Blackhat 2013 Review


Wow, what a week. Blackhat and Defcon are infamous for their approach to sharing information amongst the community. New bugs and flaws are aired in public for the first time, with the intention of explaining how they were first identified, in some cases going into intense detail to highlight how they can be exposed.

Both events were probably the most political and emotional ever with the recent announcements on NSA and leaked PRISM details alongside the deaths earlier in 2013 of Aaron Swartz and Barnaby Jack, two young men who were both thought-leaders in their space.  Aaron with his campaign on internet freedom and Barnes with his infectious desire to break open and highlight serious flaws in critical devices whilst making hacking fun.  Both were remembered in their own way at the event.

Alongside this, we have the sessions with some great talks.  I attended as many as possible with the intention to focus on the big news stories where standing room only was the order of the day if you were late.  I’ll summarise my top talks of Blackhat below:

Maltego Tungsten Release


Maltego is a mapping tool by Paterva; at the event, however, the team demonstrated how their new release, Tungsten, could also be used for offensive measures. I’m a big fan of visual aids and so have used Maltego for its mapping capacity; however, using Tungsten to map and profile a target is a great way to demonstrate, with tools, how easy it is to profile a target and even unleash a basic attack with the pre-attack intelligence. Paterva also demonstrated their integration with Kingfisher, a spear-phishing toolkit, designed to highlight how easy it has become to use technology to assist with this lure stage.

http://maltego.blogspot.com/2013/04/blackhat-2013-tungsten-preview-trees.html

Android: One Root to Own them All


Bluebox’s very own Jeff Forristal took to the stage in front of a full house to release details of the Android flaw that was given to Google back in February. Jeff did a great job of presenting his finding, which initially started when he looked to integrate Google Maps using its API. He then discovered something strange with the ability to submit duplicate “classes.dex” files, which could be used for legitimate but also very intentionally malicious purposes. With the official announcement of the flaw, it took 17 days for malware to be found in the wild that could exploit this vulnerability. It then took just 7 days for more master key vulns to be found.

In its current state, with research verified by Bluebox, up to 69% of Android devices are vulnerable, with the majority of these being open to attack because the flaw preys on non-Google Play store apps. The majority of the 69% of the devices were open to Amazon and Enterprise app stores. This is definitely one to watch as the impact could be huge.

http://bluebox.com/corporate-blog/commentary-on-the-android-master-key-vulnerability-family/
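A defender-side check for the duplicate “classes.dex” condition described above, added here as an illustration and not taken from the talk or from Bluebox. The archive is a constructed sample with placeholder bytes, and the function names are hypothetical. It also shows that Python's own `zipfile` resolves a by-name read to the last record while a scan in archive order reaches the first; readers disagreeing over which duplicate counts is why repeated names are worth flagging.

```python
import io
import warnings
import zipfile
from collections import defaultdict


def build_sample_apk() -> bytes:
    """Constructed test archive: two entries share the name classes.dex."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns when a name is written twice
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", b"<manifest/>")
            zf.writestr("classes.dex", b"FIRST-ENTRY-PLACEHOLDER")
            zf.writestr("classes.dex", b"SECOND-ENTRY-PLACEHOLDER")
    return buf.getvalue()


def duplicate_entries(apk_bytes: bytes) -> dict:
    """Map each repeated entry name to the CRC32 of every copy, in archive order."""
    seen = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():  # infolist() keeps every central-directory record
            seen[info.filename].append(info.CRC)
    return {name: crcs for name, crcs in seen.items() if len(crcs) > 1}


def name_lookup_vs_first(apk_bytes: bytes, name: str):
    """Return (bytes from a by-name read, bytes of the first record with that name)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        by_name = zf.read(name)  # zipfile's name index keeps the last record
        first = next(zf.read(i) for i in zf.infolist() if i.filename == name)
    return by_name, first


if __name__ == "__main__":
    sample = build_sample_apk()
    for entry, crcs in duplicate_entries(sample).items():
        print("duplicate entry:", entry, [hex(c) for c in crcs])
    print(name_lookup_vs_first(sample, "classes.dex"))
```

An app-store or MDM intake pipeline can reject any package for which `duplicate_entries` returns a non-empty result.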

Java Every-Days


HP took to the stage to tell us what we all know, in that Java is broken; however, these guys went to new depths in highlighting how bad the situation is by opening up some common exposures and explaining how they were discovered. They quoted Websense security research highlighting that back in March over 93% of browsers were running an out-of-date Java plug-in, which is a huge number. They also referenced the finding that exploit kits by design will target a Java vulnerability. The session was perfectly wrapped up, highlighting the risks associated with this and that it should be a focus of any organisation to start mitigation plans against these known and documented exposures.

Whitepaper: US-13-Gorenc-Java-Every-Days-Exploiting-Software-Running-on-3-Billion-Devices-WP.pdf

SSL, Gone in 30 Seconds


My favourite talk of the event was from Prado, Harris and Gluck, who started off their presentation by updating the Wikipedia page from the announcement last year of CRIME, in that the vuln had been fixed. It had not. They introduced us to BREACH, which was designed to attack HTTP responses by measuring the size of the response and emulating this. They highlighted how with BREACH the attack can be launched in just over 30 seconds and is typically successful, with few mitigating factors. The biggest takeaway is that this side-channel attack can be used against all versions of SSL and TLS. This kinda highlights that the security of HTTP is broken…which is another big deal.

http://breachattack.com/#howitworks
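To make the response-size signal concrete, here is an added example (not code from the talk or its authors) that compresses a constructed page which reflects a request parameter next to a CSRF token, then repeats the measurement with the token masked per response. Masking is a commonly used mitigation brought in here as an assumption; the token, pad, page template and function names are all constructed for the demonstration.

```python
import os
import zlib

SECRET = "9f2c7a41e0b35d8864c1aa07f3e9d512"  # constructed 32-hex CSRF token
WRONG = "3b80d6f1257ce94a0d6e5b93c4187fa2"   # constructed non-matching value, same length
DEMO_PAD = bytes.fromhex("c45e1b7a90d23f68a1074ce5b89236df")  # fixed pad, for repeatable output


def page(reflected: str, token_field: str) -> bytes:
    """Constructed response body: reflects a request parameter and embeds a token."""
    return (
        "<html><body><p>Results for: " + reflected + "</p>"
        "<form action='/transfer' method='post'>"
        "<input type='hidden' name='csrf_token' value='" + token_field + "'>"
        "</form></body></html>"
    ).encode()


def compressed_len(body: bytes) -> int:
    """Size of the body after DEFLATE, which is what an on-path observer can measure."""
    return len(zlib.compress(body, 9))


def mask(token: str, pad: bytes = None) -> str:
    """Per-response masking: emit pad || (token XOR pad) so the raw token never appears."""
    raw = bytes.fromhex(token)
    pad = os.urandom(len(raw)) if pad is None else pad  # fresh pad per response in real use
    return (pad + bytes(a ^ b for a, b in zip(raw, pad))).hex()


def unmask(field: str) -> str:
    """Server side: recover the token from a submitted masked field."""
    raw = bytes.fromhex(field)
    half = len(raw) // 2
    return bytes(a ^ b for a, b in zip(raw[half:], raw[:half])).hex()


def size_gap(masked: bool, pad: bytes = DEMO_PAD) -> int:
    """Compressed bytes saved when the reflected value equals the token, versus when it does not."""
    field = mask(SECRET, pad) if masked else SECRET
    return compressed_len(page(WRONG, field)) - compressed_len(page(SECRET, field))


if __name__ == "__main__":
    print("size gap, token in the clear:", size_gap(masked=False))
    print("size gap, token masked      :", size_gap(masked=True))
```

The gap in the first case exists regardless of the SSL/TLS version because compression happens before encryption; masking removes the repeated substring that produces it.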

Sandbox (General)


I went to all the sandbox talks where possible, including the Cuckoo and FireEye talks, where the focus of discussion was on sandbox evasion techniques. I have followed evasion techniques for many years, including malware analysis using sandboxes when time-based techniques were first introduced. Nothing new from these talks other than that the surge in malware now designed to identify and bypass a sandbox, or only to launch when it identifies user behaviour, is growing. The feedback was to keep your sandbox updated and hardened to avoid being bypassed and to also use more than just sandbox technology to identify the threat. Common sense, but yet another solution to constantly manage and update. I’m a firm believer in using cloud computing for sandbox requirements, as you have near infinite resources in the cloud, and vendors hardening and updating their own sandbox in their own environment makes more sense. This needs to be leveraged in order for us to move away from sandboxing as a point control and to embed this in the lifecycle of an attack to generate supporting events.

Conclusion

So to summarise, a great few days catching up with thought-leaders in the industry, learning new techniques and being present for the release of some very cool tools and new disclosures.  It will be remembered as a political and emotional event but also as further indication that we are all vulnerable, even as people, which was echoed and supported in holding silence and solidarity for those few moments before the event.

RIP Barnaby (Barnes) Jack, 1977-2013