Blackhat Briefings 2009 – Las Vegas, NV – Day Two

Day Two of Blackhat

(aka. The Day of the Cloud)

Day two of Blackhat was definitely “The Day of the Cloud”. That and possibly also “Revenge of the Mobile Handset”, but I don’t know enough movie titles to really make this as witty and as crowd pleasing as possible…

In all seriousness, day two was just a tough as day one to do the whole “I want to see X” game. Before we get into that in too much detail it’s worth mentioning the size of Blackhat for those who didn’t get to go. I realize I should have done this for day one, but alas I’ve never really followed a check list. Blackhat was held at Caesars Palace. There were 8 tracks on day one and 7 on day two so getting to see everything was nigh on impossible. They were selling DVD’s of the whole show but the only one really worth getting (Blackhat + DefCon Combo) was $499 !!! For someone coming from South Africa, already on a shoe string budget (read company per diem) this was just a non starter. I guess we will just have to wait the 4 months or so before they release it to the public and download…

Moving swiftly forward…

Great talks for day two:

Fuzzing the Phone in Your Phone: Charlie Miller and Collin Mulliner

Yes, they dropped 0-days. Yes, they provided great technical details and yes, I was able to follow most of it even though I know a dangerous amount about the mobile platforms. Charlie and Collin dropped a huge amount of really great info on the iPhone, Windows Mobile and Android platforms. Their talk on how they actually fuzzed the phones to get the required data for the 0-days was not only technically useful enough to do the work required but got me very interested in the topic. Needless to say, people were turning off their phones in the audience and the live demo worked like a charm. Being an iPhone user (read fanboy) I am more than a little concerned. Yes, Apple did patch the SMS vulnerability the day after, but really, how many people are THAT efficient at patching their phones. This is definitely a talk to check out when it’s available…

Clobbering the Cloud: Haroon Meer, Nick Arvanitis, Marco Slaviero

I was fortunate enough to not only catch the SensePost guys at this years ITWeb Security Summit and again they proved why they’re at Blackhat year after year. Haroon and the guys gave not only a very technical but entertaining talk on how they simply broke a number of the main stream “cloud” applications. I won’t go into too much detail as it was a fairly technical talk with some very scary demos done. If you think the main stream cloud applications are secure and you don’t really need to worry about putting your “stuff” into the cloud, watch this talk. Then lock all your data in a nuclear bomb shelter in Alaska. This talk just re-enforces my lack of trust for “the cloud”. Charl and the guys from SensePost did South Africa proud. Keep up the great work guys…

I did attend most of the much hyped Cloudburst: Hacking 3D and Breaking out of VMware but to be honest the speaker wasn’t very engaging and I did lose interest. We know that Cloudburst works and is available for a fairly significant fee in the CANVAS Framework by Immunity. It does change the game again completely but this goes with the whole theme I took away from Blackhat, EVERYTHING is broken in some way or form and to some degree we’re building “secure” protocols over very insecure protocols…but that’s a story for another day.

Wrapping Up

In all Blackhat Briefings 2009 was very very cool. For someone coming from South Africa, the WOW factor was huge, not only in coming to Las Vegas, but simply the scale of the talks. Having 8 tracks on the go at the same time in some very big rooms AND having them fill up to the brim with some of the most intelligent people on the planet was simply awesome. What I find coming away from events like this isn’t just all the “cool tech” and great talks, it’s that feeling of “wow, I actually know NOTHING.” and that’s not a bad thing. It revs me up to get back into learning, reading books, listening to podcasts and generally expanding my base of knowledge. I’m hoping to use what I learned not only in giving talks to anyone interested in Durban but also to people in my workplace. Security awareness is of vital importance in this day and age and going to Blackhat gives me fuel for this engine.

Will I be back next year ?

You better believe it.

Blackhat Briefings 2009 – Las Vegas, NV – Day One

Getting Started

Late July I was lucky, nay privileged enough to be one of the few South Africans making the yearly pilgrimage out to the hot as hell desert of Las Vegas, Nevada for Black Hat Briefings ’09. It’s the more “corporate”, main stream version of DefCon (which I will talk about later). There were some great talks and looking through the program on the Tuesday before the con opened officially I realized doing the “pick and choose” was going to be akin to choosing between Angelina Jolie and Scarlett Johansson.

Here’s a quick tip for you. Pitch up the day before registration. You will get your badge and bag and all the accompanying goodies and you won’t have to sit in huge queues for the majority of the opening day. This theme was to be repeated for the entire weekend of DefCon. With that said, the registration and general running of the entire conference was handled much like the Swiss make watches. Very well done there guys…

Now I’m not going to go through everything, simply because there is just too much to go through.  What I will do is pick some of my favourite moments or talks and share that madness with you. Needless to say the vendor area was huge. There were more free t-shirts, free bags and other detritus with a logo or witty saying on it than you could shake the proverbial stick at.

Overshadowing Themes

There were a number of themes that seemed to take focus over the course of the two days that make up Blackhat. Yes there were the usual privacy, exploitation and legal type talks but above this came these topics. I believe it’s because of the way we as an Internet using community are going but perhaps there is something more to be said. I’ll leave that for you to decide..

• Rootkits – not your run of the mill rootkits either. Advanced rootkits for Mac OS X comes to mind.
• Mobile – Aside from Charlie Millers talks on the iPhone/SMS vulnerability
• Cloud / Virtualization – Not just a generic overview

Day 1 Highlights :

I went to: Veiled – A Browser Based Darknet        (I wanted to go to: Stoned Bootkit)

While Billy and Matt didn’t release any code which was a little disappointing, their talk was technical enough that anyone with more than two braincells (the entire audience) could come up with some workable proof of concept. The general idea was to use web browsers to create a darknet without the need for a central server that isn’t under the control of the darknet operators. It also allowed for the quick construction and destruction of the darknet. Very cool ideas and with some very interesting real world applications. Let’s hope the guys can get through the HP red tape and release their code sometime.

Note: The 11:15-12:20 slot was impossible to go to simply because out of the 8 tracks I wanted to go to 6 of the talks. This was the first time this happened, but it was by no means the last. All I can say is thank GOD for DefCon17

I went to: Weaponizing the Web            (I wanted to go to: See note above)

Nathan and Shawn gave a great talk on CSRF and how it’s still in use today. There were some great examples and they also released their tool MonkeyFist. There were examples on SocNets, blogs and the various Wikis floating around the ‘net these days. Aggregated news also featured in their rants on the general fail of user generated content.

“Complexity breeds exposure…”

Awesome talk of the day: Moxie Marlinspike – More Tricks for Defeating SSL

This was one of those talks where he builds you up, feeding you enough to keep you interested until it hits you in the face and you go “Daaaammmmnnn….there it is. We’re screwed.” There was talk about sslstrip and the new improved sslsniff. Both very cool tools to check out, if only to re-enforce the “Oh my god SSL is very broken” feeling. Add this talk to the one Dan Kaminsky gave directly after and you have a very good case for not trusting the foundations we seem to build all of our security houses on.

End of Day One.

I was going to put all of Blackhat into a single blog post, but looking at this length of this post, I see that’s not going to be possible. Tune in later for Day Two.