White Hat Hacker

"There is no security in this life, only opportunity" -- Gen Douglas MacArthur 

Xinwen Fu - One Cell is Enough to Break Tor's Anonymity

It seems every Black Hat has a talk about Tor. And every talk ends with a Q&A during which various defenders of Tor state that this isn't a new problem: it's already been addressed or mitigated, or it's just part of the design.
 
He stepped through how a Tor connection is made and torn down, covering each message (called a cell in Tor) that is sent.
 
Then he presented his research showing how easily someone who controls both the entry and exit node can identify the circuit, breaking the anonymity.
 
He also showed that by providing free Tor nodes (it's volunteer driven so they won't turn you away) an attacker can increase the chances of holding both the entry and exit node. His research indicates that control of 9% of the routers will result in tracking 60% of the circuits. Small investment with a big return.


Paul Wouters - Defending Your DNS in a Post-Kaminsky World

Paul started with a discussion of the Kaminsky bug, then described how this is being used.
 
He addressed some of the issues with hotspots that capture DNS to provide the login page, and how these mini-DNS servers have software faults as well.
 
A good overview of DNSSEC and some of the confusing parts.
 
He runs a signed DNS server that people can test against.


Prajakta Jagdale - Blinded by Flash: Widespread Security Risks Flash Developers Don't See

This was also presented at ShmooCon a few weeks earlier.
 
She is one of four developers at HP working on an internal tool, SWFScan. She did not know whether it would become a commercial product, be released as open source, or stay internal. That seems odd, since it must be running $1M annually.
 
Good overview of many Flash vulnerabilities and poor practices by code generation tools.


Dan Kaminsky - DNS 2008 and the New (old) Nature of Critical Infrastructure

His Summary: "DNS is thus the cause of security issues and our inability to scalably fix them"
 
He discussed the Metasploit bailiwicked_host module and why bailiwicked_domain is more effective, how attacks against targets behind the firewall can use mail servers, and the challenges of federation and why everyone is using DNS.
 
He wrapped up by discussing DNSSEC, which he supports but is not enthusiastic about.


William Kimball - Emulation-based Software Protection Providing Encrypted Code Execution and Page Granularity Code Signing

Excellent overview of the evolution of anti-debugging and anti-reverse-engineering techniques, stepping through the protections and the attacks against them.
 
He then discussed his emulation sandboxing research, part of his PhD program at AFIT.
 
The project is open source, available as SecureQEMU on SourceForge.
 
Selected portions of code are encrypted. From the guest OS's point of view the code remains encrypted, even during execution; the emulator in the host OS decrypts it as it executes.
 
Because decryption and execution happen in the trusted, out-of-band host OS, the guest OS does not need to be trusted as much.
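To make the execution model above concrete, here is a toy host-side emulator written for this post; it is an added illustration, not SecureQEMU's code. It assumes a 16-byte page, a four-instruction bytecode, HMAC-SHA256 standing in for a real cipher and for the page signature, and a key that only the host holds. Protected pages sit in guest memory as ciphertext; the host verifies a page's signature and decrypts it into host-private memory before fetching from it, so a guest-side dump never sees plaintext and a modified page is refused.

```python
import hashlib
import hmac
import os

PAGE = 16  # toy page size in bytes

# Toy instruction set: one opcode byte, optional one-byte operand.
OP_HALT, OP_LOAD, OP_ADD, OP_JMP = 0x00, 0x01, 0x02, 0x03


def _keystream(key, page_no, length):
    """HMAC-SHA256 in counter mode as a toy per-page stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = page_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(key, page_no, ciphertext):
    """Page signature: MAC over page number and ciphertext (encrypt-then-MAC)."""
    return hmac.new(key, page_no.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()


def protect_page(key, page_no, plaintext):
    """Encrypt one code page and sign it; returns (ciphertext, tag)."""
    assert len(plaintext) == PAGE
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, page_no, PAGE)))
    return ct, _tag(key, page_no, ct)


class HostEmulator:
    """Runs guest code; protected pages are decrypted into host-private memory only."""

    def __init__(self, key, guest_mem, signatures):
        self.key = key
        self.mem = guest_mem       # guest-visible memory; protected pages stay ciphertext
        self.sigs = signatures     # page_no -> tag, held by the host, never by the guest
        self._plain = {}           # host-side cache of verified, decrypted pages
        self.acc = 0

    def _fetch(self, addr):
        page_no, off = divmod(addr, PAGE)
        if page_no not in self.sigs:       # ordinary page: read guest memory directly
            return self.mem[addr]
        if page_no not in self._plain:
            ct = bytes(self.mem[page_no * PAGE:(page_no + 1) * PAGE])
            if not hmac.compare_digest(_tag(self.key, page_no, ct), self.sigs[page_no]):
                raise RuntimeError(f"page {page_no}: signature check failed, refusing to execute")
            ks = _keystream(self.key, page_no, PAGE)
            self._plain[page_no] = bytes(a ^ b for a, b in zip(ct, ks))
        return self._plain[page_no][off]

    def guest_write(self, addr, value):
        """Guest store; writing into a protected page forces re-verification on next fetch."""
        self.mem[addr] = value
        self._plain.pop(addr // PAGE, None)

    def run(self, pc=0, max_steps=1000):
        for _ in range(max_steps):
            op = self._fetch(pc)
            if op == OP_HALT:
                return self.acc
            if op == OP_LOAD:
                self.acc = self._fetch(pc + 1)
                pc += 2
            elif op == OP_ADD:
                self.acc = (self.acc + self._fetch(pc + 1)) & 0xFF
                pc += 2
            elif op == OP_JMP:
                pc = self._fetch(pc + 1)
            else:
                raise RuntimeError(f"bad opcode {op:#x} at {pc}")
        raise RuntimeError("step limit exceeded")


def build_guest(key):
    """Constructed two-page image: page 0 in the clear, page 1 encrypted and signed."""
    page0 = bytes([OP_LOAD, 5, OP_JMP, PAGE]).ljust(PAGE, bytes([OP_HALT]))
    page1 = bytes([OP_ADD, 37, OP_HALT]).ljust(PAGE, bytes([OP_HALT]))
    ct, tag = protect_page(key, 1, page1)
    return bytearray(page0 + ct), {1: tag}, page1


def demo():
    key = os.urandom(32)                    # host-only key; never present in guest memory
    mem, sigs, page1_plain = build_guest(key)
    result = HostEmulator(key, mem, sigs).run()          # computes 5 + 37
    guest_view = bytes(mem[PAGE:2 * PAGE])               # what a guest-side debugger dumps
    # A guest-level modification of one protected byte must be caught before execution.
    tampered = HostEmulator(key, bytearray(mem), sigs)
    tampered.guest_write(PAGE + 1, mem[PAGE + 1] ^ 0xFF)
    try:
        tampered.run()
        detected = False
    except RuntimeError:
        detected = True
    return {"result": result,
            "guest_sees_ciphertext": guest_view != page1_plain,
            "tamper_detected": detected}
```

The point of the split is where the plaintext lives: only in `_plain`, a host-side structure the guest cannot address. Page-granularity signing means a single corrupted page is refused without affecting the unprotected pages around it.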
 
It's still research: it works now, but more effort is needed before it's finished.


Joanna Rutkowska & Rafal Wojtczuk - Attacking Intel Trusted Execution Technology

A follow-on to their talk at Black Hat USA, extending that research with additional implementation bugs and design bugs.
 
Good discussion of the TPM chip and how this is being used for trusted boot.
 
They had desoldered the memory chip on the motherboard, but did not use this approach; instead they used the Q35 chipset bug to gain read/write access to SMM.
 
Details about their new bug (CERT #127284) will be released at Black Hat USA.


Vincenzo Iozzo - Let Your Mach-O Fly

Good overview of how executables on Mac OS are launched.
 
He demonstrated a tool that leverages this to run an arbitrary executable.
 
On the client he ran a listener which opened a port and waited for a binary.
 
On the attack machine he sent the modified binary which the listener executed.
 
The result is a binary running without leaving a trace on the hard disk and without the kernel being aware of it.
 
Should be interesting to play with.


Moxie Marlinspike - New Techniques for Defeating SSL in Practice

Moxie released sslsniff in 2002, which enabled attackers to execute a Man in the Middle attack against an SSL session.

Now, seven years later, he's releasing sslstrip at http://www.thoughtcrime.org/software/sslstrip/index.html to update and extend these attacks, even though the original tool is still very effective.

The issue is with the implementations of SSL and specifically how it is used for web sites.

His summary was that a lot of security depends on SSL, but SSL depends on HTTP, which is not secure. Note that this refers to the use of SSL for HTTPS, not the SSL protocol itself; that has issues of its own, but it does not depend on HTTP.
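The dependency he describes can be checked from the defender's side: the weak spot is every place where a response delivered over plain HTTP is what steers the user to HTTPS, because that is the hop an attacker on the path can rewrite. The following checker is an added example written for this post, not code from the talk or from sslstrip; the URLs and HTML are constructed samples, and it only inspects a response you already have, it does not fetch anything.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _TargetCollector(HTMLParser):
    """Collects the URL-bearing attributes a downgrade on the cleartext hop could rewrite."""
    WANTED = {"a": "href", "form": "action", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (tag, url as written in the page)

    def handle_starttag(self, tag, attrs):
        attr = self.WANTED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.targets.append((tag, value))


def assess_http_response(page_url, status, headers, body):
    """Findings for one response to a plain-HTTP request.

    Each finding is (kind, tag_or_header, https_url). A page served over
    https gets no findings: the weakness is the cleartext hop, not the link.
    """
    findings = []
    if urlsplit(page_url).scheme != "http":
        return findings
    # Case 1: the cleartext response is itself the redirect to HTTPS.
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if status in (301, 302, 303, 307, 308) and location:
        target = urljoin(page_url, location)
        if urlsplit(target).scheme == "https":
            findings.append(("redirect-to-https", "Location", target))
    # Case 2: the cleartext page carries links, forms or scripts pointing at HTTPS.
    collector = _TargetCollector()
    collector.feed(body)
    for tag, value in collector.targets:
        absolute = urljoin(page_url, value)
        if urlsplit(absolute).scheme == "https":
            kind = "form-to-https" if tag == "form" else "link-to-https"
            findings.append((kind, tag, absolute))
    return findings


# Constructed sample: a bank front page answered over plain HTTP.
SAMPLE_URL = "http://bank.example/"
SAMPLE_HTML = """<html><body>
<a href="https://bank.example/login">Log in</a>
<a href="/about">About us</a>
<form action="https://bank.example/login" method="post"><input name="user"></form>
<script src="https://cdn.example/app.js"></script>
</body></html>"""


def demo():
    return assess_http_response(SAMPLE_URL, 200, {"Content-Type": "text/html"}, SAMPLE_HTML)
```

Every finding is a spot where the only thing protecting the transition to HTTPS is a response that arrived unauthenticated. The remedy is on the server side: the page that carries the login link or form has to be served over HTTPS too, so that there is no cleartext step for the user to be steered away from.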

During the Q&A he said DNSSEC might help, but so far there is no solution. Two other talks at the conference focused on DNS and spent a lot of time discussing DNSSEC.

Several news sources have picked up on his talk so we'll hear more about this.

His sites are http://thoughtcrime.org and http://blueanarchy.org. The paper behind his talk should be at

https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

His slides should appear at https://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html

He stated up front that he has a lot of techniques but was only releasing some of his older ones.


Black Hat DC 2009 Conference Sessions

Sessions attended at Black Hat DC on Wednesday, 18 FEB 09

"New Techniques for Defeating SSL in Practice" -- Moxie Marlinspike

"Let Your Mach-O Fly" -- Vincenzo Iozzo

"Attacking Intel Trusted Execution Technology" -- Joanna Rutkowska and Rafal Wojtczuk

"Emulation-based Software Protection Providing Encrypted Code Execution and Page Granularity Code Signing" -- William Kimball

Sessions attended on Thursday, 19 FEB 09

"DNS 2008 and the New (old) Nature of Critical Infrastructure" -- Dan Kaminsky

"Blinded by Flash: Widespread Security Risks Flash Developers Don't See" -- Prajakta Jagdale

"Defending Your DNS in a Post-Kaminsky World" -- Paul Wouters

"One Cell is Enough to Break Tor's Anonymity" -- Xinwen Fu

Updated presentations at https://www.blackhat.com/html/bh-dc-09/bh-dc-09-archives.html


Nathan Hamiel & Shawn Moyer - Fail 2.0: Further Musings on Attacking Social Networks

From a talk on insecurity in social networking sites, presented at ShmooCon 2009.

Summary: Security is not a priority. These sites have many attack vectors.

Slides and a description of the talk are online.
