2007-09-01
Abstract
VB sent roving reporters (aka anti-virus miscreants) Andrew Lee and David Perry to the Nevada desert for five days of non-stop hardcore computer security at the Black Hat Briefings and hacker convention DEFCON 15. Andrew Lee reports on Black Hat, and David Perry rounds up the fun and games (and serious business) at DEFCON.
Copyright © 2007 Virus Bulletin
In a valley surely more deserving of the title ‘silicon valley’ than any other – surrounded as it is by nothing but solid rock and silicon dioxide – lies Las Vegas, a place so unreal it is equally deserving of the title ‘virtual reality’. A town through which millions of dollars pass daily, and therefore a town where security is ever present, Las Vegas somehow combines feelings of freedom, fun and security in a town where attempted fraud (and worse) is a daily reality. Sound familiar? I can’t help being reminded of the world wild web, where the constant struggle to protect and secure is matched by an equally energetic and opposite struggle to compromise.
Perhaps fittingly then, it is here that the largest computer security conference in the world takes place. Each year several thousand people meet over a few days in the height of summer, under the blazing heat of the sun, in the middle of a desert to learn about the latest happenings in the computer security world. Patrons of all stripe, from hackers, crackers and slackers (well, you have to have three rhymes) to feds, pros (and possibly a few cons!) and all the assorted personnel that you’d expect at a major security conference.
It’s hard to grasp the scale of the conference, dwarfed as it is by the simply huge Caesar’s Palace venue, but you start to realize it in the crowded corridors between presentations and the endless line to get into the lunch room.
The Black Hat conference is preceded by various training workshops, which are available for an additional fee. There is a good variety of topics on offer, and the quality is high, if a little pricey. This year’s offerings included workshops on everything from reverse engineering to building secure websites.
In a somewhat unusual move, the conference proper kicked off with two simultaneous keynote addresses (in different locations). I can only guess that a few stragglers heard Tony Sager of the NSA speaking, as it was standing room only (with overspill into at least two other rooms) during Richard Clarke’s keynote.
Richard Clarke, former US government member and advisor on security to four consecutive US presidents from Regan to G.W. Bush, was an engaging speaker and pushed all the right buttons, although ultimately he gave little more than an extended plug for his new novel. His vision of a dystopian (and less than secure) future was peppered with amusing anecdotes, subtle (and not so subtle) digs at the current US administration, and an exhortation to get involved in the debate – to depoliticize it so that real progress can be made. One point that I felt was right on the button (if rather obvious) was that many of the new technologies being developed are based on the assumption that ‘cyberspace’ is secure, and that as we build more of our economy to be reliant on connected systems, we face an increasing likelihood of more costly and more disastrous compromise.
So, with the tone set for the conference (and suppressing a smile at the irony of there being no copies of Mr Clarke’s novel in stock ready for signing after his speech), I headed off to the first session I’d picked from the day’s eight-track program.
One of the features, and probably the greatest appeal, of Black Hat is that it is unashamedly hardcore in its technical depth. None of the sessions on offer are for the faint of heart, and the wares on offer here range from the presentation of new exploits to forensics designed to discover exploitation. The first session I attended, Dan Kaminsky’s excellent ‘Design reviewing the web’, introduced the rather wonderfully named ‘Slirpie’, which enables DNS rebinding attacks, and effectively allows VPN access to protected networks via a lured web browser. This session also brought with it my favourite quote of the conference: ‘When something wasn’t designed to be a security technology, don’t be surprised if it doesn’t act as one.’
Another feature of Black Hat is the frequent conflict one experiences in choosing sessions. With so much on offer, it’s impossible to see everything and, as with the famous Las Vegas resort buffet meals, one must pick and choose – but sometimes the choices are hard. Fortunately, Black Hat records all of the sessions on professional audio visual equipment, and makes the unedited footage available. For the next session I was torn between the unveiling of Phil Zimmermann’s Z-Phone technology – a method of securing VoIP – and the next shot in the escalating spat between Joanna Rutkowska and the anti-malware industry with her pills of various colours. In the end, I reached a compromise and briefly attended both – most presentations are an hour and fifteen minutes long, which makes this more feasible than at other conferences.
