After two days of intensive training with SensePost (“Hacking by Numbers”), the briefings started today. Jeff Moss opened the keynote session with fresh information about the conference. First, the number of registrations increased (+100) compared to the last year. This is a good news! The crisis did not affect the number of visitors and security stays a primary concern. New countries were present like Peru, Venezuela. What about Belgium? The official number (received from the BlackHat team) is height people. The keynote was given by Max Kelly – CSO of Facebook. Max started with facts and figures about the #1 social network website. Like most organizations, they started without a strong security policy and grew very quickly. At a certain point in time, they decided to strongly address the security issues. They performed a risks assessment and decided to play at legal level: Pursuing attackers was less expensive than buying new servers! Facebook focused on security and not on compliance. According to Max, “Compliance isn’t security“. They target the actors: frustrate them, make attacks expensive and difficult. A typical spam attack on Facebook is composed of the following steps: collect accounts, write software, perform the attack and take the users outside Facebook. From this point, it’s easy to make profit. An interesting statistic: today, around 20% of the Facebook team members (all inclusive) are doing security!
“Hardware is the new software” says Joe Grand. By using this title, Joe would like to insist on the fact that, like almost any piece of software, the hardware components used in the devices we all use on a daily basis are vulnerable. The manufacturers can’t ignore the security aspects (too often simply ignored). Hardware hacking can be used for good reasons (to verify if we can trust them, for education) but also for evil (theft, cloning, spoofing – good examples are SIM or credit cards). To do hardware hacking, you need tools. Most of them are easy to find and not necessarily expensive. eBay is your best-friend to setup your toolbox. Hardware have microprocessors which run code stored on on-board memory chips. Once the data/code has been dumped, an analyze can be performed. Note that most of product designer are not security aware (designer and developer, same fight?) and they don’t like to re-invent the wheel: most new generation devices are based on old versions (same chip-set or code). Components are not physically protected (easily identifiable and probe). And lot of devices ccan easily be accessed via debug/test interfaces. Some devices are especially targeted: e-voting machines, ATM machines, smart power meters, smart parking meters. As usual, if some profit can be expected, people are ready to take time to hack the system. To end the presentation, Joe explained in details how to compromised the brand new parking system deployed in the United States a few years ago.
The next talk was “Unveiling Maltego V3”. Do I need to present Maltego? If you don’t know this wonderful tool, just visit the website. The presentation started with some statistics about the version 2. Then, Roelof definitively closed the buzz about the release date of the new version: “Maltego V3 will be released… when it will be ready! And when will it be ready? I don’t know!“. After a review of the new features like a completely new look, new navigation and transformations, Roelof jumped into a cool feature of the version 3: NER or “Named Entity Recognition“. Basically, from a text, it’s possible to gather information about people. The data is processed like this: speech to text conversion, English translation, NER processing, DB storage and a correlation engine. Potentially all media can be scanned (radio, TV channels, SMS, websites, etc). A very nice demo was performed starting from a document about uranium enrichment. It was amazing to see how much information can be collected and correlated by Maltego. The second demo, even more amazing, was about the Facebook integration within Maltego. Facebook provides an open API but the Maltego developers decided to not use it. They chose the technique of screen scrapping. It’s much more complex to implement but so powerful! From an e-mail address, it’s possible to grab the facebook ID, profile and finally get friends. Combined with the other transformations available you have a great “big-brother” tool available. I suppose that Max Kelly was in the room to follow the demo. Note that Maltego won’t be released with the Facebook transformation for legal reasons. But, as said Roelof: “You saw its possible. If you want it, recode it“.
After the lunch, Stefan Chenette presented FireShark, a tool to link the malicious web. A fact: 225% increase in the number of new compromised legitimate websites in the last 12 months. Mass injections are hard to correlate, current de-obfuscation tools are not sufficient and attacks become more complex. Some public tools available today: Malzilla, Jsunpack or websites: Robtex, Wepawet, Virustotal.com. Stefan reviewed some of the tools available and showed their issues or missing functionalities. Fireshark is a Firefox plug-in associated to post-processing scripts. The goal is to have a better understanding of the injection attacks. Two modes are available: network mode (automated) or single-user mode (manual inspection). just install the XPI, put all your target URLs in a text file and let FireShark do the job. Once done, analyze the logs with 3rd party tools like graphviz.pl or IngressEgress.pl. Post run possibilities are endless! Just imagine: portscanning, ASN/IP mappings, Whois, webapp software running etc. Just an idea: why not link Fireshark with Maltego V3? 😉 Note that the data correlation is important: Sites are interconnected (ex: Youtube) with a lot of others. If one of them is compromised, chances to spread quickly are higher. Then, Stefan reviewed some example of injection.
“SCADA and ICS for Security Experts” looked interesting to me. James Arlen made a good presentation: simple slides with only a few words and well-chosen pictures. This was not a technical presentation. Whatever the SCADA protocols used, the important job is to protect the information (like any infosec job). The presentation was split in two distinguished parts: first, James came back on the computers placed in a SCADA system. It’s not because a computer is pwned that everything will be brought down. Like in the finance sector, SCADA systems are protected by many control to prevent incidents. Often, when a security incident occurs, it’s fully transparent for the “users”: people are still receiving water and electricity at home. SCADA is a strange world where people are quite old and rarelly welcome infosec guys with a smile. James also insisted on the fact that nobody can claim to be an “expert” in SCADA. In the second part of the presentation, he explained that computers are present and must be considered as a weak link: they must be protected using classic tools and techniques but in a reverse order: Usually, the CIA principle is applied (Confidentiality – Integrity – Availability) but, in SCADA environment it’s better to implement it in the reverse order: IAC. During the Q&A session, somebody asked if the scenario of Die Hard 4 could be real. According to James, the scenario is good way to increase the security awareness. But the whole scenario could never happen. Some problems could arise due to cascading failure.
And to close this first day, Peter Silberman and Ero Carrera presented the “State of malware: family ties“. They first explained the two type of malwares that can be detected: Mass Malware and Targeted Malware. The first type spreads across the internet – a large base of potential victms – while the second focuses on specific victims or networks. The study performed by Peter & Ero was to analyze and try to classify the malwares into families. Using families, the incident management could be performed with better results (example: to track the authors). They tried to discover if the different malwares were based on the same code or piece of code. In fact no but ,even if the code is not shared between mass malwares, there are some similarities: They are written in Delphi and use BZip2, OpenSSL, SFX indestaller. Same feature is programmed in several different ways.
The day ended with a reception and a lot of social networking (found back friends, make new ones).
Other links:
- Chris John Riley’s blog: blog.c22.cc, posts are published almost in real time! 😉
- Frank Breedijk’s blog: www.cupfighter.net
- #BlackHatEU Twitter tag