Black Hat

As you are reading this, my flight back to ATL should be climbing up through 10,000 feet on my way back home. Another year, another Black Hat, another set of things that are sure to kill us somewhere down the line, another few parties, and another frantic ride back to the airport.

Day 2 was a bit more sedate than Day 1, though that may have more to do with my hangover (that I finally chased away about 3 PM). I also skipped the keynote, though I heard it was pretty good. Here's a brief rundown of the sessions I did today.

• Satan is on my friends list: This session went deep into some of the tricks you can use on Facebook, MySpace, and LinkedIn to make the application do unexpected things. The most interesting thing is that the attacks were shockingly simple. No wonder these social network sites are such havens for malware, leveraging XSS, CSRF and all sorts of other attack vectors. Shawn Moyer and Nathan Hamiel also ran a little experiment in adding Marcus Ranum (with his permission) to LinkedIn and added about 60 connections within a day. One of the last recommendations was to make sure you had a profile on each of the sites. Not because you plan to use it, but because you should get one out there before the bad guys do. At least the inimitable Ranum now has a profile.
• No More Signatures: Defending Web Apps with ModProfiler: I was pretty disappointed with this session from Breach's Ivan Ristic and Ofar Shezaf. They spent the first 45 minutes explaining what a web application firewall is and some specifics about ModSecurity (the open source version). I was there to hear about ModProfiler, which is a new project focused on more effectively leveraging a positive (if it's not explicitly allowed, then it's not allowed) web application security model. They only spent maybe 30 minutes on that and didn't show the code or a demo or anything. Maybe they did in the last 15 minutes, but I left before then. You shouldn't make people wait for an hour to get to the technology mentioned in the title of the pitch.
• Get Rich or Die Trying: Jeremiah did a great job going over quite a few scams that really leverage web technologies, kind of. Most took advantage of weaknesses in the web application, as opposed to actually security flaws. And to see some of the real simple stuff (like having press releases accessible before they hit the wire by figuring out the naming sequence), and how one woman made about $400,000 by selling merchandise that QVC shipped her even after she canceled the transaction. So, the moral of the story is that company's should probably pay their Q/A people a lot more money (or get new ones) to find this stuff before an application goes live.

And that's all she wrote. Back to a regular publishing schedule next week. Enjoy your weekend.

Day 1 of Black Hat 2008 is in the books. It's great to see a lot of old friends, and it seems this year (more than the last two) many of the folks I'm talking to are more focused on the networking than on the session. Not me. I'm still fired up about seeing really smart guys discuss what they are up to and give me a lot of food for thought about how we need to continue protecting ourselves.

I ended up hitting almost all the sessions I wanted to, so let me go through some quick observations.

•  Keynote: Ian Angell, Professor London School of Economics - Professor Angell is a pretty engaging character and I enjoy his systematic skewering of the common knowledge about risk and what we can really control. Which is basically nothing.
• Bad Sushi: Nitesh Dhanjani and Billy Rios - As mentioned on Tuesday, I was looking forward to this session and it was a lot of fun. Especially when they pulled the RickRolling prank on the phishers and to see how many of them fell for it was great. Sometimes it's nice to strike back, although it doesn't have much of an impact on how we do things.
• Kaminsky's DNS talk: It was packed. I mean PACKED. And Dan delivered the goods. The thing that resonated the most is how dependent we are on DNS for pretty much everything, and if DNS is not trustworthy, we've got a real problem. Lots of innovative ways to comprise stuff assuming the bad guys own DNS and plenty of other goodies. I have some larger thoughts about the DNS topic, which I'll write up for Monday, but the only conclusion you can really draw is that we're screwed. But isn't that what Black Hat is all about? Giving security folks that uneasy feeling of not being able to keep up with all the attacks?
• Hoff's Four Horseman: The Hoff delivered the goods as well. First of all, the slides were very pretty. You should check them out. But aside from the aesthetic beauty of the content, Chris really put into question a lot of the assumptions many folks are making about securing the virtualization layer. Rich did a good write-up of Hoff's pitch and other Black Hat topics.
• Network Monitoring, Bruce Potter: I hadn't seen Bruce speak before and it was very entertaining. But most interesting was the very compelling case he made for why you need to monitor your networks using something like Netflow. He also talked a bit about a new open source tool called Psyche that his team is releasing and it looks pretty cool. It's nice to see the idea of network monitoring being discussed on the big stage. Of course, there are folks like Bejtlich that have been beating that drum for years. But given all the other stuff we're seeing at the show this week (basically we're screwed), the idea of figuring out everything isn't going to happen. So we need to REACT FASTER and monitoring is the way to do that.