The rather provocatively titled ‘Don’t tell Joanna, the virtualized rootkit is dead’ was really an extension of Peter Ferrie’s excellent paper presented at last year’s AVAR conference, in which he demonstrated a multitude of attacks against virtualization software. Here, the speakers (rightfully acknowledging Peter’s work by including him on their panel) presented what seems to be a very reliable way of detecting virtualized rootkits. I didn’t see the culmination of this presentation, but it was enough to raise my interest in the presentation later in the day by Rutkowska and Alexander Tereshkin on subverting the Vista x64 kernel, promising new details on virtualized malware. Ultimately, Rutkowska and Tereshkin’s presentation was to prove a little disappointing, as it did not directly answer the questions raised by the earlier presentation, but it did serve to show that there are plenty more fireworks to come from that department.
Other presentations of note were a marathon two-and-a-half-hour session on tactical exploitation given by HD Moore and Val Smith, in which there was pretty much standing room only, and an interesting examination of the ‘Tidal waves of malware’ given by Stefano Zanero.
The second day kicked off with a speech by one of my favourite authors, Bruce Schneier. Always controversial, provocative and amusing, Schneier presented some fascinating facts and figures garnered from experiments in human psychology and economics. What does that have to do with computer security, one might ask? Almost everything – the rather cogent point being that the way in which people behave has a huge impact on how they react to situations. A feeling of security does not equate to security, and vice versa. Some of the results Schneier showed were so counter-intuitive that there were occasional audible murmurs of surprise as he presented them. You may or may not agree with Schneier on everything, but we ignore him at our peril.
With a nine-track program, there was even more to choose from on day two than on the first day, and I kicked off with a duo of presentations in the Reverse Engineering track, the first – ‘Covert debugging’, featuring Danny Quist and Val Smith of Offensive Computing – demonstrating a tool for removing armouring from malware, and the second, on a similar theme, presented by IBM ISS’s Mark Vincent Yason, looking at some advanced unpacking techniques.
Later in the day I took in the Anti-Spyware Coalition panel discussion, an interesting presentation on how Microsoft is using the knowledge it gains from exploits to improve its MSRC updates, and Mikko Hypponen’s presentation on the status of cell-phone malware.
Discussion of the content and good and bad points of each presentation I managed to get to would be redundant, but I hope that I’ve conveyed the flavour of the conference, and encouraged more VB readers to attend.
When I go to Black Hat, I feel challenged, and constantly stimulated by the incredible inventiveness of people in this industry and the wider security world. Such events can take us out of the everyday of work that so often blinkers our view of the world, and can put us right into the boiling flow of technology, innovation and madness that erupts from the volcano of modern computer technology.
Such conferences are also excellent opportunities to network, meet new people and rediscover old friends. In some ways, as much can be learnt over a frozen Margarita taken in the fractionally cooler late Las Vegas evening as in the most technical sessions. Finally, I have to thank the person who got me the rarer-than-hens’-teeth entry pass to the Microsoft party in the exclusive Pure nightclub – cheers!
Black Hat is traditionally followed by DEFCON, which is pretty much the same as Black Hat, but with a scruffier T-shirt – I’ll leave it to fellow anti-virus miscreant David Perry to provide the details.
I was addressing a company meeting at the Hard Rock Hotel in Las Vegas on the morning of August 2nd, the day before DEFCON began. ‘We have to discuss how to handle this,’ I said, ‘Who is going to pick up the badges?’
DEFCON badges are a sight to behold. Each year they are different: stamped metal, electronic, liquid-filled, holographic, lensatic, anime, and for the last couple of years they have been in limited supply. You have to get up early to acquire the genuine article, or end up with a lovely, but surely second-rate substitute.
The second interesting thing about DEFCON is the registration. Those who have attended many COMDEX, CeBit and N+I shows in the past will recall mighty questionnaire-style registration forms, intended to determine how best the organizers can sell your soul to marketing departments: What hotel are you staying at? How many people work in your company? What is your shoe size? What really happened on grad night? It’s like a Russian visa application, only more intrusive – but not at DEFCON.
Waiting in line to register for DEFCON, you notice that nobody is wearing a tie. Most are wearing T-shirts (printed with slogans like ‘ALL YOUR BASE ARE BELONG TO US’ and ‘THE SUN IS TRYING TO KILL ME’) and jeans or shorts. Hair is in evidence of colours not found in nature. There’s a guy dressed like Gandalf, multiple utilikilts, lots of unusual sunglasses. This crowd is dressed for a rock concert, or a Burning Man, and then you get to the end of the line.
