Code breaking, party going, and general electronic mayhem. These phrases describe the one seemingly constant in the world of information security: the passing of the annual DEFCON and Black Hat hacker conferences. Both held the same week of July 29, 2009 in blazing hot Las Vegas, Nevada, these conferences are the lifeblood of the industry and hobbyist communities alike.
Black Hat offers professionals the opportunity to catch up on the latest security threats and grab copious amounts of vendor swag. DEFCON shows many of the same presentations as Black Hat, but it is less corporate, with contests involving lockpicking, hardware hacking, and wifi antenna construction.
Since 1997, the pair of conferences have provided a general yearly overview of computer underground and information security activities. Jeff Moss, the founder of both conferences, was recently sworn in to Barack Obama’s Homeland Security Advisory Council.
The briefings portion of Black Hat began on July 29 and lasted until July 30. DEFCON officially began on July 30 and lasted until August 1.
As has been the trend in the previous few years, the conferences emphasized the following: remotely exploiting server vulnerabilities is much harder than it used to be, and the soft targets are now either very close to the hardware or very close to the user.
Another direction is using memory corruption techniques against code that interacts with hardware at a low level. This type of code generally has not undergone as much testing as the applications we commonly associate with everyday use of a modern computer system.
Secure website vulnerabilities
A man calling himself “Moxie Marlinspike” introduced new methods for performing man-in-the-middle attacks against encrypted network traffic, enabling an attack to both read and modify data once thought private.
His methods abuse a specific flaw in the way a certain piece of software matches a website’s identity with its cryptographic key, such as with https. The file that provides this key-to-identity mapping is called an SSL certificate. He described many ways an attacker could form an SSL certificate that Firefox and other web browsers would consider valid for any given domain.
Think of going to paypal.com and seeing your browser show a lock icon and no special alerts. Despite the security icons being enabled, someone is in reality pretending to be paypal.com and reading all of your authentication credentials and transaction data. Moxie’s tool to implement this attack can be found at: http://www.thoughtcrime.
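The weak point described above is the step where a client decides whether the name in a certificate really is the site it is talking to. The following is an added example of a strict hostname-matching check written for this article; it is not Moxie's tool, Firefox code, or any browser's actual implementation. It takes a certificate in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns (the sample certificate and its values are constructed for illustration), prefers subjectAltName DNS entries over the subject commonName, allows a wildcard only as the entire leftmost label of a name with at least three labels, and refuses any name containing control characters such as NUL, so a name that one parser would truncate can never be accepted as a match.

```python
"""Strict hostname-to-certificate matching (added example, not from the article)."""
import re

# Constructed sample certificate, laid out like the dict that
# ssl.SSLSocket.getpeercert() returns. Values are hypothetical.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}

# A valid LDH (letters, digits, hyphen) DNS label: 1-63 chars, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name, allow_wildcard=False):
    """Split a DNS name into lowercase labels, or return None if it is malformed.

    Control characters (including NUL), empty labels and non-LDH labels are
    rejected outright rather than truncated, so every caller sees the same name.
    A '*' label is accepted only in the leftmost position of a certificate name.
    """
    if not isinstance(name, str) or not name:
        return None
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return None
    name = name.lower()
    if name.endswith("."):  # a single trailing dot marks a fully qualified name
        name = name[:-1]
    labels = name.split(".")
    for i, label in enumerate(labels):
        if allow_wildcard and i == 0 and label == "*":
            continue
        if not _LABEL_RE.match(label):
            return None
    return labels


def _name_matches(cert_name, hostname):
    """Compare one certificate name against the hostname the client intended."""
    pattern = _labels(cert_name, allow_wildcard=True)
    host = _labels(hostname)
    if pattern is None or host is None:
        return False
    if len(pattern) != len(host):
        return False  # '*' stands for exactly one label, never zero or several
    if pattern[0] == "*":
        if len(pattern) < 3:
            return False  # refuse '*.com'-style wildcards that would cover a whole TLD
        return pattern[1:] == host[1:]
    return pattern == host


def certificate_dns_names(cert):
    """DNS names the certificate claims. subjectAltName DNS entries win; the
    subject commonName is used only when the certificate has no DNS SAN at all."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def hostname_matches_cert(cert, hostname):
    """True only if some well-formed name in the certificate matches hostname exactly."""
    return any(_name_matches(name, hostname) for name in certificate_dns_names(cert))


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "example.com",
                 "www.example.com\x00.attacker.example"):
        print(repr(host), "->", hostname_matches_cert(SAMPLE_CERT, host))
```

A check like this sits after chain validation, not instead of it: the certificate must already be signed by a trusted authority and unexpired before its names mean anything. The ordering rule (SAN first, CN only as a fallback) and the refusal of control characters are what keep a valid-looking certificate for one name from being accepted for another.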
Apple keyboards hacked
When booting up a computer system, most people never expect their keyboard to be hacked. K. Chen, a student at the Georgia Institute of Technology, proved that this assumption isn’t always valid.
Because Apple performs no cryptographic verification of the software its keyboards run internally (the firmware), Chen was able to insert malicious code into the keyboard itself.
This enables an attacker to capture a victim’s keystrokes and store them on the keyboard instead of the computer. While this generally requires administrative privileges, the technique proves that one can’t simply trust that a computer isn’t compromised even when all critical system files appear safe.
The attack also offers a chilling opportunity for law enforcement to log encryption software passphrases to be recovered during an on-site investigation. While this attack specifically targets Apple’s keyboards, many other pieces of hardware are likely vulnerable to a similar security breach.
VMware host vulnerability
Virtualization technology, which runs multiple operating systems on one computer at the same time, is increasingly popular, in the form of software like VMware and Xen.
Most people take for granted that whatever happens inside a virtual system stays inside that virtual system. Kostya Kortchinsky, a security researcher at Immunity Inc., challenged this assumption with CloudBurst, a VMware host-infecting utility.
By abusing poor memory management in VMware’s 3D graphics software, CloudBurst is able to inject code into the operating system running the virtual machine, allowing it to be controlled from the compromised guest OS.
VMware issued a security advisory on this issue months before the Black Hat presentation, along with patches to fix the vulnerability. Both the advisory and links to the patches can be found at: http://www.vmware.com/security/advisories/