BlackHat/Defcon 2012 takeaways

BlackHat/DefCon 2012 Report (Draft)
July 30th 2012
Scott@globalizenetworks.com

Abstract:  I attended my first Black Hat/DefCon conference this year and it was pretty amazing. I spoke with a bunch of great people ranging from senior security managers to pentesters and other sysadmins.   Many of the people at the conference were dedicated security specialists which really means that they operate in the enterprise and government space.  I didn’t really meet any other people working with small and medium sized businesses.  This report will focus on the issues most relevant to SMBs.

I will start with a skeletal outline of the top issues from talks that I personally attended.  In the coming weeks I will flesh out each topic with dedicated articles and I will add in analysis of other topics from internet sources.

Outline:

  1. Java
    1. Problem
      1. Java is being attacked a lot these days (J. Oh BH2012). 83% of successful BlackHole exploits are Java/Windows 7, and BlackHole is the number one web exploit toolkit (J. Jones BH2012). Sometimes business-critical Java applications require older (unpatched) versions of Java, which is what keeps the vulnerable runtimes installed.
    2. Immediate action
      1. Patch or disable Java where possible.
      2. Consider running those applications over terminal services where Java can't be patched or disabled on the desktop.
    3. Project work
      1. Reduce the browser attack surface overall.
        1. Flash blocking and ad blocking
        2. JavaScript restriction
        3. Restrict plugins and add-ons
      2. Patch management for third-party software, including browser plugins.
  2. NTLM
    1. Problem
      1. NTLM is a weak, deeply broken authentication protocol which is still widely deployed and difficult to remove from more complex Microsoft environments. NTLM is receiving renewed attention from the security community (Duckwall & Campbell BH2012, Z. Fasel DC2012). New tools (ZackAttack, WCE) simplify the exploitation of NTLM. Zack Fasel pointed out that it took Firesheep to force wider SSL adoption, by reducing the technical skill required to hijack sessions over plain HTTP. He wants to speed the removal of NTLM from corporate networks by providing a similar tool for NTLM, which could supposedly work even from outside the network if TCP 445 is allowed outbound (an internal client that can reach an attacker's SMB server will hand it an NTLM authentication exchange).
    2. Immediate action
      1. Block TCP port 445 outbound on the firewall.
    3. Project work
      1. Start auditing NTLM use: which hosts and accounts still authenticate with NTLM, and to which servers.
    4. On the horizon
      1. Block NTLM where possible.
  3. Intrusion Detection
    1. Problem – John “Four” Flynn gave an excellent talk at BH2012 on how ineffective current Intrusion Detection Systems are. He suggested using the kill chain concept to improve IDS: “If you can figure out a way to tag each event with the stage they are part of, you can stack the events in a way that lets you analyze them in terms of potentially part of a kill chain.” Verizon’s 2012 Data Breach Investigations Report shows that only 5% of data breaches are detected by internal mechanisms. Mandiant’s 2012 M-Trends report reveals a similar percentage. The good news for SMBs here is that only 30% of attacks are aimed at organizations with fewer than 1000 employees (per Verizon’s report cited above).
    2. Immediate action
      1. Understand the limitations of IDS and start treating internal networks as hostile.
    3. Project work
      1. Begin collecting and aggregating more data
        1. Snort
        2. Splunk
        3. Nagios?
      2. Consider projectnova.org to hinder, and possibly detect, the internal reconnaissance step of the kill chain (this deserves another article for sure).
      3. Start building alerts that correlate low-priority signals based on their relevance to kill chain steps, so that several events which are individually ignorable become one alert when they line up as consecutive stages on the same host.
    4. On the horizon
      1. New sources to categorize network and host signals into kill chain buckets
  4. Hardware backdoor
    1. Problem – J. Brossard gave a presentation at DC2012 of his hardware backdoor PoC, Rakshasa. This was a very plausible attack whereby the BIOS of a computer is replaced with an open source stack of Coreboot, SeaBIOS, and iPXE. The payload would be loaded at boot time over the internet, possibly using an ad hoc wifi or WiMAX link to completely bypass internal networks and IDS (i.e. connecting to an attacker's SSID broadcast from the parking lot). The payload is loaded directly into memory and never touches the disk, making it difficult to detect. This particular PoC is of limited scope in that the most recent Intel chipset supported by Coreboot is 5 years old. However, it does show that this is a real threat. Brossard does not believe that a machine can be cleaned (or hardened) perfectly without simultaneously reflashing all of its firmware, BIOS and PCI option ROMs alike, with hardware flashing equipment. However, in this imperfect world, using a floppy or boot CD to flash one BIOS or firmware at a time is probably the only practical precaution we can take. Brossard also thinks using an open source BIOS is the way to go since you can examine the code. This would be a great idea if we could dedicate a team of software engineers to reviewing the code line by line. Then again, think of the help desk nightmare of system failures caused by non-standard BIOS problems. I guess Brossard probably never had to do tech support.
    2. Immediate action
      1. Routinely flash all system BIOS and PCI firmware with the latest versions.
    3. Project work
      1. Make BIOS updates part of regular system maintenance for servers and clients.


  5. SOHO routers
    1. Problem – A lot of attention at BlackHat/DefCon 2012 was focused on compromising SOHO routers (Cutlip DC2012, Purviance & Brashars BH2012). Purviance & Brashars demoed an unlikely scenario in which JavaScript was used to locate the SOHO router used as a default gateway, crack the password, and then replace the firmware with DD-WRT. Now if you have played with DD-WRT you know how fiddly it is to get working: you need to match the image with the hardware version, unplug the power, etc. So this specific demo wasn't too convincing. However, it seemed that a lot of the talks were shying away from really cutting-edge exploits. Arguably there is too much money to be made by keeping the best secrets to yourself. Therefore, it's safe to assume that they or someone else has a more reliable version of this exploit and that it will start to appear soon. I don't really love the idea of a hacker owning the home routers of my corporate users. I also would find it distasteful and deeply shocking to discover any of these SOHO routers in place on any corporate network that I help manage. But crazier things have happened.
    2. Immediate action
      1. Audit corporate networks for SOHO routers.
    3. Project work
      1. Check and update the firmware of users' home routers
    4. On the horizon
      1. It might actually make more sense to build out a hardened DD-WRT image, deploy it to a standardized hardware router, and provide this to corporate users for use at home.
  6. VMware
    1. Problem
      1. Weaknesses are being exposed in VMware's vSphere suite. Some of the fixes are incomplete: researchers are picking around the edges of existing patches and finding similar vulnerabilities in other parts of the suite. Old problems like directory traversal are still being found in its web applications (A. Minozhenko DC2012).
    2. Immediate Action
      1. Fully patch vCenter.
    3. Project work
      1. Remove or disable unused packages to reduce the attack surface
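A worked example for the "start auditing NTLM" item in section 2. This is an added example, not code from the report or from any of the tools named there. It assumes the Security log's 4624 (successful logon) events have been exported as one record per line of key=value fields (for example via wevtutil or a log forwarder); the field names are the ones Windows uses in that event, and the records in SAMPLE_EVENTS are constructed sample data, not a real export.

```python
"""Summarise NTLM usage from exported Windows 4624 logon events (added example)."""
import ipaddress
import re
from collections import Counter

# Constructed sample export.  Real records carry many more fields; only the
# ones this audit needs are kept.  LmPackageName is the "Package Name (NTLM
# only)" field that distinguishes NTLM V1 from NTLM V2.
SAMPLE_EVENTS = """\
EventID=4624 Computer=FS01.corp.example LogonType=3 TargetDomainName=CORP TargetUserName=alice AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=10.0.1.15 WorkstationName=WS-OLDXP
EventID=4624 Computer=FS01.corp.example LogonType=3 TargetDomainName=CORP TargetUserName=bob AuthenticationPackageName=Kerberos LmPackageName=- IpAddress=10.0.1.22 WorkstationName=WS22
EventID=4624 Computer=FS01.corp.example LogonType=3 TargetDomainName=CORP TargetUserName=svc_backup AuthenticationPackageName=NTLM LmPackageName="NTLM V2" IpAddress=10.0.2.5 WorkstationName=BACKUP01
EventID=4624 Computer=FS01.corp.example LogonType=3 TargetDomainName=CORP TargetUserName=alice AuthenticationPackageName=NTLM LmPackageName="NTLM V2" IpAddress=10.0.1.15 WorkstationName=WS-OLDXP
EventID=4624 Computer=FS01.corp.example LogonType=3 TargetDomainName="NT AUTHORITY" TargetUserName="ANONYMOUS LOGON" AuthenticationPackageName=NTLM LmPackageName="NTLM V1" IpAddress=198.51.100.7 WorkstationName=
EventID=4625 Computer=FS01.corp.example LogonType=3 TargetDomainName=CORP TargetUserName=carol AuthenticationPackageName=NTLM LmPackageName=- IpAddress=10.0.1.30 WorkstationName=WS30
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Turn the key=value export into a list of dicts (quotes stripped)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return events


def is_rfc1918(ip):
    """True for addresses in the private ranges; False for anything else,
    including the '-' placeholder Windows writes when no address is known."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def summarize_ntlm(events):
    """Count NTLM logons per source host and account, list NTLMv1 logons,
    and flag NTLM arriving from non-private addresses (what an outside
    attacker looks like once TCP 445 is reachable)."""
    report = {
        "ntlm_logons": 0,
        "kerberos_logons": 0,
        "ntlm_v1": [],
        "by_source": Counter(),
        "by_account": Counter(),
        "non_private_sources": set(),
    }
    for ev in events:
        if ev.get("EventID") != "4624":
            continue  # failed logons (4625) are a separate question
        package = ev.get("AuthenticationPackageName")
        if package == "Kerberos":
            report["kerberos_logons"] += 1
        if package != "NTLM":
            continue
        report["ntlm_logons"] += 1
        # Prefer the workstation name; fall back to the IP when it is blank.
        source = ev.get("WorkstationName") or ev.get("IpAddress") or "?"
        account = f'{ev.get("TargetDomainName")}\\{ev.get("TargetUserName")}'
        report["by_source"][source] += 1
        report["by_account"][account] += 1
        if ev.get("LmPackageName") == "NTLM V1":
            report["ntlm_v1"].append((source, account))
        ip = ev.get("IpAddress", "-")
        if ip != "-" and not is_rfc1918(ip):
            report["non_private_sources"].add(ip)
    return report


if __name__ == "__main__":
    r = summarize_ntlm(parse_events(SAMPLE_EVENTS))
    print(f"NTLM logons: {r['ntlm_logons']}  Kerberos logons: {r['kerberos_logons']}")
    print("NTLMv1 (source, account):", r["ntlm_v1"])
    print("Top NTLM sources:", r["by_source"].most_common(3))
    print("NTLM from non-private addresses:", sorted(r["non_private_sources"]))
```

Run against a real export, the by_source and by_account counters are the audit: they tell you which machines and service accounts still depend on NTLM (and so cannot simply have it blocked yet), the ntlm_v1 list tells you which of those are on the weakest variant, and any non-private source is exactly the external exposure that blocking TCP 445 outbound is meant to close.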
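A worked example for the kill chain items in section 3 (tagging events with a stage, then correlating low-priority signals per host). This is an added example, not Flynn's code and not part of any product. The seven stage names are the standard Lockheed Martin kill chain; the tagging rules in TAG_RULES, the "time|host|source|message" log format (what a collector might emit after normalising Snort, proxy, DNS and host-agent records) and the lines in SAMPLE_LOG are all constructed for the illustration.

```python
"""Tag events with kill-chain stages and correlate them per host (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STAGES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}

# Constructed tagging rules: first matching regex wins.  In practice these
# would be built from signature names, proxy categories and host-agent events.
TAG_RULES = [
    (re.compile(r"portscan|nmap|smb enum", re.I), "reconnaissance"),
    (re.compile(r"\.jar download|\.exe download|mail attachment", re.I), "delivery"),
    (re.compile(r"java exploit|blackhole|heap spray", re.I), "exploitation"),
    (re.compile(r"run key added|new service installed", re.I), "installation"),
    (re.compile(r"beacon|known c2|dns txt query", re.I), "command_and_control"),
    (re.compile(r"large outbound|bulk upload", re.I), "actions_on_objectives"),
]

# Constructed sample log: time|host|source|message.
SAMPLE_LOG = """\
2012-07-30T09:02:11|10.0.1.22|snort|ET SCAN Nmap Scripting Engine User-Agent
2012-07-30T09:15:40|10.0.1.15|proxy|GET http://203.0.113.44/q.php?f=12 .jar download
2012-07-30T09:15:52|10.0.1.15|snort|ET CURRENT_EVENTS Blackhole Java exploit request
2012-07-30T09:16:30|10.0.1.15|hostagent|run key added HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
2012-07-30T09:20:05|10.0.1.15|dns|beacon: repeated dns txt query to known c2 domain
2012-07-30T10:00:00|10.0.2.5|proxy|GET http://198.51.100.9/setup.exe .exe download
2012-08-03T10:00:00|10.0.2.5|hostagent|new service installed: svcupdate
2012-07-30T11:00:00|10.0.1.30|snort|INFO outbound HTTP to cloud storage
"""


def tag_stage(message):
    """Return the kill-chain stage a message maps to, or None if it is noise."""
    for pattern, stage in TAG_RULES:
        if pattern.search(message):
            return stage
    return None


def parse_log(text):
    """Split the collector lines and tag each one with its stage."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, source, message = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "source": source, "message": message,
                       "stage": tag_stage(message)})
    return events


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Raise one alert per host whose tagged events cover at least
    `min_stages` distinct stages, in non-decreasing kill-chain order, all
    within `window` of the chain's first event.  Each event on its own
    stays low priority; only the stacked sequence is alerted on."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["stage"] is not None:
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in sorted(by_host.items()):
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):  # try each event as a chain start
            chain = [start]
            for ev in evs[i + 1:]:
                if ev["time"] - start["time"] > window:
                    break
                if STAGE_INDEX[ev["stage"]] >= STAGE_INDEX[chain[-1]["stage"]]:
                    chain.append(ev)
            stages = list(dict.fromkeys(e["stage"] for e in chain))
            if len(stages) >= min_stages:
                alerts.append({"host": host, "stages": stages,
                               "first": chain[0]["time"], "last": chain[-1]["time"],
                               "events": len(chain)})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(parse_log(SAMPLE_LOG)):
        print(f"{a['host']}: {' -> '.join(a['stages'])} "
              f"({a['events']} events, {a['first']} .. {a['last']})")
```

In the sample, the lone Nmap hit on 10.0.1.22 and the untagged proxy line for 10.0.1.30 never become alerts, and the .exe download and service install on 10.0.2.5 are four days apart so they fall outside the window; only 10.0.1.15, which goes delivery, exploitation, installation, command and control in five minutes, produces an alert. The window and min_stages thresholds are the knobs to tune against your own noise level.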
