Skip to main content

Black Hat USA 2008

So my first Blackhat is in the books. I thoroughly enjoyed it and got to learn quite a bit and get some networking done as well. My only two complaints would be first, that it was completely overcrowded on the 4th floor and that made getting to a session very difficult. The second being that classic conference paradox. A lot of the great topics with new material were presented by people with poor public presentation skills, whereas alot of the great speakers presented either old stuff or no real useful content. That aside it was a hoot.

I started the week attending a Malware Analysis class by Mandiant which was excellent. They basically crammed a 4 day course into 2 days, so it moved very quick and had lots of content and labs. The teachers were extremely knowlegeable and were able to convey the material well. My only suggestion would be that they should have spent more time on Ollydbg, but with the labs I can do that on my own time. They did spend extensive time using IDAPro, which helped me understand assembly code structures much better. I would highly recommend this course.

The first keynote speech by Ian Angell was very funny, but essentially preached an anti technology message which I think is mostly pointless considered the techno-geek audience. He did have some really fascinating quotes though. My first presentation was Bad Sushi: Beating Phishers at Their Own Game. While presenting nothing new, they did provide much comedy and insight into how spammers routinely try to rip each other off. They also showed an insane toolkit that traffics in the spam underground that basically contains knock off sites for every large bank in the world. Of course the next session was the highly anticipated DNS Goodness by Dan Kaminsky. This has already been covered to death, so I will only add that it was worth the wait and Dan is the man. Next I attended The Four Horsemen of the Virtualization Security Apocalypse by Chris Hoff. This was probably the most useful and timely presentation I attended. Chris is a good speaker and I enjoyed how he detailed the current shortcomings of virtualization, while also pointing out VM myths as well. In a nutshell, the HA functionality is not there to do anything more then server/desktop virtualization. Beyond that, you are rolling the dice with your availability and network capacity.

After that I hit up Bruce Potter's presentation on Malware Detection Through Network Flow Analysis. This guy is a bad ass and a very good speaker, but he provided nothing relevant in his talk, unless you didn't know Net Flow existed. My last session of the day was Reverse DNS Tunneling Shellcode by Ty Miller. Ty debuted his dns tunneling tool and also a very cool project to create a consolidated framework for shellcode. Once it gets up and running it, check it out at http://projectshellcode.com/ . I liked his talk alot, especially how he demonstrated various attacks through a corporate DMZ. The day ended with beer and pizza, yay!!

Leading off the second day was a keynote by Rod Beckstrom of the newly created NCSC. His talk was very interesting and had a historical twist to it. I agree with him 10 million percent that the best chance to make a security significant impact is to upgrade our protocols which are mostly outdated. My first session of the day was No More 0-days by Ohad Ben-Cohen. He showed off a cool new tool called Korset, which will basically create a control flow graph for any Linux compiled binary which prevents anything out of the ordinary from occuring. I like this technology and would like to see it integrated into a windows based AV suite. My only issue with the tool is that it only works based off system calls and doesn't check parameters. So it would be easy to circumvent by creating your own CFG and passing malicious parameters. Very good work though. My second talk of the day was Visual Forensic Analysis and Reverse Engineering of Binary Data by Greg Conti and Erik Dean. They debut 2 new cool tools aimed at shortening the time it takes to inspect a huge file at the hex level. Basically it helps you quickly find areas of interest in a file, as well as lending it self to repeating patterns that can be used in the future once identified. Next I attended Secure the Planet! New Strategic Initiatives from Microsoft to hear the latest from Redmond. I only heard the first half, but they are expanding their vulnerability research efforts to include 3rd party products and adding an exploitability index to their black tuesday reports. I LOL'd when they referred to black tuesday as something stupid like feature upgrade day. I had to cut this meeting short to head over to Deobfuscator: an Automated Approach to the Identification and Removal of Code Obfuscation by Eric Laspe and Jason Raber. Its a very much needed IDAPro plugin that can save us tons of time. I wrapped up the conference by listening to Bruce Dang's talk on Methods for Understanding Targeted Attacks with Office Documents. Bruce is smart as hell, but talked way too fast. He walked through a few of the office documents headers and structure and demo'd an attack. Also, he did mention that many of the current attacks could be avoided by either installing MOICE, Office 2K3 SP3, or Office 2K7.

On Friday, I was able to make it to most of Defcon. Those badges are freaking sweet. The talks there were mostly the same, but had a much more relaxed, less corporate feel. For only 125 bucks, Defcon is a steal when compared to 1500 for Blackhat. Thats all for now and back to your regularly scheduled programming.

Comments

Popular posts from this blog

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your ...

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l...

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool. A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up th...