My final account of Black Hat 2007 and Defcon 15 is not nearly as entertaining as my wife Llana’s. First of all, Black Hat is by far my favorite conference and I look forward to it every year. The talks and speakers are top notch (well, most are), the attendees come from all over the world with interesting stories to share, and there is always something going on day or night. This year’s show was bigger than ever, 4,000 strong, with security professionals, press, analysts, hackers, government employees, vendors, etc. Black Hat is totally worth every penny spent if only to meet the people there.
RSnake and I presented Hacking Intranet Websites from the Outside (Take 2) to a packed audience. We discussed the current theory and demonstrated several cool tricks including browser history stealing and port scanning (using only HTML/CSS), De-Anonymizing, and Split VPN Tunnel Hacking (using some JavaScript Malware). Those who regularly read our blogs should be familiar with most of these techniques, but judging by the audience reaction most attendees clearly were not. After the speech many dozens of people crowded the stage to ask questions and congratulate us on a job well done. We also made lots of press including NetworkWorld, E-Commerce News, InformationWeek, and InfoWorld.
In the aftermath, Richard Bejtlich and Michael Farnum moved along to the Depression stage of web security grief:
“Existing defenses are absolutely ineffective against current attacks. I am struggling to describe the importance of this insight. It does not matter if you are fully patched, "properly configured," not running Javascript, or adopting any number of other current defensive strategies if you use a Web browser that renders modern rich content. Almost none of the techniques described in the Black Hat talks relies upon exploiting vulnerable software. Almost all of them abuse inherent functionality for malicious reasons.”
Between our presentation and the DNS Rebinding talks, I think we really drove the point home that the Intranet is no longer off limits and browser security needs to be rethought. And soon! Now it’s the browser vendors’ turn, and with all the press I’m sure they’ve been queued up.
The slides and most of the PoCs have been made available. Hopefully we get the video soon so we can post that as well.
Two great talks: Intranet Invasion With Anti-DNS Pinning by David Byrne and Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity by Brad Hill. I learned several things in each of these and the content was well presented.
Iron Chef Blackhat: OK, I have no idea how Brian Chess
During the hacking, The President was non-stop cracking jokes saying sarcastic things like “this is blowing my mind”, making comparative references to Paris Hilton, and busting John’s Symantec chops for not ridding his computer of viruses. So damn funny. At the end the winner didn’t really matter. Both Iron Chefs showed well, people learned a thing or two about the VA process, and everyone seemed to really enjoy the show. Hopefully Brian and Fortify will keep this going. It was a lot of fun.
Side-channel conversations: There was a good bit of chitchat about BJJ and MMA. A lot of people in infosec train in various forms of martial arts. Makes sense, I guess. However, I was not prepared for Chris Hoff’s unprovoked attack. In the front of PURE, Chris comes out of nowhere like the Blair Witch, hugs me and says, “all I want to do is get in your butterfly guard big boy.“ I think Mike Rothman was standing there just as confused as I was. :) Then later there was talk about some Hacker MMA Smackdown event rumor I hadn’t heard about. RSnake had, and immediately said in his best Tyler Durden voice, “I’d fight Erik Birkholz.” I kid you not. Ask the Mozilla guys, they were there! Gotta be on guard at all times around these infosec guys, sheesh.
CiscoGate and Predictable Resource Location: Jeff Moss gave an excellent and entertaining presentation about the timeline of events surrounding the Michael Lynn, ISS, and Cisco fiasco from a while back. One thing I thought was interesting was that after a federal judge issued a TRO against BlackHat, they removed the offending files from the web server. Strike that: in their haste, they removed the links to the files and forgot to remove the files themselves. Someone took the opportunity to guess file names on the web server for 8 straight hours until they finally found them, and shortly thereafter the material flooded to every corner of the web. Cisco complained in court that this violated the TRO, but the court saw it otherwise.
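The lesson of that last anecdote is that unlinking a file from a page does not remove it: anyone who remembers or guesses its path can still fetch it. The audit below is an added example (my own illustration, not code from the post or from Black Hat) that walks a web root, follows href/src links from an assumed entry page (`index.html`), and reports every served file that no page links to, so that the orphans can be deleted deliberately rather than left behind. The web root it builds in `demo()` is constructed for the example.

```python
"""
Orphan-file audit: list files under a web root that are still served but are
no longer reachable by following href/src links from the entry page.
Added example; the entry-page name and the href/src-only link model are
assumptions of this illustration.
"""
import os
import posixpath
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class _LinkExtractor(HTMLParser):
    """Collect href and src attribute values from one HTML page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def _resolve(page_rel, link):
    """Map a link found in page_rel (root-relative POSIX path) to a
    root-relative path. Returns None for external URLs, bare anchors,
    mailto:/javascript: links and anything escaping the web root."""
    parts = urlsplit(link)
    if parts.scheme or parts.netloc or not parts.path:
        return None
    path = unquote(parts.path)
    if path.startswith("/"):
        target = posixpath.normpath(path.lstrip("/"))
    else:
        target = posixpath.normpath(posixpath.join(posixpath.dirname(page_rel), path))
    if target.startswith(".."):
        return None
    return target


def find_orphans(webroot, entry="index.html"):
    """Return the set of root-relative files under webroot that are not
    reachable from the entry page. Everything on disk is assumed served."""
    served = set()
    for dirpath, _, filenames in os.walk(webroot):
        for fn in filenames:
            rel = os.path.relpath(os.path.join(dirpath, fn), webroot)
            served.add(rel.replace(os.sep, "/"))

    reachable = set()
    stack = [entry] if entry in served else []
    while stack:
        page = stack.pop()
        if page in reachable:
            continue
        reachable.add(page)
        # Only HTML pages are parsed for further links; other files are leaves.
        if not page.lower().endswith((".html", ".htm")):
            continue
        with open(os.path.join(webroot, page), encoding="utf-8", errors="replace") as f:
            parser = _LinkExtractor()
            parser.feed(f.read())
        for link in parser.links:
            target = _resolve(page, link)
            if target in served and target not in reachable:
                stack.append(target)
    return served - reachable


def demo():
    """Constructed web root: index.html links to files/talk.pdf, but
    files/old-talk.pdf was 'taken down' by removing its link only."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "files"))
    with open(os.path.join(root, "index.html"), "w", encoding="utf-8") as f:
        f.write('<html><body><a href="files/talk.pdf">Slides</a>'
                '<a href="about.html">About</a>'
                '<a href="https://example.com/">External</a></body></html>')
    with open(os.path.join(root, "about.html"), "w", encoding="utf-8") as f:
        f.write('<html><body><img src="/logo.png"></body></html>')
    for name in ("files/talk.pdf", "files/old-talk.pdf", "logo.png"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"placeholder content")
    return sorted(find_orphans(root))


if __name__ == "__main__":
    print(demo())  # ['files/old-talk.pdf']
```

Run against a real site, the output is a to-do list of files to delete or move outside the web root; a file that must stay published but unlinked should be an explicit, reviewed exception rather than something the audit silently ignores.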
9 comments:
My response to the testimony offered thus far is...
I, um, claim a fifth...not *THE* fifth, but *A* fifth...of bourbon.
...and I wouldn't really call it a *hug*. Please, don't call it a hug. I was preparing for a suplex.
You mean you couldn't tell?
It's all Maynor's fault.
/Hoff
OH! Was THAT what you were doing! Trying to close the distance and take me down to ground eh. We'll have to get you some practice in that :)
I have posted the actual events on my blog:
http://rationalsecurity.typepad.com/blog/2007/08/slanderous-accu.html
Meh!
Fair enough, both sides of the story have now been heard. I hate leaving a match to the judges though.
Jeremiah, your presentation about intranet hacking is not available, code 404.
Ah, actually it's available from the link in your post, but the link on the WhiteHat's site is broken.
Thanks Buben, I'll get that fixed. Notified the webmaster.
Hi Jeremiah,
Nice, I saw the pictures also. Glad they were put online so I could enjoy it a bit and see what I missed. I hope to come by once, maybe next year, because it's an awfully long trip from the Netherlands :)
Cheers!
Ronald van den Heetkamp
0x000000.com
That would be fantastic if you could make it next year, even if it's only to Defcon. Maybe we could do another party there as well! :)