Black Hat Conference puts spotlight on NAC, Vista and rootkits

The annual Black Hat Conference, which opens July 29 at Caesar’s Palace in Las Vegas, brings together security researchers and vendors in a freewheeling atmosphere aimed at laying bare the risks and vulnerabilities in IT products.

Like Vegas itself, Black Hat is a gamble where anything can happen, and this year will be no exception, with security specialists taking well-aimed shots at two of the industry’s biggest targets: Microsoft’s Vista software and myriad vendors with network access control (NAC) products.

The Security Standard: first of a four-part series

With Vista still in beta, Microsoft, a key sponsor of Black Hat this year, is inviting Black Hat attendees — 3,000 are expected — to identify any security shortcomings they can in the Vista code. In a novel and candid way, Microsoft product managers and engineers will present six sessions on Windows Vista and its security during the conference, challenging anyone there to rip Vista security apart.

Microsoft will find more than enough takers for that challenge.

Joanna Rutkowska, senior security researcher at Singapore-based security firm COSEINC, will demonstrate a new rootkit for Vista during her presentation “Subverting Vista kernel for fun and profit.” A rootkit is software that hides malicious code or computer processes, making it a danger to users.

Called Blue Pill, Rutkowska’s rootkit is based on Advanced Micro Devices’ Storage Virtualization Manager Pacifica’s virtualization technology. She says Blue Pill is undetectable and easily installed, and doesn’t require the perpetrator to exploit a weakness in the underlying operating system.

In addition to demonstrating Blue Pill, Rutkowska will show how it’s possible to circumvent Vista security by loading only digitally signed code into the kernel. “It’s very impressive,” says Marc Maiffret, founder and chief hacking officer at eEye Digital Security, who saw the Blue Pill rootkit and technique for bypassing Vista’s security in Singapore a week ago at the SyScan Conference, where Rutkowska first made them public.

Her bypass technique might not be a flaw Microsoft can fix easily with a software patch, says Maiffret. “It seems to be an architectural problem with Vista,” he says. Rutkowska agrees it’s a design issue and will propose a few ways Microsoft might consider changing Vista to eliminate the security-bypass problem. Vista’s code-signing protection was devised as a way to stop malware, such as kernel rootkits and back doors, from being loaded into the Vista kernel, says Rutkowska, but her Black Hat presentation will show Vista is as vulnerable to the same kernel malware threats as its predecessors.

Although the first version of Blue Pill she developed is for Vista, there’s no reason a Blue Pill couldn’t be made for other operating systems as well, she says. She adds neither she nor her firm will release the code, which could be used for malicious purposes.

Microsoft said it couldn’t comment about Rutkowska, Blue Pill and the Vista security-bypass technique until it has seen her presentation. Black Hat will present other sessions on rootkits, including ones by Greg Hoglund, founder of the, Jamie Butler, CTO at Komoku, and Komoku’s president, William Arbaugh.

Among the other sure-to-be-controversial conference topics: Ofir Arkin, CTO of Insightix, is expected to detail the risks inherent in using the array of NAC products on the market today. NAC is a term now used to describe an array of methods to determine and enforce endpoint security. (Read about what Pitney Bowes is doing with NAC technology.) Cisco and Microsoft are prominent among the scores of companies offering NAC products, and the Trusted Computing Group has devised standards for it.

Arkin’s session at Black Hat, “Bypassing network access control systems,” is expected to cover the “flaws associated with each and every NAC solution” and how “these flaws allow the complete bypass of each and every [NAC] mechanism currently offered in the market,” according to the Black Hat agenda’s description. He says he won’t mention specific NAC products in his talk but will explain the various categories of NAC products and point out potential bypasses, so customers considering buying them will recognize there may be holes to plug. “The purpose of the presentation is to educate people that they need to look better into this market and understand what they are receiving from [NAC] solutions so they can fill the gap they might currently have,” Arkin says.

Insightix itself makes NAC software that Arkin says gets around some of the problems, but he says he will refrain from making a product pitch. Some vendors could see his talk as denigrating the competition while boosting his own fortunes. Cisco, for one, which expects to monitor the Arkin talk, says it’s reserving comment until Arkin’s presentation on Wednesday.

Arkin says he will detail NAC’s inherent problems by discussing the broad categories of technical elements NAC schemes typically use, including DHCP proxies, broadcast listeners, 802.1x and endpoint security assessment. For example, he says he will point out that the DHCP proxies used to enforce network access controls can be bypassed by a network insider issuing a static IP address to a malicious device that wouldn’t have to deal with DHCP, or spoofing the device as a printer, switch or other device likely to be exempt from NAC assessment.

“As long as users understand these solutions are not perfect and take other measures, then I do my job right,” Arkin says.

Learn more about this topic

Juniper hires researcher who highlighted Cisco router flaw


Controversy surrounds Cisco IOS router exploit talk at conference 08/04/05


Furor over Cisco IOS router exploit erupts at Black Hat


Must read: 11 hidden tips and tweaks for Windows 10
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies