Impressions from Black Hat, Defcon, BSidesLV and IOAsis

A week has passed since the Las Vegas craziness and we've had some time to write down our impressions about the Black Hat, Defcon and BSidesLV conferences as well as our own IOAsis event.

By Cesar Cerrudo @cesarcer

It was great for me to meet lots of people—some of who I only see once a year in Las Vegas. I think this is one of the great things about these events: being able to talk for at least a couple of minutes with colleagues and friends you don't see regularly (the Vegas craziness doesn't allow long chats most of the time). I also got to meet people personally for the first time after working together and/or communicating just by email, Twitter, or chat. The IOActive team delivered a lot of successful talks that were well received by the public, which makes me proud of our great team and reflects well our constant hard work.
  

By Fernando Anaboldi

Fwknop at IOAsis:

The “Single Packet Authorization” term was first mentioned by MadHat at the BlackHat Briefings in July 2005; however, the first available implementation of SPA was the release of fwknop in May 2005 by Michael Rash. Basically, it grants access to a service upon receiving a particular packet.

We had the opportunity at the IOAsis to attend a fwknop presentation given by Michael Rash. The tool is currently capable of performing several useful things:

·         It allows you to hide a service on a “closed” port.

·         It lets you create a “ghost service” where a port switches for a short period of time to whatever service is requested within an SPA packet (e.g. SSHD)—and it doesn't seem to be susceptible to replay attacks like a normal port knocking implementation would.

·         And the list goes on.

Hidden and obscuring available services on external networks looks like a first interesting line of defense, and fwknop seems to be the leader in that field.

By Ian Amit @iiamit

BlackHat/BSides/Defcon Week: Finding My Peace

After finally recovering from a week (which felt like a month) in Vegas, I can safely say that I found my peace. Although it was one of the more hectic weeks I've had this year—and the most successful BlackHat/BSides/Defcon personally—I managed to find myself in a better place professionally, socially, and generally. How did this come about?

Although BlackHat has been wandering the past few years between what it used to be—a highly professional security conference—and what it started to become (for me at least)—a vendor dog-and-pony show—I thought the new format of tracks focused on different security elements made a difference in how attendees approached the topics. Additionally, the arsenal pods allowed more free-form presentations and discussions on new technologies and ideas while capitalizing on the hallway-track that conferences so famously miss out on.

My schedule really put me in a position to appreciate the entire spectrum of our amazing community: speaking at BlackHat first thing in the morning after the keynote, switching gears to volunteer for the security staff at BSidesLV, and then speaking at BSides. From the more polished feel of BlackHat to the relaxed atmosphere of BSides, from a stressful speaking slot to giving back to the community, it just made perfect sense…

Having a chance to get together with people I consider friends online and offline was another critical aspect of my week in Vegas. Although some of these meetings were ridiculously short, the energy, and the relationship boost they gave was invaluable. A critical part of being in information security is the ability to work with industry peers in ways that nurture critical thinking, innovation, and peer-support (and criticism). Being able to throw around research initiatives; explore new elements of the information security world; and talk about business, government, international relations, law, economics, physical security, and other crazy aspects that we all need to take into account is a must-have in an industry that has almost zero-tolerance for failure.

Wrapping it up with a massive Defcon attendance, talks, and of course the occasional party was the cherry on top. Although some nights felt more like work than play, you won't hear me complaining because even though party hopping between 4–5 venues to catch up with everyone really took its toll physically, I got to see a beautiful sunrise over the desert.

Last but definitely not least, getting the chance to meet with co-workers from around the globe was a great experience made possible by working for a company large enough to have people in almost every time zone. So, being able to do that against the backdrop of an amazing Freakshow party (thanks again to Keith Myers and Infected Mushroom) just made all the talks about exploits, kernel space vulnerabilities, counter-intelligence, and social engineering that much more appropriate :-)

Until the next Vegas, stay safe!

By Eireann Leverett @blackswanburst

This blog post (or is it blog posts?) isn't about the talks we gave, and IOActive gave plenty. No, this is my chance to point you to a few key talks you missed. Maybe you were there and busy doing your own talk. Maybe you couldn't afford to fly to Vegas. But whatever the reason, here's three talks you should be aware of.

STIX by Sean Barnum.  Information Sharing is all the rage in ICS security and there are many complaints that we don't get enough threat intelligence. Personally, I know plenty of people doing good intelligence sharing, but it is informal. In a related blog post, DigitalBond rightly asked last week, 'What do you want?' (1) with respect to information sharing. (Be sure to read the comments as well.) Well, I want metrics from information sharing. I want to know the numbers of vulnerable systems, and I want to know the numbers of threat actors and attacks. I want this information generalized and sanitized so it is easy to read, and I want it to be based on verifiable and empirical data. Most importantly, I want to watch change over time so we can scale our defensive resources accordingly.