The Mogull and I recorded a quick podcast yesterday as well. We talk about Kaminsky and Hoff's pitches and come the conclusion that basically we're screwed. You can check it out at the Network Security Podcast site.

Before I head off to Day 2, I have to relay my latest Vegas star sighting. To wrap up the night Shimmy, Mitchell, Adrian Lane and I are catching a little late night breakfast at Caesars. Sitting right next to us is Jeff Dye, one of the finalists on this season's Last Comic Standing. You all know what big fans of comedy the Boss and I are, so it was great to see him in person. He's a very nice guy and he really is that pretty. They are announcing the winner of the show tonight, so I told Jeff we'd be pulling for him.

Only in Vegas...

Hard to believe, it's time for another Black Hat conference. This is my third, and as I sit in the airport waiting to head out to Vegas, I'm eagerly anticipating the show. For lots of reasons, but mostly because it's the only show I attend to actually learn something. It's not like RSA or CSI are big on "education." I certainly know that I don't know it all, but Black Hat is a place where I can hang out with guys a lot smarter than me. And that's a good thing.

Even if the show has gotten a bit corporate. 

As others have mentioned, Black Hat/DEFCON are not the places to be careless about your computer security. Now that BH is doing the Wall of Sheep as well, no one is safe. I was at Rob Graham's session last year where he pulled up some poor saps Gmail through his sidejacking attack. That ain't going to be me.

So what do I do? WiFi is OFF. Period. Until I get back to ATL on Friday, WiFi is off. I'll just rely on my Verizon card for the few times I'm in my room and connected. I don't carry my laptop at the show, rather relying on good old fashion paper and pen to take notes. I may do a quick post or two from my iPhone (3G, I upgraded over the weekend), but for the most part I'll be mostly disconnected.

Speaking of my iPhone, WiFi is off on that as well. I'm also turning off Bluetooth. That means I'll be the silly one with the wired headset. But I'm not sure what new attacks have emerged, so I'll suffer the wired life for a few days. I'm also turning off the GPS. It's not like I'm going to get lost in Vegas, and again although I haven't heard of specific GPS attacks, why risk it?

Yes, clearly it's paranoia in full effect. But better to be safe (if a bit disconnected) than sorry. That's for sure.

In terms of sessions, a few caught my eye:

1. Bad Sushi: Beating Phishers at their Own Game (Wednesday, 10 AM): I'm going to see my friend Nitesh Dhanjani and Billy Rios do their anti-phishing talk. Clearly there are both process and technical defenses against the phishermen.
2. DNS Goodness (Wednesday, 11:15) - Obviously Kaminsky's session is going to be a circus. They should probably move it into the keynote room to accomodate everyone. Not sure I want to fight the masses to attend, but I'm sure it will be interesting.
3. The Four Horsement of the Virtualization Security Apocolypse (Wednesday, 1:45) - I've got to be there to support my boy Hoff and I'm actually interested in how he's evolved his pitch. I also heard (from the horses mouth) that the slides are real pretty, so I'll probably take a few presentation pointers from the Rational one.
4. Malware Detection through Network Flow Analysis (Wednesday, 3:15) - Since part of my schtick is REACT FASTER, Bruce Potter will be previewing a new version of his flow analysis tool, and that may fit the bill. Lord knows a lot of the NBA tools are way to heavy and high end for the mass market, so an open source alternative could be interesting.
5. Exploiting Google Gadgets (Wednesday, 3:15) - I'll also try to swing by RSnake's pitch, where he and Tom Stracener will be exploiting Google Toolbar and discussing a zero day. Woo Hoo.
6. Satan is on my Friends list (Thursday, 10) - I'm fascinated with this social networking thing and figuring out how to exploit it is pretty interesting. There is a lot of cutting edge research happening around this area.
7. No More Signatures: Defending Web Applications from Zero Day Attacks (Thursday, 11:15) - Yes, I plan to go see Sir Ivan and Ofar Shezaf discuss how profiling traffic can help defend web apps. This sounds like a positive security model and I think that's a pretty important aspect of defending the web apps.
8. Get Rich or Die Trying (Thursday, 3:15) - I'm also going to see Jeremiah do his logic flaws pitch. These are very interesting attack vectors and I'm looking forward to seeing how Jeremiah and Arian go through an pwn applications via the developers own mistakes.

I'm sure there are others, or maybe not. I tend to like to keep my schedule pretty fluid at Black Hat. I'll be hitting the party scene as well, so I hope to see at least some of you in Vegas.

Safe Travels.