This year I had the pleasure of attending the Blackhat Briefings and Defcon in Las Vegas. Although there are many other good security conferences, the combination of Blackhat with Defcon to my mind remains the gold standard for the biggest news that affects the computer (in)security industry. In past years, foundational Internet protocols such as DNS and SSL have been thoroughly trounced, PLC’s used in SCADA environments have been broken, and security researchers have found and weaponized new exploitation techniques. This year had many quality presentations, and I’d like to acknowledge a few of them in this blog post:
“Black Ops” – Dan Kaminsky. For those that aren’t aware, Dan is the security researcher who discovered a serious cache poisoning vulnerability in DNS and presented this at Blackhat in 2008. Dan’s talks are a technical tour de force, and he typically concentrates on broad security problems that impact major protocols and applications. This year, his Black Ops talk discussed a collection of ideas, and two of the most impactful are 1) a needed change (particularly for VM’s) to how entropy is collected, and 2) a technique for mitigating SQL-injection attacks in popular web services. For 1), the usual strategy for collecting entropy is for an application to appeal to the operating system via /dev/random or /dev/urandom. Behind the scenes, the OS gathers entropy from sources such as a hardware RNG, the keyboard and mouse, disk rotation variances, and more. However, there are large deployment environments that sometimes have none of these sources available such as server-side VM’s, and this implies that other strategies for collecting entropy are needed in such environments. This is where Dan hopes that an older technology for entropy collection that is based on timing differences between two different clocks can be brought back and updated. Towards this end, Dan is going to release a new project called “Dakarand” soon on his website http://dankaminsky.com. Now, for 2) and mitigating SQL-injection attacks, Dan has already released a project called “Interpolique”: http://dankaminsky.com/interpolique/. For the complete Black Ops slides you can download them here: http://dankaminsky.com/2012/08/06/bo2012/
“Hauwei Routers” – FX. This presentation was given at Defcon by two researchers from Recurity – a Germany-based reverse engineering firm. FX is well known in the security community, and has been presenting at Defcon for many years. The original title of this talk was “Hacking [redacted] Routers”, and essentially it lays out in detail a huge attack surface in Huawei routers. The attack surface is provided by vulnerabilities in many Huawei components and covers the spectrum from both stack and heap overflows to low RSA modulus size used for SSH communications to web services issues. One of the best quotes from the talk was “Why does Huawei bother to build backdoors into their routers when there are heap overflows all over the place?”. The slides are quite compelling, and can be found here: http://phenoelit.org/stuff/Huawei_DEFCON_XX.p
“Linux Interactive Exploit Development with GDB and PEDA” – Long Le. This talk dived into the details of how to develop exploits using a Python GDB extension developed by Le called “PEDA”. According to the talk abstract, exploit development is a time consuming process that frequently involves spending a lot of time in a debugger. However, GDB does not provide an intuitive interface that is geared towards exploit development (perhaps for obvious reasons), and this is where PEDA comes in. For example, from the Blackhat abstract, PEDA provides “cyclic pattern create and search; ELF headers and symbols retrieval; simple ASM instructions and ROP gadgets search; common shellcodes and ROP payloads generation (ret2plt data transfer, ret2dlresolve); exploit skeleton generation; in memory fuzzer; and crashdump logging”. The talk was presented in a workshop format and exploits were developed live by the audience against an older version of the telnet daemon with guidance from Le. The slides can be found here: https://media.blackhat.com/bh-us-12/Briefings/Le/BH_US_12_Le_Linux_Interactive_Exploit_Development_with_GDB_and_PEDA_Slides.pdf
“Here Be Backdoors: A Journey into the Secrets of Industrial Firmware” – Ruben Santamarta. This talk presented a series of techniques for finding backdoors in SCADA systems through reverse engineering of vendor firmware images. To me, this was an important talk because Ruben demonstrated that backdoors and other vulnerabilities in industrial systems can be found in some cases quite easily without having any access to the target hardware itself (which can be quite expensive). Once a weakness is found by an attacker, it is simply a matter of locating a target SCADA system that is connected to the Internet, and the SHODAN scanning service can help here. Given the importance of SCADA systems that are in positions of physical control and manipulation in everything from water treatment plants to power generation infrastructure, this talk has broad ramifications and only heightens the debate around responsible disclosure. (As a side note, Enterasys plays in the SCADA protection space, see http://www.enterasys.com/company/literature/siem-security-energy-control-wp.pdf and http://www.enterasys.com/company/literature/infoblox-sab.pdf)
There were many other worthy presentations, and I encourage you to take a look through the information available on the Blackhat and Defcon websites. Many of the researchers also make their presentations available through their own websites, and the researchers themselves can generally be found on Twitter.