web application security lab

Blackhat Pics and Roundup

I’ve been absolutely buried since I got back. Let me try to race through the highlights. Firstly, if you haven’t seen Llana Grossman’s take on the con I suggest you do. It’s pretty funny actually. If you just want to jump to the pics and avoid all the jibber jabber, click here. So where to start?

id and I flew in on Tuesday, managed to find our way to our ghetto hotel (I do not recommend anyone stay at the Imperial Palace - although they do have a good Chinese place on the third floor). I ditched id who had to do work, and found my way over to Jeremiah’s room which vastly outclassed the Imperial Palace.

We all went down and got our badges, and managed to meet up with some Mozilla guys, some more WhiteHat guys and Robert E Lee from Outpost24 for dinner. Mozilla bought sushi for the table, as we talked about breaking the Internet. The speaker party was pretty fun, although I think a lot of people just wanted to bail to get a good night’s sleep. I know I did - we were second in the morning.

The talk went great - it was standing room only, and a few dozen people rushed the stage after it was over to ask questions. It was a really good audience actually. We showed how we could use a lot of the same old tricks we came up with a year ago without using JavaScript. I wanted to get an 0day up and running to explain why I could enumerate files on a Windows box without JS but I couldn’t get the demo working in time. Anyway, what I was able to show is how split VPN tunnels are dangerous. There’s a write-up on a potential (but fairly flawed) mitigation technique here. It’s flawed because it assumes you can block the things that bad guys are going to want to hack (like http://intranet/). To do so would break tons of functionality. But I encourage people to keep thinking about it.

There was another good thought that came out of it here, talking about safe cookies although cookies are only part of the problem. Kerberos, NTLM, basic and digest auth are all huge problems as well. Plus in many cases I don’t need any form of authentication whatsoever - that’s how my demo worked as a matter of fact. So good thought, but it’s a long way from getting us to where we need to be.

After it was over, id and I were having some interesting conversations about some of the other information leakage problems. I’d like to propose that we consider getting plugin manufacturers (NoScript seems like a likely candidate) to add a concept of an intranet zone that prohibits referrers from being sent to Internet zones. Just a thought. It could also work in the browser, but I have a feeling it would break stuff.
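The intranet-zone referrer rule proposed above, sketched as an added example (not code from this post, NoScript or any browser). The names `zoneOf` and `refererFor`, the internal suffix list and the address ranges treated as intranet are all assumptions made for illustration.

```javascript
// Added example: zone-aware Referer suppression. All names and zone rules are assumptions.
// Suffixes a site would configure as internal (constructed values).
const INTERNAL_SUFFIXES = ['.local', '.internal', '.corp.example'];

// Classify a URL hostname as 'intranet' or 'internet'.
function zoneOf(hostname) {
  const host = hostname.toLowerCase().replace(/^\[|\]$/g, '').replace(/\.$/, '');
  const v4 = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const a = Number(v4[1]);
    const b = Number(v4[2]);
    const internal = a === 10 || a === 127 ||      // RFC 1918 10/8, loopback
      (a === 172 && b >= 16 && b <= 31) ||         // RFC 1918 172.16/12
      (a === 192 && b === 168) ||                  // RFC 1918 192.168/16
      (a === 169 && b === 254);                    // link-local
    return internal ? 'intranet' : 'internet';
  }
  if (host.includes(':')) {                        // IPv6 literal
    const internal = host === '::1' ||             // loopback
      /^f[cd][0-9a-f]{2}:/.test(host) ||           // unique local fc00::/7
      /^fe[89ab][0-9a-f]:/.test(host);             // link-local fe80::/10
    return internal ? 'intranet' : 'internet';
  }
  if (!host.includes('.')) return 'intranet';      // single label, e.g. http://intranet/
  return INTERNAL_SUFFIXES.some((s) => host.endsWith(s)) ? 'intranet' : 'internet';
}

// Return the Referer value to send, or null when it must be withheld.
function refererFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  if (zoneOf(from.hostname) === 'intranet' && zoneOf(to.hostname) === 'internet') {
    return null;                                   // never leak intranet URLs outward
  }
  return from.origin + from.pathname + from.search; // no fragment, no userinfo
}
```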

I saw some good speeches - DNS pinning galore. I was actually pretty impressed by Billy Hoffman’s take on detecting DHTML malware. In talking with some hardcore AV guys, I think it’s kinda a lost cause, but it was a good take on a tough problem that not a lot of people have put much thought into.

As I’m sure you saw if you read my last post, we spent quite a bit of time talking with the Mozilla guys. They were much more interested in talking about Content Restrictions (if you’re unfamiliar with it, it’s basically a way to programmatically tell the browser not to trust your site - a concept I came up with 4 years ago and asked Mozilla to implement). They did, however, ask me to come up with a few good things to implement. I’ll start another post on this in the next day or two when I collect my thoughts on the most valuable portions of that.

I hung out quite a bit with Dinis Cruz and a number of the other high level OWASP guys. I’ll probably end up doing a few OWASP talks and maybe a whitepaper or two with Dinis, but that’s gotta wait for some of the other stuff to settle down. The Microsoft party was a lot of fun - they got the entire top floor of Pure. I met a lot of interesting people and probably will be working on some interesting projects there. Btw, they also mentioned us on their security researcher thank you page for some of the vulns we’ve disclosed to them.

I also met Lance James (author of the anti-phishing book) for the first time. We’ve exchanged lots of emails and both belonged to APWG, but it was good to put a face to a name. Likewise, Portswigger (who built Burp Proxy) and I had a good long talk. Hopefully there is a lot more being built into the tool in the not too distant future. Rain Forest Puppy and I chatted a bit about disclosure stuff. I think there may be more coming there in the not too distant future. Lots to be done!

Anyway, I came back with a fistful of business cards, about 200 urgent emails, three new tricks, four new things to research and a ruined liver. All in all, it was a great time. More follow-ups to come.

13 Responses to “Blackhat Pics and Roundup”

  1. Anurag Says:

    I just want everyone reading this post to know that rsnake is the biggest prankster that you will ever meet. There is a devil behind that innocent face. please be very careful when you are around him. He almost got me twice. :)

  2. Spyware Says:

    Grats on the talk, and the whole thing in general! Are there any videos available?

    Anyway, thanks for the blog! Not everyone sacrifices a full liver for their blog. You’re dedicated.

  3. RSnake Says:

    @Anurag - what do you mean “almost”?

    @Spyware - I hereby donate my liver to the hundreds of drinkathons I will attend in my life, for the greater good of internet security. ;)

  4. Ryan Says:

    Do you still have that card Anurag? Drop me an email if you still have it………….:)

  5. Jeremiah Grossman Says:

    It’s not RSnake that you have to look out for, it’s Arian. :)

  6. hackathology Says:

    Nice event to both Rsnake and Jeremiah

  7. Billy Hoffman Says:

    Wow! And here I thought I was working for HP, but apparently I work for WhiteHat! Well, at least until Arian fixes the glitch.

  8. Ronald van den Heetkamp Says:

    Ah the conspiracy unfolds Billy… finally the truth you Whitehat! :)

  9. David Jacoby Says:

    rsnake is a little prankster, I taught him everything he knows :)

  10. anathema Says:

    Glad to hear that RFP is still about, I’ve not heard anything from him in ages. (another scene great).

  11. Thierry Zoller Says:

    Split tunnel? Euhm, get your routes in shape. You’re not supposed to route directly to the internet when you have a VPN connection. A concept known for well a decade?

  12. RSnake Says:

    Completely agree, Thierry - but you’d be surprised how many people don’t get the risks! People haven’t gotten the memo yet.

  13. MustLive Says:

    Nice photos - yours and Llana’s pics too ;-).

    It was fun as I see.