‘I’d like to register for DEFCON, please…’ is barely out of your mouth when the goon (people working at DEFCON are designated goons) sticks out their hand. ‘Hundred dollah’, they intone, and you drop the Benjamin into their waiting mitt. ‘Here,’ they reply and shove a whole fistful of stuff at you. There’s the badge, batteries for the badge, a CD of the presentations, a schedule and a collectable sticker.
The badge is a printed circuit board, painted white. The three logos of DEFCON (skull and crossbones, telephone dial and diskette) are visible as board cladding under the white paint (these are actually capacitance switches), as is the word ‘DEFCON’ across the top. Right down the middle is a scrolling LED display and at the bottom the word ‘HUMAN’ (or ‘GOON’, ‘VENDOR’, ‘SPEAKER’, etc.) is cut out of the board in bold letters. On the back are electronic components and available circuit pads for other components. When powered up, the badge lights up with the phrase ‘I [♥] DEFCON 15’.
The badge itself is hackable. There are technical notes available for the badge and the keynote is all about it and what other components are available for sale so as to make a more complicated badge. There is a prize for the best hack. Some attendees spend the whole conference at a table drinking soda with a smoking soldering iron in one hand, hacking the badge. Others get involved in digital capture the flag (hacking a secured server). Still others compete at picking locks, or play ‘spot the fed’, a game where one attempts to identify one of the many federal agents lurking at the show. Others hang out at the dunk tank, play hacker Jeopardy or buy surplus electronics, hacking tools, black T-shirts and lockpicks in the best dealer room ever.
But this is a technical conference, and a damn serious one at that. Six separate tracks run non-stop for 12 hours each of the first two days, and six hours after that. Too many speakers for anyone to see – six times over! There is a wide range of topics, from ‘Security by politics: why it will never work’ to ‘SQL injection and out-of-band channelling’ to ‘Creating and managing your security career’. Big names behind some of these include Dan Kaminsky, Gadi Evron, Steve Christy, and a large percentage of those who have just presented at the smaller, more sedate, more expensive (and, just entre nous, less fun) Black Hat Briefings. There are panels of federal agents, the EFF and disclosure experts. There are also some presentations by people who don’t know they are repeating decades of other people’s work. This field of study attracts more people every year, and DEFCON welcomes N00BZ, and then PWNS them to the Wall of Sheep!
Best noted trend: more malware was discussed and analysed this year at DEFCON than in years past. Once considered the lowest form of hacker life, malware (in all its many forms) and the prevention, detection, removal and analysis of the same has, in many ways, become the lead story at DEFCON. My favourite presentations included those on trojans, botnets and web-based threats. But, as noted before, there was too much to see.
The best answer for this is the conference DVD. I went for the ultra deluxe total coverage DVD, which covers every presentation of both Black Hat and DEFCON with synchronized audio. This left me free to cover all my (daunting) bases on both shows. The DVD costs around $500.
A show like this is great for networking, for meeting old friends and making new ones. To quote Linux guru James Dennis ‘the real action is always in the hallway track’, and I spent a good deal of time there as well. It’s amazing how many people have made computer security their life’s work, and how many newcomers join our ranks each year. DEFCON is not a commercial trade show, and it is not an academic conference. It is an unabashed celebration of the hacking world and all that it entails. I surveyed many people, and asked their opinions about both Black Hat and DEFCON, and the consensus was clear. DEFCON is more bang for your buck, but Black Hat is better for the professional connections you can make.
Everyone’s favourite thing at this DEFCON was the outing of an undercover NBC Dateline reporter, who was then followed out to the parking lot by jeering geeks with video cameras. All good fun, to be sure, and for those who missed it there are several YouTube videos of the excitement (such as http://youtube.com/watch?v=nCvmkxO5hoQ). But there is something here that just doesn’t seem right. Remember that DEFCON doesn’t want to expose or even know the identity of any of its attendees, protecting the anonymity of the ‘hacker community’. So, the question looms: why can’t an undercover reporter have anonymity, too? It’s popular to deride and blame the media nowadays (not without reason), and hackers as a group have been misrepresented to a fantastic degree, but is turnabout really fair play?
A famous engraving from Francisco Goya bears the following inscription:
THE SLEEP OF REASON BEGETS MONSTERS.
Persevere,
David Michael Perry