Thursday, August 7, 2008

Caesar's By Night

BlackHat Day 1 -- DNS: Dan Kaminsky and Research Persistence

Black Ops 2008: It's The End Of The Cache As We Know It
Dan Kaminsky

I just have to say how happy I am that Dan Kaminsky found this vuln and handled it the way he did. This guy has playfully danced all over DNS for much of his career, and finding a problem like this gets to the heart of how the Internet works. This just might even top streaming video over DNS! The amazing thing about DNS is that it's highly resistant to change, so it hasn't exactly been evolving rapidly. Anyhow, this talk had the normal level of Dan enthusiasm and was packed -- standing, sitting, in the aisles. Dan exhaustively demonstrated what can happen when you can own DNS at the highest levels. When you think about it, it's really insane. He also went into depth about the massive patch orchestration effort that went on behind the scenes. Kudos to everybody involved for making it all happen.

BlackHat Day 1 -- Bad Sushi and Phisher on Phisher Crime

Bad Sushi: Beating Phishers at Their Own Game
Nitesh Dhanjani and Billy K Rios

These guys easily infiltrated a bunch of phishing forums by pretending to be a young kid wanting to learn how to do it. They were very quickly "helped out" and handed tons of phishing kits, after claiming they couldn't afford the exorbitant prices for the kits. Some of the observations from the presentation were quite comical. The phishing scene (sub-culture?) is one of bravado and backstabbing. They even found lists of phishers that will rip off other phishers. They called it "phisher on phisher crime." One phisher generously gave the two a bunch of kits, but had clearly attempted to obfuscate something in the primary PHP uploader code, so that each stolen identity would also have a copy sent to the author. Another hilarious example was a guy that was giving "instructions" on how to hack Yahoo. There were pages of completely fake instructions -- that only someone non-technical would write or believe -- but at the end, to get it to work, you had to enter a working credit card number! When they e-mailed the guy that it didn't work, he simply told them that they "did it wrong" and "do it again". They also talked a bit about the various pricing they saw for stolen credit cards and what some of the likely return rates were. Very fun stuff.

Wednesday, August 6, 2008

BlackHat Day 1 -- Wake Up, Register, Eat, Get Punched in the Face

I was up early this morning and off to Caesar's, where I quickly registered, grabbed a bagel and coffee, and got the lay of the land. There seem to be a lot more people this year and quite a few more vendors. I saw a few folks I know and managed to call one person by the wrong name. So, I hit the Intro and the Keynote.

Keynote Speech -- Complexity in Computer Security
Ian Angell, Professor of Information Systems, London School of Economics

This was a really great knock-in-the-jaw speech (Okay, I was speaking metaphorically!). One of the main points he made was that our instinct to use statistics and risk analysis to simplify complex systems is doomed to fail by its nature, especially when that system has human pressures applied to it. When people ask me about info security risk, I often make a similar point by drawing a standard bell curve with lines for two standard deviations from the mean. For some instinctive reason, people seem to be very comfortable trying to map to this distribution world view of risk. Then I draw an arrow pointing to around 2% with a snarky caption like, "Owned". The problem is that things just don't follow simple models when dealing with emergent systems, because the rules of evaluation can change at any time. There really are no rules that can fully work. I'm going to have to think about it some more ... seriously.

More on Day 1 talks as I get them written up.

Welcome to Vegas

Alright! Well, I did not get hung up by airport security, as I usually do. I think I've got a clear path figured out now: if you're on the list, use the frequent flyer programs! I sat next to a guy on the airplane that was wearing grey and also going to BlackHat -- oddly, once we established this fact, we hardly spoke to each other. Prepare to experience Homo Securitas. Upon arrival, I hit the ground running, got to my hotel, checked in, and was immediately off to Caesar's Palace, where I hooked up with Cvoid and Lara for dinner. I met and hung out with a couple of his co-workers on the InfoSec team at eBay and then tried to register for BlackHat, but was too late. I swear, some people are paid to be grumpy. I saw a kid in a stroller wearing a toilet-seat-looking neck-pillow, so that his mom could drive him around the hotel while he slept. She said, very matter-of-factly, "He IS still alive and that's all that matters." The above picture is Cvoid and me crashing the Qualys party (though honestly our crashing didn't last very long). I ironically clinked glasses with a few folks there as we attempted to find Mike Murray (where's Waldo?), but never succeeded. We subsequently failed to crash the BlackHat presenter party, though we had a good shot at it. I got to greet Kingpin in the elevator on the way up to the penthouse. After more hanging out at Caesar's, I headed back to my hotel and received a nice profanity-laced tirade from my cab driver for taking too short a ride. "Why don't you take a #$%ing bus next time," he said. When I started to settle in my room for the night, I got a text and was back off to the yearly pre-BlackHat midnight at Denny's with the nCircle VERT team, which I finally was able to make. Now, I've got to be up early to register. Welcome to Vegas!

Tuesday, August 5, 2008

See You in Vegas!

On my way out to BlackHat and Defcon. Should be a good time.