Tuesday, August 12, 2008

Black Hat USA 2008

So my first Blackhat is in the books. I thoroughly enjoyed it and got to learn quite a bit and get some networking done as well. My only two complaints would be first, that it was completely overcrowded on the 4th floor and that made getting to a session very difficult. The second being that classic conference paradox. A lot of the great topics with new material were presented by people with poor public presentation skills, whereas alot of the great speakers presented either old stuff or no real useful content. That aside it was a hoot.

I started the week attending a Malware Analysis class by Mandiant which was excellent. They basically crammed a 4 day course into 2 days, so it moved very quick and had lots of content and labs. The teachers were extremely knowlegeable and were able to convey the material well. My only suggestion would be that they should have spent more time on Ollydbg, but with the labs I can do that on my own time. They did spend extensive time using IDAPro, which helped me understand assembly code structures much better. I would highly recommend this course.

The first keynote speech by Ian Angell was very funny, but essentially preached an anti technology message which I think is mostly pointless considered the techno-geek audience. He did have some really fascinating quotes though. My first presentation was Bad Sushi: Beating Phishers at Their Own Game. While presenting nothing new, they did provide much comedy and insight into how spammers routinely try to rip each other off. They also showed an insane toolkit that traffics in the spam underground that basically contains knock off sites for every large bank in the world. Of course the next session was the highly anticipated DNS Goodness by Dan Kaminsky. This has already been covered to death, so I will only add that it was worth the wait and Dan is the man. Next I attended The Four Horsemen of the Virtualization Security Apocalypse by Chris Hoff. This was probably the most useful and timely presentation I attended. Chris is a good speaker and I enjoyed how he detailed the current shortcomings of virtualization, while also pointing out VM myths as well. In a nutshell, the HA functionality is not there to do anything more then server/desktop virtualization. Beyond that, you are rolling the dice with your availability and network capacity.

After that I hit up Bruce Potter's presentation on Malware Detection Through Network Flow Analysis. This guy is a bad ass and a very good speaker, but he provided nothing relevant in his talk, unless you didn't know Net Flow existed. My last session of the day was Reverse DNS Tunneling Shellcode by Ty Miller. Ty debuted his dns tunneling tool and also a very cool project to create a consolidated framework for shellcode. Once it gets up and running it, check it out at http://projectshellcode.com/ . I liked his talk alot, especially how he demonstrated various attacks through a corporate DMZ. The day ended with beer and pizza, yay!!

Leading off the second day was a keynote by Rod Beckstrom of the newly created NCSC. His talk was very interesting and had a historical twist to it. I agree with him 10 million percent that the best chance to make a security significant impact is to upgrade our protocols which are mostly outdated. My first session of the day was No More 0-days by Ohad Ben-Cohen. He showed off a cool new tool called Korset, which will basically create a control flow graph for any Linux compiled binary which prevents anything out of the ordinary from occuring. I like this technology and would like to see it integrated into a windows based AV suite. My only issue with the tool is that it only works based off system calls and doesn't check parameters. So it would be easy to circumvent by creating your own CFG and passing malicious parameters. Very good work though. My second talk of the day was Visual Forensic Analysis and Reverse Engineering of Binary Data by Greg Conti and Erik Dean. They debut 2 new cool tools aimed at shortening the time it takes to inspect a huge file at the hex level. Basically it helps you quickly find areas of interest in a file, as well as lending it self to repeating patterns that can be used in the future once identified. Next I attended Secure the Planet! New Strategic Initiatives from Microsoft to hear the latest from Redmond. I only heard the first half, but they are expanding their vulnerability research efforts to include 3rd party products and adding an exploitability index to their black tuesday reports. I LOL'd when they referred to black tuesday as something stupid like feature upgrade day. I had to cut this meeting short to head over to Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation by Eric Laspe and Jason Raber. Its a very much needed IDAPro plugin that can save us tons of time. I wrapped up the conference by listening to Bruce Dang's talk on Methods for Understanding Targeted Attacks with Office Documents. Bruce is smart as hell, but talked way too fast. He walked through a few of the office documents headers and structure and demo'd an attack. Also, he did mention that many of the current attacks could be avoided by either installing MOICE, Office 2K3 SP3, or Office 2K7.

On Friday, I was able to make it to most of Defcon. Those badges are freaking sweet. The talks there were mostly the same, but had a much more relaxed, less corporate feel. For only 125 bucks, Defcon is a steal when compared to 1500 for Blackhat. Thats all for now and back to your regularly scheduled programming.

No comments:

Post a Comment