anonymous said...

I heard about your presentation, and really wanted the slides. Thanks for sharing such interesting material :)

Ari E-B said...

Although I agree with your larger point (business logic is starting to yield higher profits than hack attacks), I can't help but disagree with one thing. You mentioned on one slide that XSS, XSRF, SQL injection, etc. are all on the way out. We've known about buffer overflows for decades now, and for some reason they still occur. I don't think any of these attacks will actually be "on the way out" in a few years. They may be supplanted by newer attacks in terms of risk, but I just can't see them going away.

Jeremiah Grossman said...

@bachrach44, oh I agree that those issues are not going to vanish entirely for the exact reasons you described. In fact, I said as much in the speech at Black Hat. However, I do see evidence of their overall decline and difficulty increase in identifying them in high value target websites. My theory, and it is just a theory, is that monetizing them in the next 3-5 years will get much harder to do and the alternative of going after business logic flaws will be more attractive to the bad guys. Either way, we're going to have to find and fix both as best we can with business logic flaws not getting nearly the same amount of attention. Hence another reason for the talk.

Anonymous said...

Link to PDF of slides seems to be a zero byte file?

Thanks for posting to SlideShare, but I really would like the PDF of the slides.

Thanks

Anonymous said...

What about the Blackhat presentation of your colleague Arian Evans and associated tool? I mailed Arian about it some weeks ago on his anachronic mail address, but got no reply...

Maybe you can tell me where I can download the tool and the slides.

Anonymous said...

Hi,
regarding your slide 29, check this link
http://www.all-nettools.com/forum/showthread.php?t=7790
So probably this is not such a big threat.

Jeremiah Grossman said...

hmph, very interesting. Thanks for posting!