Blackhat 2013 Review

Wow, what a week.  Blackhat and Defcon are infamous for their approach to sharing information amongst the community.  New bugs and flaws are aired in public for the first time, with the intention of explaining how they were first identified, in some cases going into intense detail to highlight how they can be exposed.

Both events were probably the most political and emotional ever, with the recent announcements on the NSA and the leaked PRISM details, alongside the deaths earlier in 2013 of Aaron Swartz and Barnaby Jack, two young men who were both thought-leaders in their space: Aaron with his campaign for internet freedom, and Barnes with his infectious desire to break open and highlight serious flaws in critical devices whilst making hacking fun.  Both were remembered in their own way at the event.

Alongside this, we had the sessions, with some great talks.  I attended as many as possible, intending to focus on the big news stories, where standing room only was the order of the day if you were late.  I’ll summarise my top talks of Blackhat below:

Maltego Tungsten Release

Maltego is a mapping tool by Paterva; at the event, however, the team demonstrated how their new release, Tungsten, could also be used for offensive measures.  I’m a big fan of visual aids and have used Maltego for its mapping capacity, but using Tungsten to map and profile a target is a great way to demonstrate with tools how easy it is to profile a target and even unleash a basic attack with the pre-attack intelligence.  Paterva also demonstrated their integration with Kingfisher, a spear-phishing toolkit, designed to highlight how easy it has become to use technology to assist with this lure stage.

http://maltego.blogspot.com/2013/04/blackhat-2013-tungsten-preview-trees.html

Android: One Root to Own them All

Bluebox’s very own Jeff Forristal took to the stage in front of a full house to release details of the Android flaw that was reported to Google back in February.  Jeff did a great job of presenting a finding that initially started when he looked to integrate Google Maps using its API.  He then discovered something strange: the ability to submit duplicate “classes.dex” entries, which could be used for legitimate but also very intentionally malicious purposes.  After the official announcement of the flaw, it took 17 days for malware that could exploit this vulnerability to be found in the wild.  It then took just 7 days for more master key vulns to be found.

In its current state, with research verified by Bluebox, up to 69% of Android devices are vulnerable, with the majority of these being open to attack because the flaw preys on apps from outside the Google Play store.  The majority of that 69% of devices were open to apps from the Amazon and Enterprise app stores.  This is definitely one to watch, as the impact could be huge.

http://bluebox.com/corporate-blog/commentary-on-the-android-master-key-vulnerability-family/
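The flaw described above hinges on one archive carrying two entries with the same name, so the cheapest defensive check is to walk the ZIP central directory and flag any name that appears more than once. The script below is an added example written for this post, not Bluebox’s or Google’s code; the "APK" it inspects is a constructed in-memory ZIP with an `AndroidManifest.xml` and `classes.dex` layout, and the `entry_payloads` helper shows why duplicates matter: two consumers that resolve the same name differently (first copy versus last copy) see different bytes.

```python
import io
import warnings
import zipfile
from collections import Counter


def duplicate_entries(archive_bytes):
    """Return {name: count} for every entry name listed more than once in the
    ZIP central directory.  A clean APK yields an empty dict."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return {name: n for name, n in counts.items() if n > 1}


def entry_payloads(archive_bytes, name):
    """Return the payload of every entry called `name`, in central-directory order.
    Opening by ZipInfo (not by name) is what lets us see each copy separately;
    a lookup by name would silently return only one of them."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [zf.open(info).read() for info in zf.infolist()
                if info.filename == name]


def build_sample_apk(with_duplicate_dex):
    """Construct a tiny ZIP laid out like an APK.  Constructed sample for this
    example only; it is not a real application and contains no real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00 original code")
        if with_duplicate_dex:
            # zipfile warns about the duplicate name but still writes a second entry
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("classes.dex", b"dex\n035\x00 injected code")
    return buf.getvalue()


if __name__ == "__main__":
    for dup in (False, True):
        apk = build_sample_apk(dup)
        print("duplicate classes.dex written:", dup,
              "-> detector reports:", duplicate_entries(apk) or "clean")
```

A check like this belongs wherever an organisation accepts APKs it did not build itself (an enterprise app store, a mobile device management gateway), because a signature check alone passed on the vulnerable devices.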

Java Every-Days

HP took to the stage to tell us what we all know, that Java is broken; these guys, however, went to new depths in highlighting how bad the situation is, opening up some common exposures and walking through how they were discovered.  They quoted Websense security research showing that back in March over 93% of browsers were running an out-of-date Java plug-in, which is a huge number.  They also referenced the finding that exploit kits, by design, will target a Java vulnerability.  The session was perfectly wrapped up by highlighting the risks associated with this, and that it should be a focus of any organisation to start mitigation plans against these known and documented exposures.

Whitepaper: US-13-Gorenc-Java-Every-Days-Exploiting-Software-Running-on-3-Billion-Devices-WP.pdf

SSL, Gone in 30 Seconds

My favourite talk of the event was from Prado, Harris and Gluck, who started off their presentation by updating the Wikipedia page, which since last year’s announcement of CRIME had stated that the vuln had been fixed.  It had not.  They introduced us to BREACH, which was designed to attack HTTP responses by measuring the size of the compressed response and repeating the measurement.  They highlighted how, with BREACH, the attack can be launched in just over 30 seconds and is typically successful, with few mitigating factors.  The biggest takeaway is that this side-channel attack can be used against all versions of SSL and TLS.  This kinda highlights that the security of HTTP is broken…which is another big deal.

http://breachattack.com/#howitworks
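The side channel the talk describes is simply that DEFLATE shrinks a body more when two of its substrings match, so the compressed length of a response that echoes user input next to a secret depends on how much of the secret the input shares. The snippet below is an added example for this post, not the BREACH authors’ code: `render_page` is a hypothetical page that reflects a query string next to a constructed sample CSRF token, `length_gap` is what an observer of ciphertext lengths would see, and `mask_token`/`unmask_token` implement one of the mitigations listed on breachattack.com (XOR the secret with a fresh random pad on every response) so that the secret bytes never repeat across responses.

```python
import os
import zlib

# Constructed sample secret; in a real application this would be a per-session token.
SECRET_TOKEN = "csrf=7f3a9c1e"


def render_page(reflected, token=SECRET_TOKEN):
    """Hypothetical response body that echoes attacker-controllable input next to a
    secret: the combination BREACH needs (reflection + secret + compression)."""
    return ("<html><body><p>Results for: %s</p>"
            "<form><input name='%s'></form></body></html>" % (reflected, token))


def compressed_len(body):
    """What a network observer sees: the DEFLATE length of the body, not its text."""
    return len(zlib.compress(body.encode(), 9))


def length_gap(token, correct_prefix, wrong_prefix):
    """Compressed size of the wrong-guess response minus the correct-guess one.
    A gap of zero or more means the correct guess never costs extra bytes, so the
    length alone distinguishes the guesses over time."""
    return (compressed_len(render_page(wrong_prefix, token))
            - compressed_len(render_page(correct_prefix, token)))


def mask_token(token, pad=None):
    """Mitigation: XOR the secret with a fresh random pad for every response and
    transmit pad||masked as hex.  The literal secret never appears in the body,
    so a reflected guess has nothing to share a DEFLATE match with."""
    raw = token.encode()
    pad = os.urandom(len(raw)) if pad is None else pad
    masked = bytes(a ^ b for a, b in zip(pad, raw))
    return pad.hex() + masked.hex()


def unmask_token(masked_hex):
    """Server side: split pad||masked and recover the original token."""
    data = bytes.fromhex(masked_hex)
    half = len(data) // 2
    pad, masked = data[:half], data[half:]
    return bytes(a ^ b for a, b in zip(pad, masked)).decode()


if __name__ == "__main__":
    correct, wrong = "csrf=7f3a9c1", "csrf=7f3a9c~"
    print("raw token, wrong-minus-correct bytes:",
          length_gap(SECRET_TOKEN, correct, wrong))
    print("masked token, wrong-minus-correct bytes:",
          length_gap(mask_token(SECRET_TOKEN), correct, wrong))
```

Masking changes the ciphertext length of every response, which is why it defeats the measurement rather than just hiding the value; the other options the authors list (disabling HTTP compression for pages that embed secrets, or separating secrets from user input) attack the same precondition.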

Sandbox (General)

I went to all the sandbox talks where possible, including the Cuckoo and FireEye talks, where the focus of discussion was on sandbox evasion techniques.  I have followed evasion techniques for many years, including malware analysis using sandboxes when time-based techniques were first introduced.  Nothing new came out of these talks, other than that the surge in malware designed to identify and bypass a sandbox, or to launch only when it identifies user behaviour, is growing.  The feedback was to keep your sandbox updated and hardened to avoid being bypassed, and to use more than just sandbox technology to identify the threat.  Common sense, but yet another solution to constantly manage and update.  I’m a firm believer in using cloud computing for sandbox requirements, as you have near infinite resources in the cloud, and a vendor hardening and updating their own sandbox in their own environment makes more sense.  This needs to be leveraged in order for us to move away from sandboxing as a point control and to embed it in the lifecycle of an attack to generate supporting events.

Conclusion

So to summarise: a great few days catching up with thought-leaders in the industry, learning new techniques and being present for the release of some very cool tools and new disclosures.  It will be remembered as a political and emotional event, but also as a further indication that we are all vulnerable, even as people, which was echoed in the few moments of silence and solidarity held before the event.

RIP Barnaby (Barnes) Jack, 1977-2013

Black Hat 2013: Preview

I was recently asked to record a preview of the top 3 topics to focus on @ Black Hat 2013.

For reference, the talks I refer to in the video are here:

Android: One Root To Own Them All (http://www.blackhat.com/us-13/briefings.html#Forristal)

SSL, Gone in 30 Seconds – A Breach Beyond Crime (http://www.blackhat.com/us-13/briefings.html#Prado)

Sandbox talks:

Hunting the Shadows: In Depth Analysis of Escalated APT Attacks (http://www.blackhat.com/us-13/briefings.html#Yarochkin)

Mo Malware Mo Problems – Cuckoo Sandbox to the Rescue (http://www.blackhat.com/us-13/briefings.html#Guarnieri)

I will follow-up with recordings at the event along with a post event conclusion on the top takeaways from Black Hat 2013.

50 Shades of Grey Hat

We have white hats, we have black hats, we even have grey hats.  However, what is the true meaning of a grey hat hacker?   These individuals are typically not malicious by nature and do not intentionally cause harm, yet at the same time they may not act ethically.

One of my favourite security books is still “Gray Hat Hacking: The Ethical Hacker’s Handbook” which references ethical disclosure, pen testing and tools, exploiting vulnerabilities and malware analysis.  It focuses on the same common tactic used in relation to attacks on organisations.  Chapter 16 of this book covers content security as an example with its focus on protecting information, and the attacks we see today still resonate from when this book was published many years ago.

Web and email are still the primary two channels, used to launch an enterprise attack, yet remain the weakest ingress and egress points on the network, with most organisations still having basic spam and web filter products running AV engines.  The book explained how easy it is to bypass these controls back in 2010 and continues to be a discussion point raised by grey hats.  A common question asked is “Why do we struggle to protect our networks and websites when the majority of attacks can be stopped?”

Another example of grey hats is security vendors or lone researchers disclosing vulnerabilities before the vendor has patched, with the aim of planting a flag and demonstrating their security research efforts.  In most cases, this is incorrect.  They were simply first in lowering their standards, under pressure from marketing teams or financial rewards, to come up with the latest story and to assist with their visibility in the industry.  You also have individuals whose intention is to gain notoriety in the industry.  A recent example is the Apple Developer site hack, which has been attributed to a lone researcher in the UK who was upset that the development site was vulnerable.  He claims his intention was not hacking but bug finding, and testing whether he could exploit the vulnerability by extracting data from the site.  He was quick to announce his involvement once the site was taken down.

This prompts the argument of when to disclose: if the vendor fails to respond to these disclosures and the vulnerability is being used actively in the wild, does the individual or group who identified the vulnerability disclose it publicly?  Doing the right thing then becomes a difficult decision.  We need to decide how much we can share, and in what timeframe.

So where do we stand…are grey hat hackers good for the InfoSec industry?  I believe a code of conduct should be followed and parameters set for anyone wanting to partake in these activities.  Any deviation from this underlines you are performing malicious activity.

Parameters

  1. Engagement – before performing any task including a basic vulnerability scan, you must agree first and obtain the asset owner’s buy-in.
  2. Disclosure – any vulnerability found must be disclosed to the vendor/owner, if attacks are being found in the wild, government agencies must be informed.  Ethical disclosure is paramount.
  3. Remediation – never attempt to remediate, and never attempt to test your findings, such as by attempting to exfiltrate data…ethical hacking requires control and the basic principle of notification only.

To summarise, we can consider ourselves at a pivot point with grey hats.  They have access to resources and rewards, we share content in the community that can aid them, they use this shared information and their own intelligence to identify bugs and flaws in our networks and websites which when ethically disclosed is great.  In rare cases however they are similar to Mr Grey, they can become very passionate individuals that sometimes get a bit too carried away.

Welcome

Hi and welcome to security-exposed.com.  A site and podcast series with the primary aim to focus on security news and the industry to demystify the complex world of information security.  A fortnightly podcast will be run with regular presenters and guests from around the world of infosec.  We will discuss the top news stories, some best practice and also a gadget/app of the fortnight.  We look forward to welcoming you.