Friday, July 31, 2009

From Parking Meters to the Cloud, from SMS to Smart Grids ... Is Everything Broken? -- Report from Black Hat Briefings (Las Vegas 2009)

Las Vegas Strip at Night from the International Space Station (NASA)

Seem like every time you stop and turn around
Something else just hit the ground
Broken cutters, broken saws,
Broken buckles, broken laws,
Broken bodies, broken bones,
Broken voices on broken phones.
Take a deep breath, feel like you're chokin',
Everything is broken
– Bob Dylan


-- Richard Power


From legendary billionaire Howard Hughes to legendary Gonzo journalist Hunter Thompson, Las Vegas has worked its strange magic on many talented people, including cyber security conference entrepreneur Jeff Moss. Back in 1993, Moss held the first DEFCON hackers convention in Las Vegas, and a few years later, in 1997, spun off Black Hat Briefings, which has, arguably, become what its hype trumpets, the "world's premier technical security conference." And although Black Hat now goes on tour to Tokyo, Amsterdam and Washington, D.C., Las Vegas is still home to the main event, both for DEFCON and Black Hat.

Robert Lentz, Chief Security Officer for the US Department of Defense, was one of Black Hat's 2009 keynote speakers. Lentz articulated the goal of a "resilient cyber eco-system" and cited the need for "culture changing in cyberspace." He stressed the role of education in achieving this goal, citing not only the CAE but also the U.S. Cyber Challenge and the DC3 Digital Forensics Challenge. He even alluded to the green movement, and the passion it evoked, and called for "a cyber-green movement." "That is something we could all rally around," he added. It was encouraging to hear the bold vision and the high values, but of course when working within an entity as huge, complex and long-established as the US federal government, delivering is the challenge.

The sessions in the body of this year's Briefings covered attacks on everything from SMS to "the Smart Grid," and from parking meters to "the Cloud."

Dan Kaminsky, a cyber security researcher who typically breaks news at Black Hat, not only broke news this year (see Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat) but was himself the news:

Two noted security professionals were targeted this week by hackers who broke into their web pages, stole personal data and posted it online on the eve of the Black Hat security conference.
Security researcher Dan Kaminsky and former hacker Kevin Mitnick were targeted because of their high profiles, and because the intruders consider the two notables to be posers who hype themselves and do little to increase security, according to a note the hackers posted in a file left on Kaminsky’s site.
The files taken from Kaminsky’s server included private e-mails between Kaminsky and other security researchers, highly personal chat logs, and a list of files he has purportedly downloaded that pertain to dating and other topics.
Wired, 7-29-09

Carnegie Mellon CyLab's Alessandro Acquisti spoke on his team's recent headline-grabbing revelation about how accurately Social Security numbers can be predicted using publicly available information.

Acquisti's message --

The vulnerability presented here is not based on some secret bug hidden inside some software. It is based purely on publicly available data. This reflects the unexpected/unintended consequences of the interaction of complex information systems (i.e., combination of SSN issuance patterns, SSDI, EAB, SSNVS, and availability of personal information) and highlights the need to think past SSNs as authenticators.

(For more on this research, see There is an Elephant in the Room; & Everyone’s Social Security Numbers are Written on Its Hide.)

Moxie Marlinspike offered "More Tricks for Defeating SSL."

His conclusions --

We have a MITM attack that will intercept communication for almost all SSL/TLS implementations.
In the case of NSS (Firefox, Thunderbird, Evolution, AIM, Pidgin) we only need a single certificate.
We've defeated the OCSP protocol as implemented.
We've hijacked the Mozilla auto-updates for both applications and extensions.
We've got an exploitable overflow.
In short, we've got your passwords, your communication, and control over your computer.


(Marlinspike recently spoke at CyLab, see CyLab Seminar Series Notes: The Evolution of A Hacking Tool, Moxie Marlinspike on SSLstrip)

There were two other sessions that I found particularly interesting: Nathan Hamiel and Shawn Moyer on "Weaponizing the Web -- More Attacks on User-Generated Content," and Cormac Herley and Dinei Florencio on "Economics and the Underground Economy." More on them can be found in my full report on Black Hat, available only to CyLab partners in the Intelligence Briefing section of the partners-only portal.

I will also have more to say about Black Hat 2009 as well as the upcoming USENIX Security Symposium in my article for CSO Magazine (August 2009).