Black Hat 2009 conference report

2009-09-01

Andrew Lee

K7 Computing
Editor: Helen Martin

Abstract

Andrew Lee reports from Caesar's Palace on the mammoth 15-track Black Hat conference.



Black Hat USA is really two things: first, a series of workshops and training sessions, followed by a two-day technical conference, which also has an exhibition floor where vendors can display their wares. It draws some of the top security practitioners and speakers in the world, and the keynotes and sessions are usually of a high quality. It is certainly one of the most well-attended conferences in the security industry, and is followed by the cheaper, scruffier (but some would argue, more useful) DefCon hacker conference. Black Hat takes place each year in Las Vegas at the huge Caesar’s Palace casino complex – a place so wonderfully bizarre that, upon visiting, one is reassured that the rest of the world is not quite as crazy a place as one suspected.

The advantage of Caesar’s Palace is that it’s big – really big. It’s big enough to have its own shopping street complete with animated fountains and an aquarium in which you could sink a large warship, and it’s big enough to accommodate the 4,000+ attendees and 15 tracks of conference programme that make up the Black Hat conference. The disadvantage of Caesar’s Palace (at least to someone who is currently mobile only with the assistance of crutches) is that it’s big – really big. Big enough to mean a five- to ten-minute walk between sessions (not to mention the 20-minute walk from one’s room – in the same hotel), for which task one will also need to consult the map supplied in the programme.

Fortunately, the sessions are of reasonable length, meaning that most finish within their allotted time, leaving sufficient time to get to the next session (although you may, even then, be too late to find a space inside the room of a popular session). What’s more, the entire conference proceedings can be bought on DVD, as good quality audio/video recordings showing both the speakers and their presentations. My suggestion to anyone attending is to purchase the DVD to give you the flexibility to pick the sessions you really want to attend (and that might be within reasonable walking distance), while not having to worry about conflicts.

Before any of it starts, though, you have to navigate the very long queues to pick up your delegate badge. This year an RFID badge was supplied along with the printed badge, and was duly hacked in the RFID workshop. As I was handed mine it was suggested that a few seconds in a microwave would take care of any problem. However, since ‘Andrew’ and ‘K7 Computing’ were the extent of the information contained in my badge I didn’t spend much time on that solution, preferring instead to risk the consequences of having my name exposed via RFID (if, for some strange reason, it couldn’t simply be read from the printed badge itself).

Although it was tempting just to place my DVD order and go and sit by the wonderfully tasteless Roman-themed pool, I resisted this urge (the 40C+ heat was also a deterrent) and bravely plunged into the programme.

Presentations

As mentioned, there are 15 conference tracks: eight tracks on the first day, seven on the second, and a keynote each day. Past keynotes have been very good, and are always well attended, and this year was no exception. I couldn’t get in the door for Douglas Merrill’s (EMI, formerly Google) keynote, but it was relayed to several overflow rooms with screens. The crux of the presentation was that most companies get security wrong because they assign the responsibility to the security team, rather than making security the responsibility of each person. The second keynote was by Robert Lentz from the US Department of Defense, but unfortunately I was unable to attend due to a prior appointment with a pillow and warm bed. But, back to day one…

Unfortunately, the first session of the conference proper turned out to be a rather damp squib. Although the speaker has since garnered quite a bit of publicity for some hacking activities at Zurich airport (http://peterkleissner.com/?p=34) and for getting fired from his position at an AV company (http://web17.webbpro.de/index.php?page=peter-kleissner), Peter Kleissner’s talk on the ‘Stoned’ (yes, he really did call it that) bootkit was pretty uninteresting in terms of new information. The one interesting twist was his demonstration that a bootkit, loading before the operating system, can bypass disk encryption (or at least pass information across it) and infect files from outside the OS, but there was little else new in this. It is pretty obvious that you can patch things offline, and as Kleissner admitted, the technique he is using is 20 years old. Technical problems meant that his demos didn’t work, which didn’t help, though one can’t really blame the speaker for that. It is also unfair to criticize an 18-year-old for his presentation technique, particularly in a second language, but his inexperience generally made for a very difficult-to-follow presentation. The paper itself is clearer, and can be found on the Black Hat website.

After that, things picked up considerably and I managed to hit a run of great presentations for the rest of the day. Andrea Barisani and Daniele Bianco, two Italian researchers, gave what was probably the funniest presentation of the conference, including a video performance. Their boundless enthusiasm for the subject was refreshing, and the audience responded warmly as they explained how you could use cheap electronics to pick up keystrokes from a PS/2 keyboard remotely through the mains wiring, since the keyboard’s data line leaks onto the shared ground. Not content with one cool hack, they then showed how they could use a cheap laser microphone to read what someone is typing on a laptop from the vibrations of each keypress – a feat which gains extra points for the use of laser beams.
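As an added illustration (not code from the Barisani/Bianco talk or from this report), the following Python decodes PS/2 keyboard frames from a bit sequence. It assumes the hard part of the attack, turning the mains-coupled leakage into a clean 0/1 stream sampled once per keyboard clock edge, has already been done; the scan-code table is a small constructed subset of scan-code set 2, and the typed text and the single flipped bit are constructed inputs. It shows the framing, odd parity and break-code handling needed to turn recovered bits into text, and how a parity failure drops a corrupted frame rather than emitting the wrong key.

```python
# Added example: decoding PS/2 keyboard frames from a recovered bit sequence.
# Not from the Barisani/Bianco talk or the original report. It assumes the
# mains-coupled leakage has already been turned into a clean 0/1 stream, one
# bit per keyboard clock edge; that acquisition step is out of scope here.

# PS/2 frame on the data line: start bit (0), 8 data bits LSB first,
# odd parity bit, stop bit (1). The line idles high.
FRAME_LEN = 11
BREAK = 0xF0  # prefix byte sent before a key-release ("break") code

# Constructed subset of scan-code set 2 (the keyboard default), enough for
# the sample input below.
SET2 = {0x1C: "a", 0x32: "b", 0x21: "c", 0x23: "d", 0x24: "e", 0x33: "h",
        0x42: "k", 0x29: " ", 0x5A: "\n"}
CHAR_TO_CODE = {ch: code for code, ch in SET2.items()}


def odd_parity(byte):
    """Parity bit value: 1 when the data byte has an even number of 1 bits."""
    return 0 if bin(byte).count("1") % 2 else 1


def encode_frame(byte):
    """Bits as the keyboard puts them on the data line for one byte."""
    data = [(byte >> i) & 1 for i in range(8)]
    return [0] + data + [odd_parity(byte), 1]


def typed_to_bits(text, idle=3):
    """Constructed line trace: make code, then 0xF0 + code (break) per key."""
    bits = [1] * idle
    for ch in text:
        code = CHAR_TO_CODE[ch]
        for byte in (code, BREAK, code):
            bits += encode_frame(byte) + [1] * idle
    return bits


def decode_frames(bits):
    """Return (scan codes, errors). Frames failing parity or framing are
    dropped and recorded as (reason, bit offset)."""
    codes, errors, i = [], [], 0
    while i < len(bits):
        if bits[i] == 1:          # idle line: wait for a start bit
            i += 1
            continue
        frame = bits[i:i + FRAME_LEN]
        if len(frame) < FRAME_LEN:
            errors.append(("truncated", i))
            break
        data = sum(bit << k for k, bit in enumerate(frame[1:9]))
        if frame[9] != odd_parity(data):
            errors.append(("parity", i))
        elif frame[10] != 1:
            errors.append(("framing", i))
        else:
            codes.append(data)
        i += FRAME_LEN            # a real decoder would resync on error
    return codes, errors


def scancodes_to_text(codes):
    """Keep key presses; drop each 0xF0 prefix and the release code after it."""
    text, skip_next = [], False
    for code in codes:
        if skip_next:
            skip_next = False
        elif code == BREAK:
            skip_next = True
        else:
            text.append(SET2.get(code, "?"))
    return "".join(text)


def recover(bits):
    """Recovered text plus the list of dropped frames."""
    codes, errors = decode_frames(bits)
    return scancodes_to_text(codes), errors


def demo():
    """Clean trace recovers the text; a flipped data bit in the first frame
    fails parity and drops that key instead of decoding it as 'b'."""
    clean = typed_to_bits("hack\n")
    corrupted = list(clean)
    corrupted[4] ^= 1             # first data bit of the 'h' frame (0x33 -> 0x32)
    return recover(clean), recover(corrupted)


if __name__ == "__main__":
    print(demo())
```

The parity check is what makes a single mis-sampled bit harmless: without it the corrupted frame would decode as 0x32 and the attacker would log a ‘b’ that was never typed. A decoder working on real leakage would also need to resynchronise on the next idle-to-start transition after an error rather than blindly skipping eleven bits.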

After lunch I took in a smattering of a couple of different presentations, including the rather good ‘Netscreen of the Dead’ by Graeme Neilson, whose presentation included screenshots from many classic zombie movies, providing a good accompaniment to his discussion of creating a trojaned OS for Juniper’s Netscreen appliances.

Heading back to the Rootkits stream, Jeff Williams (not the Jeff Williams many of us know from Microsoft, but rather the CEO of Aspect Security) gave an excellent talk on the dangers of Java applications in the enterprise environment, particularly for financial institutions that are highly reliant on such applications. He showed how little code it takes, hidden inside an otherwise legitimate Java application, to steal data, cause damage or install other malicious programs – something that could be achieved by bribing or coercing a dissatisfied developer.

The second day started out with a great presentation on attacking SMS by Zane Lackey and Luis Miras. It seems I wasn’t the only one interested in their SMS exploits on the iPhone and Google’s Android, as the room was packed, with people standing five deep outside the doors trying to catch what was being said. Their talk centred on problems caused by the phone operating systems failing to validate the source of SMS service messages, meaning that they were able to set up their own servers and have phones pick up messages from there rather than from the legitimate servers. This was only one of several excellent presentations in the ‘Mobile’ track.

Throughout the two days there is also a Panels track, which is always worth a quick look. I took in a few minutes of the ‘Hacker Court’ which examined a fictitious but legally accurate case in a mock trial, which was entertaining if nothing else for the use of a rather amusing British pejorative as the nickname of one of the defendants.

Unfortunately, I had to leave for the airport at lunchtime, so missed the afternoon sessions, but rather fittingly, the conference was rounded off with Mikko Hyppönen speaking on Conficker in the Turbo Talks stream. If nothing else, Conficker has taught us that the security industry will be around for a long time, as we’re still suffering the same problems as we have faced for the last 20 years. I’m sure Black Hat will be around for a long time too, and I hope to see some of you there next year.

The papers from this year’s conference (as well as audio and video material) can be found at http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html.
