Blackhat Europe 2010 Barcelona – Day 01
As some of you might know, I am currently attending Blackhat Europe (hosted in Barcelona this year). So I wanted to take the opportunity to fill you in on the details of this first day of briefings, and provide you with a short overview of the presentations I have attended today.
I am most certainly not the only person that will be blogging/writing about Blackhat, so I’ll just keep things short and give you my personal view on things. You can find more/other information about the briefings at Blackhat Europe (and some other excellent stuff) at http://blog.c22.cc.
Before I get started I would like to mention that, the day before the seminars started, I got the opportunity and pleasure to finally meet some of the folks I have been communicating with over the last few months: Didier Stevens (and his wife), Xavier Mertens, Chris John Riley and Frank Breedijk.
(from left to right : Frank, Chris and Xavier)
In addition to that, I met some other nice and interesting people during the course of the day, so my day has been quite "fruitful" from that perspective as well.
Also, half an hour before the seminars started, I had a chat with some folks from Core Security and they invited me to the Core Security party tomorrow evening. Too bad I won’t be able to stay at the party for long, because I’m flying back to Belgium tomorrow evening. Anyway, the party badge looks shiny and that’s half the fun I guess :-) – Thank you Core Security.
Day 1 kicked off with an introduction given by Jeff Moss (who basically explained that Blackhat Europe moved from Amsterdam to Barcelona because of ‘sizing’ issues).
As the number of attendees (and the number of speakers) is increasing (this is the first year with 3 tracks instead of 2), the location in Amsterdam was becoming too small to host the trainings and seminars… so Barcelona appears to be the next best thing :-). And I can’t blame them.
Security – the Facebook way
After the introduction, Facebook CSO Max Kelly took care of the keynote speech, in which he presented Facebook’s approach to and strategy for security.
The first part of the talk outlined some generic security concepts: software and applications will always have vulnerabilities. Each vulnerability represents a threat. A threat can be targeted and results in an attack. The attack is always launched by a person, for a specific reason, with a specific motive. Sounds fair to me.
What really got my attention in his presentation was the fact that Facebook’s strategy (and perhaps a substantial part of their economic model, so it seems) is based on filing lawsuits and going after the people that try to abuse vulnerabilities in Facebook. Facebook doesn’t really care about the vulnerabilities themselves, but they have focused their attention on detecting abuse and tracking down the abuser. It’s not all bad, because an important piece of the process is to discover what the motives are (spam => making money => somebody will pay the spammer), so they can try to take out the root originator of the abuse.
After all, vulnerabilities will be there forever, Max says, no matter what we do.
So basically, the Facebook security values are
- diligently pursue attackers of any type
- use all legal means to identify attackers
- use all legal resources to protect the company and its customers
- respect the trust that users put in Facebook
- move fast, focus on high-level problems
- work with the security community
When translated into actions, they basically
- don’t care about vulnerabilities (they are infinite, and trying to fix them will probably introduce new bugs)
- accept that there are bugs; they know about the threats that result from the bugs, but they try to be realistic about it
- monitor, detect and watch attacks
- go after the attackers
I also noticed (on the second or third slide) a small statement about reporting vulnerabilities to Facebook. Facebook seems to be open to researchers reporting vulnerabilities, but only under certain (legal) circumstances… The fact that Max did not even mention it during his presentation (while the text was still displayed on the screens) only emphasizes that they don’t really care about vulnerabilities. Facebook does not want to invest a whole lot of research and money to pro-actively find and fix bugs. In my opinion (just my personal view), they’re not really waiting for researchers to file bugs either. In fact, I’m pretty sure it will be almost impossible to report bugs to Facebook in a legal way… after all, you would still be hacking into an application that is running on third party servers. So I’m not sure about their statement that they are willing to work with the security community. And if they are, it’ll probably be one-way only :-)
To be honest, from a business perspective, there’s nothing wrong with this economic model. But I am afraid that, from a security point of view, it will only lead to more bugs, and it doesn’t really acknowledge that developer education (about writing secure code) is extremely important.
So, not everything was "bad" of course. He mentioned that it is very important (for any web application, if you think about it) to log interactions and the CPU/memory cycles required for certain interactions. It will not only allow you to properly size and scale your servers, but it might also indicate that there is an issue (for example, someone trying to take advantage of a bug in the application who has launched a scripted attack against a specific component of the application).
After the keynote, during Q&A, somebody asked if Facebook has plans to deliberately "plant" vulnerabilities into their applications to attract hackers… the (politically correct) answer was – of course – "no".
Defending the poor
The first real "researcher" talk I attended today was the one given by the legendary FX. (FYI: right before the meeting I got the chance to have a little chat with him and thanked him for reviewing my Unicode exploit tutorial. Although time was short, he really took the time to have a little chat, which is something I very much appreciated.) Anyway, this was the first time I saw a presentation by FX (or anyone else at a security conference such as Blackhat) that targets the defensive side of security. In "Defending the poor", he explained the history of how the Flash player (or more specifically the SWF format) has evolved into what it is today, and how it is flawed by design. To cut a long story short, the file format has plenty of design errors and will continue to lead to system compromises all over the world. The install base of Flash player is immense (although MS Silverlight is catching up real quick) and that leaves many users susceptible to security issues. While in the recent version of SWF an attempt was made to fix some of the issues, the reality is that the player still supports all backwards-compatible (and flawed) formats, and there’s nothing we can do about it… Well, maybe there is.
FX is working on a tool called Blitzableiter, which will basically
- parse a SWF file when it’s presented to an end user browser, and check for strict SWF specification compliance
- drop the original swf file
- verify the code inside the swf file
- recreate a safe file
- present it to the end user
- do some runtime analysis (and block certain API calls by looking at arguments on the flash player stack)
The utility is created in .Net (C#, which has many advantages, as it has built-in protection against many overflows) and works on both the Windows and Linux platforms.
The downside is that, while this browser plugin will already stop a substantial range of attacks, it still won’t stop all malicious code, and it’s not going to be easy to close this final gap. Stay tuned on this one, because it looks promising already. And for other security researchers: this is a good example of added value for business people like me! Knowing about the vulnerabilities is really necessary… but spending a decent amount of time working on creative, inexpensive solutions is even more important to get management buy-in in this time of economic recession.
Unveiling Maltego 3.0
To be honest, I haven’t really played with Maltego 2.x yet… but from what I have seen of the (not yet released) 3.0 version of Maltego, I felt sorry for myself and obviously got impressed at the same time (to say the least).
It’s hard to describe in a few words what Maltego is, because I would probably end up disrespecting the concept and added value of this tool. Maltego positions itself as an open source intelligence and forensics application, but in essence it is "just" an awesome data mining tool that uses various "transforms" to get more data about certain objects, from various sources (websites, Google, whois, network scans, DNS, and even custom integrations with, for example, your own databases etc).
The power behind the product is the data mining and correlation engine, and its beautiful graphical representation, which will allow anyone to build relationships and links between all kinds of objects (people, computers, keywords, etc).
Roelof Temmingh from Paterva demoed his new "baby" with pride and emotion and impressed the entire room with the new features of the product:
- Look & feel updates:
  - Dynamic graphing
- Improved "Entities":
  - Custom entities
  - Manual linking
  - Bookmarking & annotations
  - Entity display/edit
- Improved navigation:
  - EWV fully interactive
  - Set transform settings on the fly
  - Detailed view
  - etc
Especially the NER (Named Entity Recognition), using APIs from OpenCalais and AlchemyAPI, will add a lot of value to this utility. You can basically feed a text/webpage/… into the API and it will extract entities (names, facts, places, events, topics, etc), so you can use that as part of your mining exercise.
Version 3 is not released yet, and Roelof stressed that they won’t release it until it’s ready.
If you want to follow up on Maltego, make sure to subscribe to the Maltego Beta blog. The whitepaper and slides can be downloaded from the Blackhat website.
Next generation clickjacking
The "Next generation clickjacking" talk, presented by Paul Stone from Context Information Security, was really interesting. Based on research by Jeremiah Grossman in 2008, Paul took things to a new level and showed a couple of new techniques that can be abused on malicious websites to trick users into clicking on certain parts of a web site, in an attempt to steal information from that computer. In fact, using a technique that combines hidden iframes with the drag & drop API in a Java applet, an end user does not really have to click on a button or link anymore to trigger the malicious code. Very neat finding!
The speaker also demonstrated a tool he wrote (works fine with Firefox 3.6) which will help you test your own applications (or basically build proof-of-concept webpages) for various clickjacking techniques.
Finally, he indicated that most browsers are currently not able to provide real protection against this form of exploitation. The only thing you can do is try to keep your website from running inside a frame. You can do this by
– setting the X-Frame-Options header (which will only work on newer browsers such as IE8)
On apache, you can do this by setting the following value in your httpd.conf file :
Header always append X-Frame-Options deny
or
Header always append X-Frame-Options sameorigin
(if you still want to allow framing from pages served by the same origin as the webpage)
– using some JavaScript code (which will obviously only work when JavaScript is enabled) to prevent your website from running inside an iframe. An easy way to do this is to add this to every webpage on your website:
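As an added example (not the snippet from the original post), here is a frame-busting script in the spirit of the JavaScript defence described above. The check is kept in plain functions that take a window-like object (an assumption made so the logic can be exercised outside a browser); in a real page the last lines run it against the actual window.

```javascript
// Added example, not code from the original post. Frame-busting helper:
// detect whether the page is rendered inside a frame and, if so, try to
// break out; otherwise reveal the page content.

// Returns true when the page is framed. Reading win.top can throw when the
// parent is cross-origin, and in that case we are certainly inside a frame.
function isFramed(win) {
  try {
    return win.top !== win.self;
  } catch (e) {
    return true;
  }
}

// Returns true if the page was framed. When framed, navigate the top window
// to this page; if the parent refuses the navigation, keep the content hidden
// so nothing can be clicked or dragged through an overlay.
function bustFrame(win) {
  var body = win.document && win.document.body;
  if (!isFramed(win)) {
    if (body) {
      body.style.display = 'block'; // top-level: show the hidden-by-default body
    }
    return false;
  }
  try {
    win.top.location = win.self.location;
  } catch (e) {
    if (body) {
      body.style.display = 'none';
    }
  }
  return true;
}

// In a real page, pair this with a style rule that hides <body> by default,
// e.g. <style>body { display: none; }</style>, so content is only shown
// after the check has run and found the page is top-level (window-like
// object assumed; this line is a no-op outside a browser).
if (typeof window !== 'undefined') {
  bustFrame(window);
}
```

Hiding the body by default matters because a framebuster that only navigates can be blocked by the framing page, and a visible but framed page is exactly what clickjacking needs.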