BlackHat Europe Review, 0day Patch bogus

Today, I will actually get to covering BlackHat Europe 2008, which came to a close on Friday of last week.  The four day convention consisted of the usual training and briefings from some of the top technical experts in the security field. 

With the increasing frequency of security/hacker conferences, such as BlackHat and Defcon (and every other event that ends in "hat" or "con), there is a greater overlap of "new" research and discoveries.  The repetition of presentations at sequential events, is commonly observed in most scientific fields.

Therefore, many of the talks included repeat performances from this year's BlackHat DC.  Still, most were noteworthy, and deserve mentioning. Billy Rios and Nitesh Dhanjani reproduced their Bad Sushi talk, and I think anything that addresses "beating phishers at their own game" should always be included.  Felix Linder presented his talk on Cisco IOS Forensics again, and if you're not familiar with the work of Recurity Labs, then do so now.  Their Cisco Information Retrieval (CIR) framework for network forensic analysis, is available as a free online service for anyone wishing to dump their crash dumps.  David Hutton repeated his talk on GSM security, which he will need to repeat several more times before I fully understand the cracking of the A5 algorithm.  Is it just a matter of time before my Zfone is compromised?

Additional reruns from BlackHat DC consisted of, Security Failures in Secure Devices, URI Use and Abuse, Side Channel Analysis on Embedded Systems, and the talk on DTrace.  Actually, DTrace is a very cool tool for looking at everything under the kernel hood, as well as RCE.  I'm currently writing an article on DTrace for the InfoSec guys at TechTarget, and it appears that a crippled version comes with OSX, much to the dismay of the USENIX community.  Can someone make a cross-platform version, for those who are not Solaris geeks?

There were some new presentations of notable interest.  Security researchers from Microsoft spoke about LDAP injection attacks, emphasizing, once again, the need for proper input validation with dynamic web apps.  Nick Breese, from Security-Assessment, presented his cryptographically pimped PS3, dubbed "CrackStation".  He uses the vector processing architecture from the PS3, to improve calculation time for password cracking.  While scalar (I'm assuming he meant superscalar?) processing, limits instructions to operate on singular data, vector processing, allows for instruction execution on multiple data sets.  He leveraged this concept, towards number crunching MD5 calculations, demonstrating a three-fold increase in calculation speed.  I'm not sure if he breaks it down to relative MIPS or MOPS ratios, or if he mathematically analyzed time comparisons, per core, or by concurrent threads.  I guess I should read his paper.

The Iron Chef challenge has been blogged about enough, so I'll skip that one.  The topic of fuzzing was discussed in both, Attacking Anti-Virus, by Feng Xue and the Exposing Vulnerabilities in Media Software, by David Thiel.  The former demonstrated the crashing of AV software from filetype fuzzing, whereas the latter, used the fuzzing of codecs and media file formats as exploits (check out iSEC Partners' Fuzzbox and RTPInject)

There were too many interesting presentations to discuss in one sitting, but I will say that I appreciate that Eric Filiol has introduced me to the concept of PDF coding attacks, and am eager to dig into the specs of Mathew Lewis' Biologger.  Although, as an expert on biometric technology (ex-hacker + mechanical engineer + physician = me), I'm sure to have some criticism for the guys at IRM.

Lastly, I will say something controversial, about the most publicized talk from this year's BlackHat Europe, 0-Day Patch Exposing Vendors (In)security Performance, by Stefan Frei, Bernhard Tellenbach, and Bernhard Plattner.  Despite, what appears to be a much welcomed, new security metric, the 0day Patch, and its reflective criticism of Apple Computers, I say it is flawed.  There could be some substance to their concept, although a careful analysis of their paper, reveals inadequate data for their claims.  Aside from my suggestions, of using a spellchecker and some statistical software before publishing scientific findings, I recommend a thorough evaluation of their publication, before its community acceptance.   I'm not afraid of the Zurich ETH (but I am of spiders).

I know that I may be alone on this one, but I'm always happy to publicly refute anything that seeps misinformation.

Disagree with me?   Bring it on to:

Copyright © 2008 IDG Communications, Inc.

The 10 most powerful companies in enterprise networking 2022