Black Hat Europe, Day 2: The day that wasn't and Black Hat Europe, Day 3: Begin the presentations

If you haven't seen it yet, you can check out Day 1 of my coverage of Black Hat Europe 2008 here.  So, for those of you looking forward to a Black Hat Day 2 update with some more from the training sessions... I'm afraid it didn't happen. I had intended to hook up with Adam Laurie for a discussion of his "Invisible Network, Invisible Risk" training course which is a focused wireless security class, but I just couldn't make it happen as there was too much to do around Amsterdam, and seriously, I needed the day off. So for me, this was the Black Hat day that wasn't, but I did get a chance to speak with Laurie late yesterday and will create an update to Day 2 later.

Onto Day 3, and we're into the presentations. I bounced back and forth between PDP's talk on "Client-side Security" and Christopher Tarnovsky's "Security Failures in Secure Devices". I found both talks to be interesting with PDP's talk more directly applying to the research that I'm involved in, and Tarnovsky's talk more focused on something I have not looked into.

Tarnovsky discussed attacks against various semiconductors, which was quite interesting. He used Hydrofluoric Acid to eat away areas of the chips so that he could connect pins to the devices and begin reading the EEPROM (Electrically Erasable Programmable Read-Only Memory). While I didn't find this particularly useful to myself, it was certainly an entertaining talk about the security of semiconductors.

As I said, PDP's talk more directly related to research that I'm interested in and focused on a lot of the various attack vectors that PDP and his Gnucitizen group have been involved with throughout the last year. I'd recommend people take a look at his slides once they are posted, as his talk had a lot of good places to look for those involved in Web application assessments.

For the next round of talks, I attended Feng Xue's (aka Sowhat) talk on "Attacking Anti-Virus Software", which I found to be entertaining and completely what I expected. He started with some interesting thoughts on the use of AV and its role in the security arena:

• Over 80% of people use Anti-Virus products
• Most of those people believe that their Anti-Virus is a key component of protection

After this, "Sowhat" got into a discussion of what these flaws are and where to look:

• There are numerous areas to look for flaws
  • Local Privilege Escalation attacks
    • Such as attacks attacks against weak DACL
    • Numerous driver issues
    • See Examples:
      • Panda Antivirus Insecure Default Directory Permissions
      • Panda Platinum Internet Security Insecure Default Directory Permissions
      • Symantec Products IOCTL Handler Privilege Escalation
      • Symantec Windows LiveUpdate NetDetect Privilege Escalation

  • Attacks against ActiveX controls
    • Think of all of those "free" registry and virus scans online companies want
    • We're looking at the typical buffer overflow type issues that ActiveX has become so famous for
    • Some examples:
      • Kaspersky AV
      • Norton Personal Firewall ISAlertDataCOM ActiveX Control Buffer Overflow

  • Attacks against the AV engine
    • At the core of the AV is the engine which powers all of the parsing of files and searching them through for attacks
    • Many file format parsers = many vectors for attack
    • File format flaws have been huge for a number of years now and are well understood and more importantly easy to fuzz
    • Also consider all of the sources that will take in files that need to be scanned:
      • E-mail
      • P2P
      • Instant Messaging
      • The web, etc.

    • Some examples:
      • Symantec Multiple Products UPX Parsing Engine Buffer Overflow

  • Attacks against management software for the AV, see the following CVE's for reference:
    • Symantec AntiVirus Scan Engine Administrative Interface Buffer Overflow

So, as the talk got to flowing, "Sowhat" made it clear that he had a couple of 0-days that he was going to show us, but not release; however, when showing the demo, I think a few of us (David Weston, Rob Carter, and I) saw it as pretty clear what was happening and were a bit surprised as to the ease with which a little fuzzing could yield a bug on these highly critical applications.

After "Sowhat's" talk I moved on to the "CrackStation" talk by Nick Breese, which turned out to be fairly interesting. Breese has taken advantage of the Vector processing and multiple SPU's that have made the PS3 a very powerful gaming machine and used that to make it a very powerful password cracking machine. One of the key claims made that showed the huge upside of this setup was, "The current upper limit on Intel-based systems is 10-15 million cycles per second, but on the CrackStation, we can get up to 1.4 billion cycles per second." There was no detailed mathematical proof of this number that I saw during the presentation, but the claim if true is astounding.

Day 3 wrapped up into a night out on the town with several good friends, Billy Rios, Nitesh Dhanjani, Rob Carter, David Weston and his girlfriend, and Tiller Beauchamp and his girlfriend; which unfortunately had to be cut short for Rob and I as we were speaking first thing in the morning the next day and had our talk trimmed from 70 minutes to 50 minutes.

Check back for more on Day 4 of Black Hat as well as my interview with Adam Laurie from Day 2.

-Nate