Thoughts from Black Hat and DefCon

August 2, 2012 - By Chris Larsen

Last week was pretty busy. Several folks on the malware research team headed to Las Vegas for either Black Hat or DefCon, or both.

Since trying to summarize several days of security presentations in depth would be futile, I decided to mention some highlights:


1)  In general, I always get the feeling, "Man, I'm sure glad I'm not a network admin!" whenever I go to one of these. My favorite new thing to worry about is HP LaserJet rootkits. (I hadn't heard about this research before. It's impossible to keep up with everything these days....)

The researcher is a PhD student at Columbia named Ang Cui. He's interested in embedded systems and has found vulnerabilities in Cisco IOS, Cisco IP phones, and HP LaserJets. (Essentially, if you put in the time, you can reverse-engineer their official firmware downloads, build an authentic-looking replacement with your "goodies" in it, and load it onto the box...)


2)  Next thing to worry about: Good presentation on "SNSCat", which is an open toolkit that you can use to set up data exfiltration and command-and-control channels using various social network sites as vectors. And if you're not satisfied with the built-in encryption and steganography tools, you can hook in your own, because hey, it's open source. (Did I mention that I'm glad I'm not a network admin?) Maybe it's time to go back to just blocking access to Social Networking...


3)  ...and let's all go back to plain old dumb cell phones while we're at it. Lots of folks discussing various ways to abuse iOS and Android devices. So those sure aren't safe. But hey, neither are Windows 8, Chrome, Linux, or any other hardware, OS, software, or protocol known to man...


4)  Which brings us to the Black Hat keynote from Shawn Henry, ex-FBI cyberguy (whom I think of as being the "everyone's been hacked" guy). One of his big common-sense points was (paraphrasing) "everything doesn't need to be on the network" -- in other words, consider the value you get from some piece of data being electronically accessible, versus the cost in trying to secure it, versus the cost if it were accessed by whatever Bad Guys might want it. Some things are too important to put where the Bad Guys can get them...

(He also encouraged people to set up fake/honeypot servers, applications, directories, and files. Make them easier for an intruder to find than your real stuff. Then keep an eye on the fakes. There shouldn't be any legitimate traffic going there, so anything you see poking around is worth investigating. This is the same idea that came up in a group discussion at ShmooCon earlier this year on how the Good Guys can actively make life harder for the Bad Guys. It's worth giving some serious consideration...)
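To make the "keep an eye on the fakes" part concrete, here is a small added example (mine, not something from the talk or the post) of the detection side: a script that reads web-server access-log lines and flags any request that touches a decoy location. The decoy paths and the log lines are constructed for the example; the only real assumption is that nothing legitimate is ever linked to or scheduled against those paths, so every hit is worth a look.

```python
import re
from dataclasses import dataclass

# Constructed decoy locations for this example. Pick your own in practice,
# and never link to them from real pages or jobs, so legitimate traffic
# has no reason to arrive there.
DECOY_PREFIXES = (
    "/backup/",                   # trailing slash: the whole directory is a decoy
    "/admin-old/",
    "/finance/payroll_2011.xls",  # no trailing slash: a single decoy file
)

# Apache/nginx "combined" style request line, e.g.
#   203.0.113.7 - - [02/Aug/2012:10:15:01 -0600] "GET /index.html HTTP/1.1" 200 5124
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass(frozen=True)
class DecoyHit:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def is_decoy_path(path: str) -> bool:
    """True if the requested path lands on a decoy directory or decoy file."""
    clean = path.split("?", 1)[0]  # ignore the query string when matching
    for decoy in DECOY_PREFIXES:
        if decoy.endswith("/"):
            # "/backup" and anything under "/backup/" both count
            if clean == decoy.rstrip("/") or clean.startswith(decoy):
                return True
        elif clean == decoy:
            return True
    return False


def find_decoy_hits(log_lines):
    """Parse each line; return a DecoyHit for every request to a decoy path."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line in the format we understand
        if is_decoy_path(m["path"]):
            hits.append(DecoyHit(m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits


def hits_by_source(hits):
    """Group hits per source IP so one host poking around shows up as one alert."""
    by_ip = {}
    for h in hits:
        by_ip.setdefault(h.ip, []).append(h)
    return by_ip


# Constructed sample log: one host walks into the decoy directory, another
# pulls the decoy spreadsheet, a third only does normal things.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Aug/2012:10:15:01 -0600] "GET /index.html HTTP/1.1" 200 5124',
    '203.0.113.7 - - [02/Aug/2012:10:15:02 -0600] "GET /backup/ HTTP/1.1" 404 231',
    '203.0.113.7 - - [02/Aug/2012:10:15:03 -0600] "GET /backup/db.sql HTTP/1.1" 200 1048576',
    '198.51.100.23 - - [02/Aug/2012:10:16:40 -0600] "GET /products?id=7 HTTP/1.1" 200 3320',
    '198.51.100.23 - - [02/Aug/2012:10:16:41 -0600] "GET /finance/payroll_2011.xls HTTP/1.1" 200 88123',
    '192.0.2.5 - - [02/Aug/2012:10:20:00 -0600] "POST /login HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ip_hits in hits_by_source(find_decoy_hits(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {len(ip_hits)} decoy hit(s)")
        for h in ip_hits:
            print(f"  {h.ts} {h.method} {h.path} -> {h.status}")
```

Note that a 404 on "/backup/" is flagged just like a 200: the point of a decoy is that nobody should be asking for it at all, so the response code does not matter, only the fact of the request. The same pattern works for file-server audit logs or application logs; only the regular expression changes.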


5)  Normally, I stick to the research presentations, but occasionally I'll wander over to the Exhibitor section. This trip, I picked up a copy of the Data Breach Investigations Report (DBIR) from our friends at Verizon. While I've heard about the DBIR several times in the past, and seen some fun statistics from it, I hadn't actually read all the way through one of them. (Basically, the DBIR summarizes investigations into data breaches, gathering stats from Verizon's own teams and also several government organizations in different countries. Then they try to make sense of it all.)

Lots of good stuff; well worth a quick read. My favorite stats: 58% of data theft last year was via hacktivism (think Anonymous and LulzSec); 96% of the attacks studied were "not highly difficult"; and therefore, unsurprisingly, 97% of attacks were "avoidable" via simple-to-intermediate controls. Sadly, 92% of attacks were discovered by a third party, not the actual victim...


6)  Finally, a bonus tip. Block all ".gadget" files coming into your network. These are the cute little widgets that started showing up in Windows Vista's sidebar, and have since migrated to the Windows 7 desktop. The presentation (given at both Black Hat and DefCon) covered several serious weaknesses in gadgets and how they're implemented and used.

Executive Summary: they just aren't worth it. (In fact, if I understood the presenters correctly, Microsoft is basically pulling the plug on these, rather than attempt to fix the security model.)

So do that, and at least there's one less thing to worry about!


--C.L.

@bc_malware_guy