Black Hat: The Sessions
Submitted by Mike Rothman on Fri, 2006-08-04 15:01.
If there was one major takeaway I got from the sessions and my conversations at Black Hat, it's that we're pretty much hosed. I've always said that if someone wants to get into your network, they can. But to see it right there in front of you and seemingly so easy is quite an experience. Yeah, I've seen those dueling hacker courses, but for some reason this felt different. It felt real. It was a reminder of the dangers lurking out there in the wild.
I only got a chance to attend three of the sessions, so I tried to split them between understanding the threats and cleaning up the mess with forensics.
I went to a session by Thomas Ptacek and Dave Goldsmith of Matasano about the risks of systems management products. Basically the point here is that management "agents" are basically bots (or zombies). This is trusted code that can pretty much do whatever it wants on the managed devices. Thomas and Dave explained 6 or 7 different ways to break these systems, which would provide access to thousands of devices in a target network. Bet you didn't think of that, eh?
But it underscores the need to pick software carefully. Though they broke into pretty much everything they tested, there were differences in security model and capabilities. Users are still justifiably focused on capabilities for their management applications, but I bet that sooner rather than later, having a verifiably secure agent starts to become a point of differentiation.
I also saw two forensics sessions, since I don't know much about that discipline and it's becoming pretty important, if only to know what kind of data you need to gather and store from the security perspective and to understand the process the investigators go through.
I saw Chuck Willis and Rohyt Belani of Mandiant do a good session about web application forensics and use a couple of real case studies to make their points. There is nothing like real life situations to illuminate the points they were making. I also saw Johnny Long do kind of an intro to forensics, which was interesting. As Johnny pointed out, computer forensics folks don't typically get the blood trails that their CSI counterparts do, but following the evidence is key to success.
I also had a number of conversations about the virtualization topic and suffice it to say, it's non-trivial. I'm still familiarizing myself with the nuances of hypervisors and device drivers and the like. The only thing I know for sure is that it will change how we think about security, which is a good thing.
Finally, it's also clear to me that we need to start some discussions about how to blow up the status quo of security. If there was one thing that was abundantly clear, it's that fixing holes is not the answer. The people presenting their research can break networks and applications in MINUTES. We've got to start from a blank slate and really rethink the problem space.
Stay tuned on this. The discussion will be starting soon. But don't call me, I'll call you. The last thing I need is a hundred vendors telling me why their product breaks the status quo of security. That would be so un-Black Hat, after all.