Monday, 6 August 2007
Creme de la BlackHat
After much ranting and shouting, not to mention Googling and reading, I'm starting to get a slow trickle of some of the best content from BlackHat. The cream always rises to the top, and here's what I've discovered so far...
Ivan Arce from Core Security emailed me his team's entire presentation, and now I wish I'd been there even more. This is clever stuff, and what surprised me most was that the attack has been possible for as long as databases have been around. I guess it just took someone a lot of thought and studying of databases before they came up with something so intricate.
I said on here last week that all I could find was an article which "sounded like a marketing ploy for Core" to me. Well, the presentation definitely isn't; there's far too much technical content. Anyone holding the purse strings would have walked off to count their money long before the techies stood up to applaud. I should make it clear that I have no beef with Core; Ivan has in fact proven to be a kind and generous man. My criticism lay with the reporting, and my frustration at not being able to see what everyone else was getting excited about.
Well, now I have it in PDF, and you probably don't, and I can't let you have it because Ivan's asked me not to publish it as it's property of BlackHat. Did you prefer frustrated, or smug? :)
I also did some digging into Dan Kaminsky's talk on DNS hacking, mainly because Martin McKeay said he'd been really drunk. Drunk people are often extremely clever because of Darwinian theory. Survival of the fittest.
Let me explain: In a herd of buffalo, the strongest lead at the front, the rest of the herd behind; that's just the way it works. When a lion/tiger/predator of some sort (I'm not a naturalist, you may be able to tell) attacks the buffalo, it is the weakest that it catches, and so the strength of the herd is improved. And so it works with brain cells. Alcohol kills "millions of brain cells", so every time we get drunk, we are killing off the weak and useless stragglers, leaving a finely tuned engineering machine.
I stopped drinking 3 years ago to give my liver a chance to recover, and never took it up again; in that time I have become decidedly more stupid. In fact I have become a product manager, and a director, having been an engineer; read into that what you will. (Probably that I used to turn up drunk at work, which isn't true.)
Back to the story. Dan's talk is available on his DoxPara website, and it makes very interesting reading. I used to train customers on DNS (amongst other things), so I may have a slight advantage without the background talk, but I found the slides very interesting. Again, I wish I'd been there to hear what Dan had to say, and again, they don't seem to be using anything new, just vulnerabilities that have always existed, and are becoming more prevalent due to the way we are using the web. Web 2.0 is tearing holes in security which I hadn't even considered until I read this, so I am thankful to Dan for this, and would like to buy him a drink.
The really interesting part of his slides was at the end, however. A side project of his has been messing about with audio files, presenting them visually in an array picture of varying hues. They are very pretty. Talking to a friend of his, he came up with the idea of using them to "listen" to audio captchas. It worked. The picture at the top of the page is the number 8.
The thing I appreciated most about both Ivan's and Dan's work was simple, though. After all the "here's how you can break it", there are some simple ideas around how to stop it happening. I hope the db/DNS/audio captcha people are taking note. I also hope to find a few more nuggets like this. I've really enjoyed myself, and may even crack a smile later on.