Welcome to the first blog post that I've ever written on an iPad in a casino, thanks to a delayed flight.
Day Two of Blackhat once again had far too many overlapping presentations so I was forced to skip a few that I would have liked to attend. For the most part, I chose to stick with some proven talent that I knew would keep me entertained.
Robert Hansen
Josh Sokol
HTTPS can Byte Me
RSnake and Josh chose to tackle a component of the web that I've always believed is misunderstood by the general web population - HTTPS. They went through a laundry list of ways that HTTPS can be abused, not so much because the technology is flawed but because users implicitly trust the browser's padlock and assume that it is a silver bullet for security on the web. For me, the most interesting part of the talk dealt with passively monitoring encrypted traffic to gain insight into what a user is doing, even without seeing the decrypted traffic: TLS hides the payload, but not packet sizes, direction or timing. For example, by monitoring packet sizes you can tell POST requests from GET requests. A POST generally produces more egress bytes, because content is being sent to the server, while a GET typically produces more ingress bytes. The timing of packets also reveals information, with frequent small requests suggesting AJAX traffic. Combine this with prior reconnaissance of the site being visited (recording the size and timing signature of each page and action) and a passive attacker may be able to determine with reasonable confidence where you were on a web site and what you were doing - all without access to the decrypted traffic. RSnake and Josh admitted that another group had already gone public with similar research but I certainly feel that it's a topic worthy of more investigation.
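To make the size and timing heuristics concrete, here is an added example of my own (not code from the talk or its authors): it groups a constructed HTTPS capture into request/response exchanges using only direction, payload size and timing, labels each exchange GET-like or POST-like by byte asymmetry, and flags runs of small, closely spaced exchanges as likely XHR polling. The idle-gap and size thresholds are assumptions chosen for the demo, not measured values, and the sample packets are constructed rather than captured.

```python
"""Passive traffic-analysis heuristics over an encrypted (HTTPS) flow.
Only packet direction, payload size and timing are used; nothing is decrypted.
Thresholds below are assumptions chosen for this demo, not measured values."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    outbound: bool   # True for client -> server
    size: int        # TLS record (TCP payload) bytes; pure ACKs are not modelled


IDLE_GAP = 0.5  # seconds of silence that separate two request/response exchanges (assumed)


def split_exchanges(packets):
    """Group packets into request/response exchanges.

    A new exchange starts at an outbound packet that follows at least IDLE_GAP
    seconds of silence; everything up to the next such packet belongs to it."""
    exchanges, current, last_ts = [], [], None
    for p in sorted(packets, key=lambda p: p.ts):
        if current and p.outbound and p.ts - last_ts >= IDLE_GAP:
            exchanges.append(current)
            current = []
        current.append(p)
        last_ts = p.ts
    if current:
        exchanges.append(current)
    return exchanges


def classify_exchange(exchange):
    """Label one exchange by byte asymmetry: a GET is a few hundred bytes of
    headers out and a larger document in; a POST carrying form data or an
    upload pushes more bytes out than it gets back."""
    out_bytes = sum(p.size for p in exchange if p.outbound)
    in_bytes = sum(p.size for p in exchange if not p.outbound)
    return {
        "start": exchange[0].ts,
        "out": out_bytes,
        "in": in_bytes,
        "label": "POST-like" if out_bytes > in_bytes else "GET-like",
    }


def polling_runs(summaries, min_run=3, max_interval=5.0, max_bytes=4096):
    """Find runs of >= min_run consecutive small exchanges spaced no more than
    max_interval seconds apart: the signature of XHR polling rather than page loads."""
    runs, run = [], []
    for s in summaries:
        small = s["in"] <= max_bytes and s["out"] <= max_bytes
        close = bool(run) and s["start"] - run[-1]["start"] <= max_interval
        if small and (not run or close):
            run.append(s)
        else:
            if len(run) >= min_run:
                runs.append(run)
            run = [s] if small else []
    if len(run) >= min_run:
        runs.append(run)
    return runs


def analyse(packets):
    summaries = [classify_exchange(e) for e in split_exchanges(packets)]
    return {"exchanges": summaries, "polling_runs": polling_runs(summaries)}


def sample_capture():
    """Constructed capture, not real traffic: a GET-like page load, then a
    POST-like upload, then five small XHR-style polls one second apart."""
    pkts = [Packet(0.00, True, 420)]                                   # request headers out
    pkts += [Packet(0.05 + i * 0.01, False, 1400) for i in range(6)]  # 8400 bytes of page in
    pkts += [Packet(2.00 + i * 0.01, True, 1400) for i in range(5)]   # 7000-byte upload out
    pkts += [Packet(2.10, False, 300)]                                 # short response in
    for k in range(5):                                                 # polls at t = 4..8 s
        t = 4.0 + k
        pkts += [Packet(t, True, 380), Packet(t + 0.03, False, 640)]
    return pkts


if __name__ == "__main__":
    result = analyse(sample_capture())
    for s in result["exchanges"]:
        print(f"t={s['start']:5.2f}s out={s['out']:5d} in={s['in']:5d} {s['label']}")
    for run in result["polling_runs"]:
        print(f"XHR-like polling: {len(run)} exchanges from t={run[0]['start']:.2f}s")
```

Against the constructed capture this yields one GET-like load, one POST-like upload and a five-exchange polling run. The same per-exchange (out, in, timing) tuples are what site reconnaissance would record ahead of time, so that a live flow can be matched against known pages and actions.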
FX
Blitzableiter - The Release
FX, a longtime Blackhat speaker, released Blitzableiter (German for lightning rod), a tool designed to protect against malicious Adobe Flash files. Rather than take the approach of AV vendors and use a library of signatures to identify malicious content within a Flash file, FX has chosen instead to parse the Flash binary and verify that the file is well formed, looking for undocumented tags and length values that do not match the data they contain. Blitzableiter is a command line tool written in C# which can be integrated with NoScript to provide in-line protection while browsing online.
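As an added example of the structural approach described above (my own illustration, not Blitzableiter's code), the parser below walks the SWF tag stream and reports undocumented tag codes, declared lengths that overrun the file or disagree with fixed-size tags, negative long-form lengths and a missing End tag. It assumes the SWF header and any CWS/ZWS decompression have already been handled, the set of documented tag codes is transcribed from Adobe's SWF specification and should be treated as an assumption, and the two sample streams are constructed for the demo.

```python
"""Structural checks on the SWF tag stream, in the spirit of parsing a Flash file
for well-formedness instead of matching signatures. Only the tag records are
handled; the SWF header (signature, version, RECT, frame rate/count) and CWS/ZWS
decompression are assumed to have been dealt with already."""
import struct

# Tag codes documented in Adobe's SWF file format specification (transcribed
# here; treat the set as an assumption). Anything else is an undocumented tag.
DOCUMENTED_TAGS = {
    0, 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 17, 18, 19, 20, 21, 22,
    23, 24, 26, 28, 32, 33, 34, 35, 36, 37, 39, 41, 43, 45, 46, 48, 56, 57, 58,
    59, 60, 61, 62, 63, 64, 65, 66, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 82,
    83, 84, 86, 87, 88, 89, 90, 91, 93,
}
# Tags whose body size is fixed by the spec: End, ShowFrame, SetBackgroundColor, FileAttributes.
FIXED_LENGTH = {0: 0, 1: 0, 9: 3, 69: 4}


def parse_tags(data):
    """Walk the tag records in `data`; return (tags, findings).

    A RECORDHEADER is a little-endian u16 with the tag code in the top 10 bits and
    the length in the low 6 bits; a length of 0x3F means a signed 32-bit length follows."""
    tags, findings = [], []
    pos, saw_end = 0, False
    while pos < len(data):
        if pos + 2 > len(data):
            findings.append(f"offset {pos}: truncated tag header")
            break
        (hdr,) = struct.unpack_from("<H", data, pos)
        code, length, hdr_len = hdr >> 6, hdr & 0x3F, 2
        if length == 0x3F:
            if pos + 6 > len(data):
                findings.append(f"offset {pos}: truncated long-form header for tag {code}")
                break
            (length,) = struct.unpack_from("<i", data, pos + 2)
            hdr_len = 6
        if length < 0:
            findings.append(f"offset {pos}: negative length {length} for tag {code}")
            break
        body_start = pos + hdr_len
        remaining = len(data) - body_start
        if length > remaining:
            findings.append(f"offset {pos}: tag {code} declares {length} bytes but only {remaining} remain")
            break
        if code not in DOCUMENTED_TAGS:
            findings.append(f"offset {pos}: undocumented tag code {code}")
        if code in FIXED_LENGTH and length != FIXED_LENGTH[code]:
            findings.append(f"offset {pos}: tag {code} must be {FIXED_LENGTH[code]} bytes, header says {length}")
        tags.append((code, data[body_start:body_start + length]))
        pos = body_start + length
        if code == 0:
            saw_end = True
            if pos != len(data):
                findings.append(f"{len(data) - pos} trailing bytes after End tag")
            break
    if not saw_end:
        findings.append("no End tag")
    return tags, findings


def make_tag(code, body):
    """Serialize one tag record, using the long form when the body needs it."""
    if len(body) < 0x3F:
        return struct.pack("<H", (code << 6) | len(body)) + body
    return struct.pack("<Hi", (code << 6) | 0x3F, len(body)) + body


def sample_good():
    """Constructed, well-formed tag stream: FileAttributes, SetBackgroundColor, ShowFrame, End."""
    return (make_tag(69, b"\x08\x00\x00\x00") + make_tag(9, b"\xff\xff\xff")
            + make_tag(1, b"") + make_tag(0, b""))


def sample_bad():
    """Constructed stream with three defects: a 5-byte SetBackgroundColor, an
    undocumented tag 255, and a DoAction whose long-form length overruns the data."""
    return (make_tag(69, b"\x08\x00\x00\x00") + make_tag(9, b"\x00" * 5)
            + make_tag(255, b"\x00")
            + struct.pack("<Hi", (12 << 6) | 0x3F, 1000) + b"\x00\x00")


if __name__ == "__main__":
    for name, stream in (("good", sample_good()), ("bad", sample_bad())):
        tags, findings = parse_tags(stream)
        print(f"{name}: {len(tags)} tags parsed, {len(findings)} findings")
        for f in findings:
            print("  -", f)
```

A file that produces any finding is simply refused, which is the point of the approach: no signature is needed to reject a Flash file whose structure the player could not have been meant to accept. Tags with internal length fields (DefineSprite's nested tag list, for instance) would need the same check recursively; the fixed-size tags above are the simplest case.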
Samy Kamkar
How I Met Your Girlfriend
Samy Kamkar, for those not familiar, gained fame for writing an XSS-based MySpace worm when the Feds failed to appreciate his great sense of humor. What I love about Samy is that he's not a security guy per se, but rather a talented developer, intrigued by security. He delivered the funniest talk of the show and I found myself regularly laughing out loud throughout. The premise of his talk - detailing a variety of web based hacking techniques told through a story of how Samy might attack Robert 'RSnake' Hansen in order to steal his 'girlfriend'. Techniques that he discussed:
- How to reduce entropy in PHP in order to more reliably predict session cookie values
- Cross-Protocol Scripting (XPS)
- NAT Pinning
- XXXSS (aka 'Triple X-SS') - Samy's term for a series of attacks leveraging XSS to inject JavaScript ultimately designed to use Google's geolocation data to determine a victim's physical location
Rob Ragan
Francis Bacon
Lord of the Bing
Johnny Long's indispensable Google Hacking Database sadly hasn't been well maintained since it was first released years ago - fortunately, Rob and Francis have not only resurrected it from the dead, they've taken it to the next level and added Bing hacking to the mix. They discussed a variety of free tools that will be released, built around Google Diggity and Bing Diggity, two platforms that automate Google/Bing hacking and provide a repository for current and future hacking queries.
That's it for Blackhat 2010 - see you next year.
- michael