Let me start by saying that Vegas Rules!!! And, I am currently up about $10,000. And I have this nice piece of land to sell you. Anyway, the first day of Black Hat was superb, as usual. It retains its title of the best security conference available, if you have to pick just one a year this should be it. I plan on writing at least two more articles on the topics covered but wanted to get out quick summary today for you all. Here was my agenda for today
- Bad Sushi: Beating Phishers at their own game - Excellent session that went into detail on how phishers think, act, and make a profit. Nitesh Dhanjani and Billy Rios (the speakers) showed us how phishers create sites, share info and code, and basically are lazy. I will definitely be blogging on this subject in more detail in the coming days but the highlights were that Phishers are storing their stolen data (credit card numbers, SSNs, ATM cards with Pins, etc) on websites that they have hacked into or on sites like guestbooks. And even worse they are not protecting their stolen data at all from access. No passwords, no encryption, no hardening of the compromised server they are using to store this on, Nothing! This means that all one need do to find this info for themselves is reverse engineer a real phisher’s website, look at their php script, and find out where they are storing the data. Then simply go there and grab the stolen data. Anyone can find an active phishing site by visiting http://www.phishtank.com, a well known site that hosts info on known bad phishing sites, similar to a URL blacklist site. To sell things like credit cards, they showed a site called vipdump where you can buy a stolen US credit card number for $20 each. Vipdump is just one of hundreds of such sites, all of which use some form of anonymous payment system like egold or WU. And in case you didn’t know phishers call their stolen account numbers “dumps”. So one card number is one dump. They went on to talk about skimmers, the phishing community network, code sharing, etc. But I’ll leave that for another blog.
- Leveraging the edge: Abusing SSLVPNs (Michael Zusman) – Michael started his talk by detailing how he was able to purchase a certificate from a major CA with a FQDN of an existing fortune 500 company’s website! How you ask is this possible, well when filling out the request form he simply checked the box that stated that the certificate was not going to be used on the internet and was for internal testing only. Luckily, Michael also stated that most CA’s rejected his requests. But it only takes one CA to spoil the party. What does this mean to you, well picture this: A user has their DNS cache poisoned on their client so that the website (that correlates to the new shiny cert you have) points to a http proxy. During the live demo the proxy used was TSeep Proxy. Not the attacker is in the middle. User goes to the website in question, is proxied through TSeep who hands the user the shiny new cert you have. The users browser looks at the cert and because the FQDN and other fields are perfect and the CA is trusted it never pops up anything, proudly presents the lock icon on the bottom of the page, and is fat, dumb, and happy. So now the MITM proxy forwards all the requests to the real website and back again to the user. Walla!!! The attacker sees everything the user sends or receives from the real website in the clear and neither the client nor the real server have any idea. Scary! The rest of the talk was about ActiveX vulnerabilities that can be exploited on the sslvpn client side of the house. An live exploit was demoed using a non-cisco sslvpn vendor during the session. The Vendor in question has recently posted a patch for it. So more to come on that topic too, mostly because I have to figure out how Cisco’s SSLVPN protects against these attack vectors and get back to you on it.
Well, I am short on time and will have to post later about the other sessions I attended. But real quick here are their titles: The four horsemen of the virtualization security apocalypse, and Malware detection through network flow analysis.
This blog is my own opinion and not that of my employeer