Black Hat: Networked systems are putty in the hands of a good hacker

VoIP security holes, virtualization root kits, botnets, hot topics at conference

By Ellen Messmer, Network World
August 03, 2007 11:30 AM ET

LAS VEGAS -- If Las Vegas is a place to expose all, then that notion worked for the security experts who spent two days here at the Black Hat Conference laying bare the security weaknesses of everything from VoIP to rootkits and cell phones.

For the roughly 3,700 attendees who packed the conference held at Caesars Palace, it was a walk on the wild side as some security practitioners shed their reserve and gloried in the naked truth that the computer systems in use today are pretty much just putty in the hands of a good hacker. At one session, speaker Nick Harbour, senior consultant at security services firm Mandiant, went so far as to educate his audience on how to write better malware.

Being able to find more clever malware that can evade forensics will "make my job more interesting," said Harbour, who gave a presentation titled "Stealth Secrets of the Malware Ninjas." Harbour went on to describe in detail techniques for Live System Anti-Forensics, Windows hook injection mechanisms, Library Injections and more that he assured his listeners could take evasive malware to a new level. "This talk is mostly about evil," he said.

Much in keeping with the theme of Black Hat, where honesty is not the best policy but the only policy, iSec Partners security experts Himanshu Dwivedi and Zane Lackey took the stage to deliver the bad news: VoIP systems based on H.323 and the Inter Asterisk eXchange (IAX) protocols can be fairly easily compromised and brought down.

“There are a lot of known problems with SIP,” said Dwivedi, principal partner at iSec, referring to the VoIP Session Initiation Protocol. “But we are here to say H.323 and IAX are just as bad.”

In case anyone doubts their revelations about how weak authentication and authorization design in H.323 and IAX can let attackers compromise VoIP systems and launch denial-of-service (DoS) attacks, they have made available exploit tools on the iSec Partners Web site to prove their claims.

Returning to Black Hat to take up the theme of virtualization rootkits, Joanna Rutkowska, the noted expert who brought the topic to worldwide attention last year with her virtualization rootkit malware called “Blue Pill,” acknowledged that researchers are getting closer to detecting her creation. At the end of her technical presentation, she announced she was posting Blue Pill — and its nested hypervisor variant New Blue Pill — for general download.

That evoked some concern at Symantec, which had been begging her to share a Blue Pill sample prior to the conference. Symantec, Matasano Security and Root Labs are teaming on a project to detect virtualization malware, and the only virtualized malware they had tested was one they already had in hand: Vitriol, created by researcher Dino Dai Zovi.

“We think it’s actually quite dangerous to release code like that to the public,” said Oliver Friedrichs, director of Symantec’s Security Response division, about the release of Blue Pill. While the stealthy Blue Pill is intended for research purposes only, Symantec anticipates it could quickly become a new attack vector. He said there were no plans to release Vitriol, a similar type of virtualization rootkit.
