Cenzic 232 Patent
Paid Advertising
web application security lab

Blackhat Head’s Up

Blackhat is coming in about a month and a half. Normally I don’t even talk about conferences until a week or so before I arrive, but Blackhat is a bigger event than most and there’s almost always a lot more going on there than the other cons. So, for those who are interested, here’s what I know and here’s what I’ll be attending.

Firstly, although Dan Kaminsky’s speech deoesn’t look like it, I talked with him last night, and he will actually be doing a pretty relevent speech to a lot of the stuff I talk about here, specifically anti-DNS pinning and fingerprinting applications. Definitely worth sitting through, even though I’d love to also see Jon Callas’ speech on traffic anaylsis - so I may have a spy go to that speech to take notes for me.

Of course I’ll be attending Jeremiah Grossman’s talk on Intranet hacking without JS - I maaay also make a special guest appearance during the talk if I can get some demo code together in the next month. No promises. If people really twist my arm I may sign some books too.

If I had to pick one of the two speches that Billy Hoffman will be doing I’d probably chose the one on web worms because I think that is far more cutting edge and new, as only a few web worms have surfaced. Although at the same time as that speech is Ariel Waissbein’s speech on ways to dynamically stop attacks using morphing web applications (a topic near and dear to me). So as a result I’ll probably end up going to Billy’s other talk on Premature Ajax-ultation instead of the worm one. I gotta show my support!

I’ll definitely be going to Widow Snyder’s talk on Making and Breaking the browser. If nothing else it’ll be interesting to hear her take on it. However, I also want to hit Stephen Patton’s power talk on social networking data mining, so I might float back and forth between those two talks.

I’ll probably hit up Scott Stender’s talk on blind security testing instead of David Byrne’s talk on anti-DNS pinning, because I don’t think there’s anything new in that speech, even though it’s definitely on-topic. After that David Coffey’s speech on creating a shoestring application security practice might be fun. I always like doing things on the cheap.

Lastly, if I’m not totally burnt out on Blackhat I’ll probably go to Rohyt Belani’s talk on the difficulty of intranet forensics (another topic near and dear to me because we are getting into more expert witness gigs). Plus I think Rohyt will give a good talk because it’s all anecdotes.

And when the doors close is when the party begins - namely the Breach sponsored OWASC/WASC party. If you haven’t already RSVP’d you may have trouble getting it as I heard 200+ people have already asked to come. I don’t have any idea how they are going to fit that many people into the Shadow Bar, so they may have to end up moving it, or spilling out onto the casino floor. If anyone hears about any other good parties, please let me know. Anyway, it’ll be fun and I hope to see a lot of you there!

9 Responses to “Blackhat Head’s Up”

  1. christ1an Says:

    I’m looking forward to see some pictures or short clips :)

  2. Acidus Says:

    There are some cool people working on the mutation issue. I wish I could have seen Jose Nazario talk at CanSec. Websense and Finjin focus on basic stuff for dropping browser vulns, not true XSS malware. Aviv’s working on VoMM, but I’ve only see some high level “this is what we want to do with it”-style details on blogs. John and I are actually demoing code. Of course RSnake, you already know our techniques because I stole this idea from your diary after that night of drunken debauchery at RSA ;-)

    All joking aside, Source code mutation has been an interest of mine for a while now, and I’m glad the submitting the talk gave me an excuse to finally sit down and accomplish some pretty cool things with it.

    Knowing you, I think you’ll get more out of the worm talk. If you leave unsatisfied, you can punch me in the face.

  3. RSnake Says:

    Can you switch the time of the two of them? That would be the best of both worlds! ;) I’d probably enjoy punching you in the face and all but I think as my present to you guys for getting bought I’ll forgo that one this time around. It’s like your birthday and you didn’t even know it!

  4. RSnake Says:

    It just occurred to me that the primer on anti-DNS pinning comes before the talks on how to do stuff with anti-DNS pinning. Someone wasn’t paying attention while putting together the line-up.

    perl -e ‘print “I must not nitpick\n” foreach(1..100);’

  5. zeno Says:

    Se you in Vegas RSnake, and at the wasc party ;p

  6. SyN/AcK Says:

    Too bad the paper Billy Rios submitted on DNS Pinning wasn’t excepted… I think it would’ve been the most interesting one. In any case, I also look forward to seeing Jeremiah’s talk as the DNS Pinning topic is such a cool area of attack.

  7. webapp developer Says:

    “Blackhat is a bigger event than most”

    Actually cons like Shmoocon and even CCC is vastly bigger.
    They weigh in at several gigabytes per year, because they have realized it’s a new millenium and you can actually take the talks to the listener (internet!) instead of vice versa.

  8. RSnake Says:

    @webapp developer - I didn’t say it was the biggest. But thanks for playing. :)

  9. David Byrne Says:

    Youíre mostly correct that thereís nothing new in my anti-DNS pinning presentation. Anyone familiar with the topic can probably find a better session to attend. The bulk of the talk will be demonstrations: using Firefox to proxy HTTP requests with the XMLHTTPRequest object and proxying any TCP or UDP protocol with LiveConnect. Iíll finish the demo by getting root access on an unpatched internal server, proxied through Firefox. Not completely relevant, but it helps drive the point home.

    However, there are a few small new things Iíll be touching on (at least I think theyíre new):

    The standard method for out-of-band control for JS malware is intentional XSS, a la Backframe (http://www.gnucitizen.org/projects/backframe/). I can imagine scenarios where the XSS could be blocked by some type of filter, although I donít think it comes up very often. Iíll outline two alternatives using cross site image requests or cross site Cascading Style Sheet (XSCSS?) requests.

    Iíll also describe how a Princeton style attack (http://www.cs.princeton.edu/sip/news/dns-scenario.html) is still possible when combined with DNS cache poisoning.

    Iíve also been playing around with anti-DNS pinning and proxy servers, but I donít know how much Iíll have ready to present. At the very least I will show how an improperly deployed proxy server can allow the JVM to connect to any TCP service on the internal network. I doubt that is new, but I havenít seen reference to it.

    David Byrne