This blog reflects the thoughts and views of me alone. Not my employer.
It's mostly just news and what I have learned on my travels through the interwebs.
Thursday, December 15, 2011
Black Hat Abu Dhabi Recap
(Photo: the 'front door')
As my first visit to the Middle East draws to a close, I figured I would write down my thoughts on the talks presented at BH Abu Dhabi before the hustle and bustle of the holiday season. It's hard to think about Christmas when you are basking in beautiful 70 degree weather....
So the venue (the Emirates Palace) is absolutely amazing. It is just gigantic, and the staff will bend over backwards to get you what you need, be it AV cables or just more watermelon juice. The food was amazing beyond belief and very plentiful. I didn't miss pork too much :)
Anyway, on to the talks:
General Hayden was the keynote speaker. He discussed the ever-hard-to-distinguish line between security and privacy in our digital world, and how US Government agencies have now come to accept that they are hacked and focus on managing egress out of the network. He also talked about the power of online communication, from both a good and a bad perspective.
I am not sure I agree with the whole 'accepting we are hacked' thing; being a security person, I find it utterly depressing. Although I do agree we need to be realistic, we can't just give up entirely on defending our perimeters and retreat further inside the network. Security in depth is crucial here, and we need to start worrying not only about traffic coming in, but about traffic going out. How do we detect exfil? How can we make traversal inside our network more difficult for our attacker? If our hacker friends pop one box that's a shame, but if they are not allowed vertical or horizontal traversal on the network it greatly limits the fruits of their labor. Why not have an IDS sitting within your network perimeter monitoring internal traffic? Why would you allow desktops to have trust relationships with other desktops if it is not necessary? Just limit trust relationships to the servers they need access to, and closely monitor those. VLANs are also an idea here. I know all of these have flaws, but again, it's the layered model approach to contain attackers and limit the information they can receive.
(Photo: traditional Arabic food... amazing!)
Given that he has been director of both the CIA and the NSA, I am pretty sure Gen. Hayden knows a lot more about the reasoning behind many of the topics he discussed, even touching on Stuxnet and CNA/CNE. Did you know most people think America is the most dangerous in terms of hacking (not China or Russia)? The opinion poll? Americans. That's kind of surreal.
Insulin Pump Hacks
Barnaby Jack of McAfee gave a talk about hardware hacking insulin pumps, describing the steps needed to gain access to the hardware and assembly code. Hint: it is not just plugging in a USB cable. Apparently insulin pumps have RF capabilities, and Barnaby was able to create an exploit that would reveal the device's unique serial number and then allow him either to dispense insulin or to suspend the device completely, without any notification to the user; he then showed a demo of this. Dispensing too much insulin to a person can be lethal, so the implications become quite clear. It seems like something out of Jason Bourne, but given enough resources and dedication, Barnaby shows the threat is real. He then mentioned this could be patched via another vulnerability he found... great.
Framework Level Security Profiling & Monitoring
Trustwave demoed a framework for catching the subtle web hacks. In general many web hacks are easy to spot: you see the attacker doing recon with some tool, traversing to the vulnerable page, uploading an exploit, and then heading back to retrieve their payload (in this case login credentials for users). However, what if they use Google for their reconnaissance, use different IPs to make it difficult to trace, and pad the injected PHP files with fake data so they simply look normal (and not like a password file getting larger and larger)? Their proof of concept framework FLSPM tries to address this issue.
Vivek R. of SecurityTube fame also gave a two hour lecture on WiFi hacking. He mentioned how WPA Enterprise can actually be easier to hack if the expected server names for the enterprise authentication servers are not configured on the clients. If this is the case, the hacker simply needs a valid certificate to present to the users; it doesn't matter what the server name is. No warnings or anything, as it met the criteria set by the system administrators. Oops.
Did you know you can use Windows 7 as a wireless AP even while you are yourself a client on a wireless network? This has been around for a while; it just has not been highly publicized or discussed. What are the implications? Well, besides being super convenient for road warriors, it also has serious security implications. Windows does not inform you about this new AP (you can see it if you click on the network icon in the task bar, but how many users do that?), nor does it tell you when people connect to it. Rogue APs, anyone? Can one create a PDF whose payload is a simple little batch file setting up this AP network? (At least you need admin privileges, but that's not a reassuring defense at all, especially if the carrier file is a malicious PDF which can probably gain admin rights anyway.)
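An added example, not from the post or from Vivek's talk: a PowerShell audit that exports each saved Windows WLAN profile and flags PEAP profiles that do not pin the expected server names, which is exactly the client misconfiguration described above. It assumes netsh.exe on the PATH, an elevated prompt, and the ServerValidation / ServerNames / TrustedRootCA element names from the Windows PEAP profile schema (matched by local name, so the XML namespace does not matter).

```powershell
# Added example (not the post's own commands): find saved Wi-Fi profiles whose
# PEAP settings name no authentication server, so any certificate chaining to
# a trusted CA would be accepted. Assumes netsh.exe on PATH, an elevated prompt,
# and the ServerValidation/ServerNames/TrustedRootCA elements of the Windows
# PEAP profile schema (matched with local-name(), namespace-agnostic).

function Get-WlanProfileNames {
    # netsh prints "All User Profile     : <name>" (or "Current User Profile")
    $out = netsh wlan show profiles | Out-String
    foreach ($line in ($out -split "`r?`n")) {
        if ($line -match '^\s*(All|Current) User Profile\s*:\s*(.+?)\s*$') { $Matches[2] }
    }
}

function Test-WlanProfileServerValidation {
    param(
        [Parameter(Mandatory=$true)][string]$ProfileName,
        [string]$ExportDir = (Join-Path $env:TEMP 'wlan-audit')
    )
    New-Item -ItemType Directory -Force -Path $ExportDir | Out-Null
    # Export without key=clear: only the EAP settings are needed, not the passphrase.
    netsh wlan export profile name="$ProfileName" folder="$ExportDir" | Out-Null
    $file = Get-ChildItem -Path $ExportDir -Filter '*.xml' |
            Sort-Object LastWriteTime -Descending | Select-Object -First 1
    [xml]$doc = Get-Content -Path $file.FullName

    $sv = $doc.SelectSingleNode("//*[local-name()='ServerValidation']")
    if ($null -eq $sv) {
        # No EAP server-validation block: PSK/open network, not WPA Enterprise.
        return [pscustomobject]@{ Profile = $ProfileName; Enterprise = $false; Finding = 'n/a' }
    }
    $namesNode = $sv.SelectSingleNode("*[local-name()='ServerNames']")
    $names     = if ($namesNode) { $namesNode.InnerText.Trim() } else { '' }
    $caCount   = $sv.SelectNodes("*[local-name()='TrustedRootCA']").Count

    $finding = 'OK'
    if ($names -eq '') {
        $finding = 'ServerNames empty: any cert chaining to a trusted CA is accepted'
    } elseif ($caCount -eq 0) {
        $finding = 'no TrustedRootCA pinned: any public CA could issue a matching cert'
    }
    [pscustomobject]@{ Profile = $ProfileName; Enterprise = $true; ServerNames = $names;
                       TrustedRootCAs = $caCount; Finding = $finding }
}

Get-WlanProfileNames | ForEach-Object { Test-WlanProfileServerValidation -ProfileName $_ } |
    Format-Table -AutoSize
```

Any profile reported with an empty ServerNames value accepts a certificate for any host name, which is the condition under which the rogue-server attack above produces no warning.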
So I leave you guys with the commands to make your Windows 7 box a wifi access point. Be sure you are running as admin when executing these commands.
As you can see, I have set up my SSID and password in order to gain access to the network. Next you need to enable Internet sharing on your current network connection. When choosing the Home Networking Connection, select "Wireless Network Connection 2". Then head over to the properties for Wireless Network Connection 2 and enable only IPv4 (or IPv6, depending on your device). Save this. Finally, head back to your command line and enable the interface.
I have a screenshot of my iPhone showing my connection. Sweet. This is great when you are roaming, have an Ethernet connection in a hotel but no WiFi, and want to browse on your mobile devices... like me right now. To disable, use the following.
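An added example, not the post's own commands: a PowerShell audit for the other side of this feature, since Windows prompts neither when the hosted network starts nor when clients join. It parses `netsh wlan show hostednetwork`, reports whether a hosted network is allowed or running and which client MACs are attached, and tears it down with `stop` followed by `mode=disallow`. It assumes netsh.exe on the PATH, an elevated prompt, and the English labels in netsh's output.

```powershell
# Added example (not the post's own commands): detect a running hosted network
# ("virtual AP") on this box, list attached clients, and disallow the feature.
# Assumes netsh.exe on PATH, an elevated prompt, and the English labels netsh
# prints ("Mode", "SSID name", "Status", "Number of clients").

function Get-HostedNetworkState {
    $out = netsh wlan show hostednetwork | Out-String
    $state = @{ Mode = 'Unknown'; Ssid = ''; Status = 'Unknown'; Clients = 0; ClientMacs = @() }
    foreach ($line in ($out -split "`r?`n")) {
        if     ($line -match '^\s*Mode\s*:\s*(.+?)\s*$')               { $state.Mode    = $Matches[1] }
        elseif ($line -match '^\s*SSID name\s*:\s*"?(.*?)"?\s*$')      { $state.Ssid    = $Matches[1] }
        elseif ($line -match '^\s*Status\s*:\s*(.+?)\s*$')             { $state.Status  = $Matches[1] }
        elseif ($line -match '^\s*Number of clients\s*:\s*(\d+)')      { $state.Clients = [int]$Matches[1] }
        # Client rows look like "    00:11:22:33:44:55        Authenticated"
        elseif ($line -match '^\s*([0-9a-f]{2}(:[0-9a-f]{2}){5})\s+\w') { $state.ClientMacs += $Matches[1] }
    }
    [pscustomobject]$state
}

function Disable-HostedNetwork {
    # Stop a running hosted network, then forbid it from being started again.
    netsh wlan stop hostednetwork | Out-Null
    netsh wlan set hostednetwork mode=disallow | Out-Null
}

$hn = Get-HostedNetworkState
if ($hn.Status -eq 'Started') {
    Write-Warning ("Hosted network '{0}' is up with {1} client(s): {2}" -f
        $hn.Ssid, $hn.Clients, ($hn.ClientMacs -join ', '))
    Disable-HostedNetwork
} elseif ($hn.Mode -eq 'Allowed') {
    Write-Warning 'Hosted network is allowed but not started; disallowing it.'
    Disable-HostedNetwork
} else {
    Write-Output 'No hosted network configured on this machine.'
}
```

Run it from a scheduled task on managed laptops if the feature is not supposed to be in use; the `Started` branch is the one that catches the silent rogue AP case.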