What's in store for Black Hat Feb. 28-March 1?
We've got digital forensics—will Jim Christy, forensics expert to the DOD, challenge attendees to break the encryption of the hardware encryption chip used by Vista? Maybe—stay tuned, because he tells me there's definitely going to be some kind of challenge!
David tells me we're going to be hearing about new Oracle attacks that didn't even make it into his most recent book, “The Oracle Hacker's Handbook.” That includes such sins as advanced PL/SQL injection, exploitation, cursor snarfing, defeating virtual private databases and indirect privilege escalation.
For all you data seepage fans, there's Errata, with CEO Robert Graham set to show use of a tool they've cooked up to pick up all the supposedly trivial data you're seeping wirelessly or even wiredly—along with how it can be used for corporate espionage and other fun hobbies.
Meanwhile, Dr. Jose Nazario, Senior Security Engineer at Arbor Networks, is going to share lessons learned from trailing botnet attacks. All this and more, more, more!
But before we delve into the details I shamelessly weaseled out of presenters, here's the conference lineup you can see for yourself. Now, this isn't the big Vegas Black Hat in July—this is the smaller DC one (Arlington, Va., actually), focused on government and enterprise issues.
That means we've moved away from pure Vista, pure rich-sponsor Microsoft, back to the basics: hardware/sub-OS, enterprise impact, software security and binary analysis, and forensics (that's what Jim Christy's doing, with the opening keynote, “Cyber Crime and the Power of Digital Forensics.”)
You might remember that the last big Black Hat was pre-Vista, and it was more or less pure Vista.
This time around we'll see far fewer pure Vista sessions, one exception being Symantec Research Scientist Ollie Whitehouse's two-part session on GS (a compiler option introduced in Visual Studio 2002, used in some binaries in Windows Vista 32-bit as a defensive mechanism) and ASLR (Address Space Layout Randomization) in Vista.
The second section deals with ASLR implementation in Vista, about which Symantec promises “some surprising results.” That sounds a bit too tantalizing to pass up, so stay tuned to Security Watch to hear what those surprising results might be.
I chatted with Jim Christy—the director of Futures Exploration for the Defense Cyber Crime Center, responsible for the research and development and test and evaluation of forensic and investigative tools for the DOD Law Enforcement and Counterintelligence organizations—about his keynote.
His presentation will be similar to his last Black Hat presentation, as he tries to get across how ubiquitous digital forensics are today, as well as how desperately we need law enforcement professionals trained in the techniques of digital forensics—techniques that are now recognized and regulated internationally.
He's also after the private sector to come up with better tools to struggle through the oceans of data people like him encounter during investigations into child porn, phishing, computer intrusion and just about any flavor of crime nowadays.
That gets us back to his challenges. And back to Vista. During his last presentation, Christy threw out this challenge to the audience: Come up with a way to read data off a CD that's been physically broken into pieces. To date, the center has received solutions from 11 teams. This year he'll throw out another challenge. He hasn't figured out what that will be yet, but Vista and hard drive encryption could be the theme.
“Vista is a major challenge for security purposes,” he told me. “Now, it matches your data to the motherboard on the computer. There's a chip on board that will do hardware encryption. For law enforcement, it will change how we do forensics. If a hard drive is encrypted and we get a dead box … it will remain dead unless you have the key to get into it. … We're being told by government agencies and Microsoft that you can't break the encryption. Obviously, that's going to be one of our challenges. We want somebody to break that puppy for us.”
Errata CEO Graham, for his part, is looking to drill into some enterprise skulls how seemingly trivial information can be used quite satisfactorily by hackers. This is data seepage we're talking about: the exposure of data that seems innocent. That differs from data leakage: i.e., sensitive information that companies know they don't want to have stray away.
A recent example of data seepage is how reporters found out about the Iraq war before it happened. Namely, they managed to extract information about the rate of pizza delivery from workers at pizza shops near the Pentagon. Lots of intense meetings, lots of pizzas.
An example of digital data seepage closer to enterprises' hearts would be this scenario: Your CEO is in the airport lounge. She was previously logged in to the company's network. When she sits down for a drink, her chatty laptop starts looking for access points so that it can reconnect.
A hacker with the right tools could find out where she's been, physically, by looking at the access points she's trying to connect to. An eavesdropper could map the corporate network and within moments build up a complete picture of who this person is by monitoring the wireless network, Graham told me.
The answer? It isn't a question of a silver-bullet security product, nor is it a question of user behavior modification. The problem is that activities such as reconnects are happening automatically, Graham said, with users being unaware of what's happening.
“It's more a tradeoff,” Graham told me. “You have the ease of use of the laptop, with things happening automatically, versus making the laptop harder to use.”
Graham will be demonstrating how the data eavesdropping can be done, and he'll be showing just how much eavesdroppers can find out.
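As an added illustration of the reconnect scenario above (not from the article and not Errata's tool), here is a defender-side fleet audit: run over logs from an organization's own wireless sensors, it shows which corporate laptops are broadcasting their remembered-network list and what that list would reveal off-site. The log format, the SSID names and the sample lines are all constructed assumptions.

```python
"""Fleet audit for the laptop 'data seepage' scenario (added example).

Assumed input: constructed log lines in a hypothetical wireless-IDS format
('probe-req client=<MAC> ssid="<name>"'); a real sensor's format will differ.
"""
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not a real capture).
SAMPLE_LOG = """\
2007-02-27T09:01:02 probe-req client=00:11:22:33:44:55 ssid="CORP-WLAN"
2007-02-27T09:01:02 probe-req client=00:11:22:33:44:55 ssid="Home-Net-7"
2007-02-27T09:01:03 probe-req client=00:11:22:33:44:55 ssid="Airport_Lounge_Free"
2007-02-27T09:01:04 probe-req client=66:77:88:99:aa:bb ssid="Airport_Lounge_Free"
2007-02-27T09:01:05 probe-req client=00:11:22:33:44:55 ssid="CORP-WLAN"
2007-02-27T09:01:06 probe-req client=00:11:22:33:44:55 ssid=""
"""

LINE_RE = re.compile(
    r'probe-req client=(?P<mac>[0-9A-Fa-f:]{17}) ssid="(?P<ssid>[^"]*)"'
)


def probed_ssids(log_text):
    """Map each client MAC to the set of named SSIDs it probed for.
    Empty SSIDs are broadcast probes and disclose nothing, so skip them."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("ssid"):
            seen[m.group("mac")].add(m.group("ssid"))
    return seen


def seeping_clients(log_text, corporate_ssids):
    """Return {mac: [non-corporate SSIDs]} for each client that identifies
    itself as a corporate laptop (probes a corporate SSID) while also
    announcing other remembered networks, i.e. the owner's location history."""
    corporate_ssids = set(corporate_ssids)
    result = {}
    for mac, ssids in probed_ssids(log_text).items():
        others = sorted(ssids - corporate_ssids)
        if ssids & corporate_ssids and others:
            result[mac] = others
    return result


if __name__ == "__main__":
    for mac, nets in seeping_clients(SAMPLE_LOG, {"CORP-WLAN"}).items():
        print(f"{mac} announces {len(nets)} non-corporate networks: {nets}")
```

Clients that never probe a corporate SSID are ignored, since the audit is about the organization's own machines; the remedy the article points to is the usability trade-off of disabling automatic reconnection, not a detection product.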
Renowned security researcher Joanna Rutkowska, for her part, is presenting on “Beyond the CPU: Defeating Hardware Based RAM Acquisition Tools.”
Rutkowska last year became the Black Hat lightning rod when she demonstrated a prototype of the Blue Pill—an example of “Stealth by Design” malware that uses virtualization/hypervisor techniques to take over a system without leaving any trail whatsoever—i.e., undetectable malware. This Black Hat star will be a big draw for sure.
“Bypassing NAC,” presented by Ofir Arkin, CTO of Insightix, is a must-attend to my mind, given the continuing question of the flawed security of NACs (network access controls). Arkin promises to present flaws associated with each and every NAC solution presented.
“These flaws allow the complete bypass of each and every network access control mechanism currently offered on the market,” his session description reads.
Stay tuned: The conference runs Wednesday and Thursday, and we'll be there reporting on as much of this as we can cram in.
See something on the schedule you think is a must-attend? Let me know what and why at firstname.lastname@example.org. eWEEK Senior Editor Lisa Vaas has written about technology since 1997.