Black Hat DC 2010: Using the Dark Side for Good
The Black Hat Briefings came to the Washington, DC area (Arlington, VA) last week, drawing roughly a thousand representatives from the black and white hat communities together to learn how to attack and defend our systems. With a keynote by Greg Schaffer from the Department of Homeland Security and three tracks of briefings that covered everything from "the big picture" to tricks you can play with Metasploit, this hackerfest took on the global perspective on hacking while simultaneously drilling down to the nitty gritty on various attack methods.
Some of the more interesting take-homes from this conference:

1) Many of us are missing the boat when it comes to securing our enterprises. We fail to realize that some of the original exploits are still very much in use (like exploiting default passwords) while we also fail to grasp that many of the tools we use routinely may be completely unable to deal with the more virulent threats we face today.

2) The Russian and Chinese hacker communities are far better organized and capable than many of us might like to believe. If I hadn't recently read "Inside Cyber Security", it would have been shocking to hear what those who have penetrated these communities have to say. I also learned the basic difference in the focus between these hacker communities --- the Chinese are primarily going after military secrets and commercial know-how, with money falling behind nationalism as a major theme. The Russians, on the other hand, are primarily focused on money. In both cases, corrupt and/or indifferent governments are not cracking down as most of us would wish they would. These hacker communities provide cover for other activities and are easily recruited into nefarious campaigns to harm or discredit opposing regimes.

3) I also learned that ISPs are decidedly NOT all the same when it comes to how they police their customers. Some take down sites that don't follow the rules; others just look the other way. GoDaddy, for example, has a zero-tolerance spam policy that it takes very seriously. This means that they "whack" domains as needed, even though they may be sued by the site owners when these sites are found to be spewing spam or malware. None of these suits has been successful to date, but that doesn't mean there aren't costs associated with the defense, and I, for one, fully appreciate companies like GoDaddy that refuse to be part of the problem.
Spam is even more prevalent than I ever imagined. According to one speaker, 98% of it never reaches our systems. Where is it all coming from? A big registrar might process 5,000 newly registered domains in a single morning. Many spam and malware sites, when they are blocked or suspended, simply pick up and move to another domain. Even so, 90% or so of spam and malware sites are not malicious, only infected. Factoring this into the "who's bad?" decision makes the analysis and response far more complicated.
GoDaddy, after getting a complaint about a domain and investigating, will often suspend a domain. Interestingly, the distinction between suspending a domain and permanently shutting it down is an important one. A suspended domain cannot immediately be re-registered elsewhere. A suspended domain can also be made to point at something like "SUSPENDED-FOR.SPAM-AND-ABUSE.COM", making it clearer to those that care to check that there is or was a problem.
I was not surprised to see myself staring at lists of obvious phishing domains with strings like "irs.gov" and "bankofamerica.com" buried within their names to give them a modicum of legitimacy in the eyes of naive visitors. I easily recognized this ploy from the many phishing attempts that arrive in my own inbox.
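The ploy described above (a trusted name like "irs.gov" buried inside a domain the attacker actually controls) can be caught with a simple registrable-domain check. The following is an added example, not code from the original post or from any vendor mentioned in it. The brand list, the cut-down public-suffix list and the sample hostnames are all constructed for illustration; a real deployment would load the full Mozilla Public Suffix List instead of the short tuple here.

```python
"""Flag hostnames that embed a protected brand domain without belonging to it.

Added example for illustration. PROTECTED, PUBLIC_SUFFIXES and the sample
hostnames in main() are constructed, not taken from any real feed.
"""
import re

# Hypothetical list of brand domains a phishing filter wants to protect.
PROTECTED = ("irs.gov", "bankofamerica.com", "paypal.com")

# Toy public-suffix list; a real filter would use the Mozilla Public Suffix List.
PUBLIC_SUFFIXES = ("com", "net", "org", "gov", "info", "co.uk")


def registrable_domain(host: str) -> str:
    """Return the part of `host` that a registrant actually controls.

    'irs.gov.secure-login.info' -> 'secure-login.info'
    'a.b.example.co.uk'         -> 'example.co.uk'
    """
    host = host.lower().rstrip(".")
    # Longest suffix first so 'co.uk' wins over 'uk'-style overlaps.
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if host == suffix:
            return host
        if host.endswith("." + suffix):
            owner = host[: -len(suffix) - 1].rsplit(".", 1)[-1]
            return owner + "." + suffix
    # Unknown suffix: fall back to the last two labels.
    return ".".join(host.split(".")[-2:])


def _tokens(host: str) -> list:
    """Split on '.', '-' and '_' so 'irs-gov-refund.com' yields irs/gov/refund/com."""
    return [t for t in re.split(r"[.\-_]", host.lower()) if t]


def brand_lookalike(host: str):
    """Return the protected brand that `host` impersonates, or None.

    A host is a look-alike when the brand appears in it (as a subdomain,
    as hyphen-joined labels, or as a label containing the brand's core name)
    while the registrable domain is NOT the brand's own domain.
    """
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    toks = _tokens(host)
    for brand in PROTECTED:
        if reg == brand:
            return None  # the real site or one of its own subdomains
        btoks = brand.split(".")
        n = len(btoks)
        # Whole brand as consecutive labels: 'irs.gov.x.info', 'irs-gov-refund.com'
        if any(toks[i:i + n] == btoks for i in range(len(toks) - n + 1)):
            return brand
        core = btoks[0]  # 'bankofamerica', 'paypal', 'irs'
        for t in toks:
            # Short cores (e.g. 'irs') must match a whole label to avoid
            # false positives such as 'f-irs-t'; longer cores may be embedded.
            if t == core or (len(core) >= 5 and core in t):
                return brand
    return None


def triage(hosts) -> dict:
    """Map each hostname to the brand it impersonates (or None)."""
    return {h: brand_lookalike(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample of newly seen hostnames.
    sample = [
        "irs.gov.secure-login.info",
        "bankofamerica-verify.net",
        "www.irs.gov",
        "secure.paypal.com",
        "firstbank.com",
        "paypa1.com",
    ]
    for host, brand in triage(sample).items():
        print(f"{host:30} -> {brand or 'ok'}")
```

The check deliberately anchors on the registrable domain rather than on the leftmost labels, because an attacker controls everything to the left of the suffix they registered. It does not catch homoglyph or typo variants such as "paypa1.com"; those need a separate edit-distance or confusable-character pass.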
On the second day of the two days of briefings, I learned about Zeus -- malware that targets financial websites. Zeus is one of the password-stealing trojans that is extremely difficult to detect. One study says that it is detected by only 23% of anti-virus products, even when they are running the latest signatures. Someone said that Zeus has already claimed more than 600,000 victims.
The Shape of the Conference
Black Hat offered two days of intense training (separately priced) followed by two days of briefings -- talks by notable security experts. I'd signed up only for the briefings and was deeply impressed by the skill and insights offered. I found it quite difficult to select between the simultaneous offerings. Should I learn how to enhance ZFS or hack into satellite downlinks? Should I learn how to break Oracle 11g or predict vulnerabilities on my own network? Since I couldn't be in two, never mind three, places at once, I put in an order before I left for a DVD that will allow me to observe all of the sessions from the privacy of my office. I expect it will arrive in the next two or three weeks.
I ended up picking sessions from each of the three tracks and was relieved to know that I'd be able to catch up with the content of competing tracks later.
I've only just discovered that some of the presentations are already online, with handouts and sometimes the videos too. Go to http://www.blackhat.com/html/bh-dc-10/bh-dc-10-archives.html to look over this material.
The Trade Show Floor
On the small trade show floor, some of the premier vendors of security products discussed their various offerings and handed out t-shirts and pens.
The small show floor was packed with big names in the security industry. I ran to it during breaks between sessions and wolfed down my delicious lunch on day one so that I could spend a little time talking with the company reps and collecting a few handouts for my comrades back at the office who didn't get to tag along with me. It wasn't nearly enough time, but I got some handouts that I'll be able to read in the next few weeks and had my badge scanned so that marketeers can follow up with me later. I made a point of stopping by the Qualys booth to chat with the reps there about their vulnerability assessment tools -- like QualysGuard.
I also stopped by booths manned by representatives from Palantir, Core, Fortify, Harris, loglogic, SAINT, Solera, splunk>, StillSecure and TrustWave. I could have spent an entire day just on the floor, but all I had were breaks between sessions and the second half of the time set aside for lunch.
I didn't have time to talk with Novell, ArcSight, Berico Technologies, Intel, IOActive, LookingGlass, Microsoft, netForensics, netwitness, nitrosecurity, pico, RedSeal, Blackberry, rovi, Rsignia, SecureWorks, SRA or TippingPoint -- or even to verify that each of these sponsors was actually present. A full day just on the show floor would have suited me just fine, but the vendors were gone when I looked for them on day two and I was still popping in and out of briefings.
I did stop by and chat briefly with the folks from Johns Hopkins University (yes, that's "Johns" not "John") about their part-time graduate degree and certificate programs for working professionals. Years ago, I worked in the JHU Physics and Astronomy Department and am still in love with the Homewood campus and all the brilliant minds I got to know in that department.
And there is so much more to be discovered in the talks that I didn't attend and the handouts I tossed into my little Black Hat conference bag. The nice-looking little bag was not nearly big enough, by the way. If you attend a Black Hat conference, you should bring a large bag of your own so that you can carry home all the handouts you will want to read over when the conference is over.