Thoughts from Black Hat

Good info on bad deeds from the Black Hat conference

Talk to anyone who attends Black Hat USA conferences and you'll hear about how boring the talks are, how nobody learned anything new, how the hacks were known last year -- not to mention the ridiculous posers. Ask those same attendees if they plan to attend next year, and they say "yeah" as fast as a poker player pushing all in with pocket aces.

I learned that pushing all in with pocket 5s in Las Vegas apparently isn't nearly as smart, but that's another topic.

While many of this year's Black Hat sessions were ultra boring -- I walked out of more talks than I stayed in -- I learned all sorts of interesting factoids. And although there wasn't, as in the past, any raw meat flying into the audience, some of the speakers were super knowledgeable and entertaining. Here are the ones that seemed to impress the audiences in the sessions I attended:

Hacking Macs is easy: And my Microsoft, Windows-loving self didn't say this. It was self-proclaimed Mac enthusiast and security researcher Charles Miller, Ph.D., principal security analyst with Independent Security Evaluators. He talked about how easy it was to hack Leopard and iPhones, which share a common root OS.

Essentially, Dr. Miller said that Apple was falling down on the job and making its OS way too easy to hack. He said he found more than 50 OS X programs that run in the SUID (Set User ID) context, most of which had been made non-SUID by most Unix and Linux distros years ago. He said that OS X doesn't randomize memory layout, the stack, the heap, or kernel instruction pointers, which are simple anti-buffer-overflow mechanisms deployed in Windows, Linux, BSD, and many other OSes.
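The count of setuid programs is something you can check on your own systems. Here is an added audit script, not from the column or from Dr. Miller, that uses only POSIX find and ls; the directory to scan is the caller's choice (it is a constructed temp directory in the test, not a real OS X path).

```shell
#!/bin/sh
# Added example (not from the column): audit a directory tree for the
# setuid/setgid executables that Dr. Miller counted on OS X.
# Assumes POSIX find/ls; the directory argument is supplied by the caller.

# Print every setuid or setgid regular file under $1, with mode and owner.
# -perm -4000 matches the setuid bit, -perm -2000 the setgid bit.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        ls -ld "$f" | awk -v path="$f" '{print $1, $3, $4, path}'
    done
}

# Print the number of setuid regular files under $1 (the figure the talk
# quoted as "more than 50" for a default OS X install).
count_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Print setuid files that are also writable by group or others. These are
# the findings to fix first: anyone who can modify such a file inherits
# the owner's privileges when it runs. -0020 is group-write, -0002 other-write.
writable_setuid_files() {
    find "$1" -type f -perm -4000 \( -perm -0020 -o -perm -0002 \) 2>/dev/null
}

# Usage: ./suid_audit.sh /  (scan the whole system; may be slow)
if [ -n "$1" ]; then
    echo "setuid files under $1: $(count_setuid_files "$1")"
    list_setid_files "$1"
    echo "group/world-writable setuid files:"
    writable_setuid_files "$1"
fi
```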

He continued by listing dozens of old programs and libraries patched in other OSes that Apple is still installing by default, or is just getting around to patching. Dr. Miller showed the crowd two recent JavaScript exploits (one on OS X and the other for the iPhone) and shared all the great reasons why Mac OS X is an easy platform to exploit. He also shared his techniques for hacking iPhones and discussed several other tools that made finding Apple exploits easier. He was absolutely giddy about some of the new changes Apple is making that will simplify the life of a hacker, er, researcher in the coming months.

Ultimately, Dr. Miller lamented Apple's growing market share as matched against its current state of security design. A member of the audience put it this way: "Apple is like this little ole, family-town sheriff who's moved to inner-city D.C. and is attempting to spread the love. It won't be pretty."

Hacking RFID: For my money, Chris Paget, director of R&D for IOActive, provided great entertainment with his RFID hacking demos and gun-shooting videos. Paget and his company developed a low-cost, handheld device for cloning RFID cards. Paget held up several RFID cards, waved them close to his cloning device, and in seconds created a usable copy of the original RFID card. He even placed one of the RFID cards into a protective sleeve that is advertised to keep the RFID card safe from cloning. Within 3 seconds, his device successfully read the information stored on the RFID card. In conclusion, Paget said, "If you use 125KHz proximity cards, your doors are highly insecure!"

At the back of the audience, another vendor, Identity Stronghold, was handing out free "secure sleeves" to help protect security cards from malicious cloning. I asked if the card sleeve would prevent the cloning that Paget was demoing. "No," was the reply, "not 125KHz cards." Maybe it's time to investigate your company's RFID frequencies.

Phil Zimmermann showed off his new Zfone VOIP security software. It adds solid encryption to any software-based VOIP client simply by installing the free software and pointing your VOIP software at a new host port. It doesn't use persistent keys or PKI. Mr. Zimmermann spent lots of time answering the audience's questions about Zfone and encryption software in general. But he had me at "Today, what I really care about is making sure democracy continues to thrive." You have to admire a guy with a 30-year burning desire for the betterment of the commons.

Bruce Schneier gave a great second-day keynote on the psychology of security. If you've been following any of Bruce's writings over the last year, you're already intimately familiar with the topic. I think I've read more than half a dozen of his essays on the subject, but he still managed to bring fresh information to the table and was a good speaker. I believe everyone, involved with security or not, should read Bruce's provocative information.

Brandon Baker of Microsoft spoke on Windows Server 2008's new virtualization model used in the Windows Virtualization Server (WSV) server role. Although I'm unsure whether the new security changes apply to just WSV or to virtualization in general, here's the gist of the newer security implementation: In older-style VMs, Guest OSes ran their kernel in the processor's Ring 1 (instead of Ring 0) and their applications in Ring 3. This necessitated that the VM software trick the Guest OS kernel into thinking it was running in Ring 0, as it expected. That requires virtualization tricks and special VM drivers.

The newer VM security model uses Intel and AMD hypervisor processor extensions to separate memory, CPU, and other resources into one or more partitions. The software portion of the hypervisor and the VM software run in the root partition. All Guest OSes run in separate partitions with separate resources, but with access to Ring 0 and above. This means no special VM drivers are needed. However, Guest OSes are prevented from directly accessing hardware by the extensions built into the CPUs.

Baker went on to summarize the threat-modeling scenarios and assumptions used to secure the next-generation virtualization software. He even covered threats they didn't address (for example, utilization DoS attacks, covert channels, and so on) inside each partition and where the biggest risks were. This was nothing new for those who follow virtualization, but it offered a nice, short presentation of the implemented changes.

Former chief counterterrorism advisor Richard Clarke gave the first day's keynote. I've seen him speak twice this year, and both times he thoroughly entertained the audience. I was upset that he took both opportunities to shamelessly hawk his latest book -- the guy's being paid to speak about security issues near and dear to our hearts, not to plug his writing. I have to say that my opinion of him has dropped considerably. I'm shocked. (In an unrelated story, my seventh book on computer security, "Windows Vista Security: Securing Vista Against Malicious Attacks," written with Dr. Jesper Johansson, is finally out and sold well at Black Hat. I'm shocked, I tell you.)