Black Hat 2008 USA – Overview
August 2008 by Michael Hayes CTO, B-4-U Inc.
At the opening of Black Hat 2008 in Las Vegas, Nevada, a number of focuses have changed since the 2007 conference. Notable points include the absence of the business-focused tracks of previous years, including the absence of VC panels, and no voice over IP track, in stark contrast to the numerous sessions of the VoIP track of the previous year. There is an increased awareness of wireless, both from a Wi-Fi perspective and a mobile smart phone perspective, and finally the buzz: a guest appearance by Mr. Dan Kaminsky for his discussion on current DNS vulnerabilities.
Also, we cannot forget the arrest of one of the largest credit card fraud groups in the United States: 40 million credit cards used in the largest department stores, with notables like TJX Companies, owner of TJ Maxx clothing outlets; Barnes and Noble; OfficeMax; Sports Authority and others, were stolen. From a security perspective, this was accomplished by war driving unprotected Wi-Fi access points, gaining access via Wi-Fi, and planting malicious code in the network to capture credit card info.
Looking through the rear view mirror:
The following is a summary of a few conference proceedings; more details will follow on selected topics.
Bad Sushi: Beating Phishers at Their Own Game, by Nitesh Dhanjani and Billy Rios. Great talk on phishing. The biggest issue is the availability of phishing kits; any business that uses financial or credit card info is at risk. Web sites are available that freely trade in stolen financial information. Banks, e-commerce sites and other financial institutions need to pay special attention to phishing, and double their efforts to protect themselves and their clients. Access technologies need to be implemented and maintained.
DNS Goodness by Dan Kaminsky, a key speaker and a key topic. DNS vulnerabilities and exposures are critical and need to be patched and closed now. DNS vulnerabilities, when left open, can create 10 to 20 major attack vectors. This is a very dramatic and frightening security issue. In simple terms, imagine that every telephone call and mobile call needs to go to Directory Assistance for handling. If the operator is 100% accurate and 100% honest, all our calls would reach the correct destination. Now imagine that this same Directory Assistance operator is replaced by a dishonest operator, who now places calls on your behalf to another business or listens in to your conversations. The DNS vulnerabilities covered in this talk, and the exploits that take over or masquerade as a legitimate DNS server, need to be fixed now.
Client-Side Security by Petko D. Petkov. Interesting technical discussion based on the use of multiple technologies together to exploit systems. Taken alone, a simple tool like Flash, Java or Citrix may pose a low security risk or maybe even no risk. But utilized in concert, innocent tools can embed complex attacks on the client side without the client's knowledge. Given the hardening of servers in an enterprise, the client side is now the most vulnerable part of an enterprise's network security.
Exploiting Google Gadgets by Tom Stracener. New attack vectors are always appearing, but one of the major concerns occurs when a trusted vendor inadvertently opens a new attack vector. Google's introduction of Google Gadgets is one of those occasions. Google Gadgets allow users to download small applications that morph over time to improve the user's experience on the Web. This in itself is a benign issue, but what is not benign is that these applications do not get reviewed from a security perspective, thereby introducing a new attack vector to an enterprise.
Hardware Track, focused on Access Technology, by various presenters. This dedicated track on day two was an eye opener, covering everything from hacking the ePassport, our newest international biometric passport information and storage system, for $75.00 of hardware and simple programs, to a variety of vulnerabilities in various token and access hardware technologies and systems. This track also covered numerous two-factor authentication tools and the inherent weaknesses in them.
Through the looking Glass:
With the increased protection of the perimeter of corporate networks through firewalls, IDSs, and IPSs, the ability to penetrate large enterprises and governments through a frontal attack is becoming more expensive. A number of penetration testers have noticed the improvements over the last few years. Penetration testers and hackers now have to work harder to get by the front gates. The network perimeter still needs significant vigilance. However, the number of side doors has increased dramatically, with both the use of wireless devices and Wi-Fi and a myriad of client-side vulnerabilities. As security professionals, we must still be ever vigilant to new attack vectors, and drive improved security to the end user both at work and at home. We also must alert and train our non-technical teams in the areas of safe computing.