Will these metrics be perfect? No, but to use a metaphor, crime statistics are imperfect too, and yet we measure our policies and policing by them. So, instead of sending emails to friends, what can we do as an industry to progress systemically? Enter STIX (2). This is a long-term vision project, but I hope it gathers steam and I will be watching the project carefully. Unfortunately, all these projects will follow Metcalfe's Law, which is why when I see something I like I try to encourage early adopters. Good luck to MITRE and Sean Barnum—this will be long, hard work, but if they find a format of automatable and structured information it will help immensely.

(1) https://www.digitalbond.com/2012/08/02/information-sharing-what-do-you-want/

(2) http://measurablesecurity.mitre.org/docs/STIX-Whitepaper.pdf

DivaShark by Robert Deaton.  The next piece I want to bring to your attention is an open source project called Divashark. It's meant to replace WireShark for one very specific task: *LIVE* network analysis. The author of the code, Robert Deaton, said in his talk that everyone used WireShark in the Capture The Packet contests at DefCon. While it's the standard, it's too noisy for rapid live analysis. I tend to agree.

While Wireshark is brilliant at completeness and providing every protocol I could possibly need, sometimes I want fast filtering and re-filtering. I want to see the traffic as close to live as possible and I change my mind about what I'm looking for as the situation progresses. This means I need fast and easy filtering instead of completeness. If you're interested in live network forensics, keep an eye on this project. Unfortunately, the code has not been released yet, so all I have for you is this abstract (3).

(3)  http://khanfu.org/m/plain/21/event/1370

Hackers + Airplanes by Brad "RenderMan" Haines.  I want to credit Brad for an excellent and thought-provoking discussion of Air Traffic Control Systems (4).  The talk can be summed up succinctly for security folks: unencrypted and unauthenticated standards in commercial aircraft identification. I think that's worth repeating: UNENCRYPTED AND UNAUTHENTICATED COMMERCIAL AIRCRAFT LOCATION AND IDENTIFICATION SYSTEMS.

I think it spoke volumes that the nervous guy sitting next to me was from the FAA. One of the other fantastic things about this researcher is all the credit he gave to others in the community who preceded him or did similar research (which you can see in the slides). I respect that, and so tip my hat to him.

(4)  http://korben.info/wp-content/uploads/defcon/SpeakerPresentations/Renderman/DEFCON-20-RenderMan-Hackers-plus-Airplanes.pdf

By Stephan Chenette  @StephanChenette

Not everyone starts off their first week at a new security research position in Vegas, at BlackHat, drinking, networking, and meeting up with some of the top security consultants and research minds in the industry, but that's exactly how my first week at IOActive went down as the new Director of Security Research and Development.

There were a ton of great talks and tools at BlackHat and Defcon, but here are a few personal highlights and favorites:

· Presenting at IOActive IOAsis: “The Future of Automated Malware Generation.”  A shorter version of a technical/philosophic presentation about where I believe malware defense, detection, and offense are headed

· The “Occupy Burp Suite” presentation by James Lester and Joseph Tartaro “Informing the 99% of what the 1%'ers are knowingly taking advantage of”

· Neil Stephenson’s BlackHat keynote. How cool was it to have Neil Stephenson as a keynote speaker!

· Charlie Miller’s NFC presentation.  Charlie shares some of the cooler application layer bugs he found while researching the NFC attack surface.

· Dan Kaminsky’s BlackOPs presentation “The Reality of Defense…Not enough science”

· Iftach Ian Amit's “Sexy Defense” presentation.  “Can’t defense be as sexy as offense?”

· Cody Brocious’s presentation on hacking into key card-protected hotel rooms.

· Shreerah Shah's HTML5 Top 10 Threats presentation.  Be aware of the potential malicious use of XHR object, allowing cross origin request and binary upload/download.

· •Ivan Ristic's presentation on WAF evasion and accompanying tool.  Both this and the HTML5 presentation remind me of my Script Fragmentation presentation in 2008, but Ivan’s work is much more advanced and definitely worth checking out!

· Rodrigo Branco's "The Empirical Study of how Malware Employs Anti-Debugging, Anti-Disassembly and Anti-Virtualization Technologies."  Good stats on malware and anti-detection techniques.

· Microsoft’s Bluehat competition and prize winners prize.

· The BlackHat Tools Arsenal.  Although there are great tool lists on SecTools.org, BlackHat Arsenal always has a good list of new tools to check out. I plan to test the following tools more extensively:

oPeda [slides] - exploitation with python/gdb

opeePDF - tool to explore PDF files

o..cantor.dust.. - interactive binary visualization tool

oKautilya - toolkit and framework which allows usage of USB Human Interface devices in penetration tests

oNishang - powershell for offensive security and post exploitation

oVega - open source web application scanner

oWatobo - web application toolbox

oDiggity – Google hacking tools

Overall, it was a good experience. How couldn’t it have been—I spent my first week on the job drinking in Vegas!