Thursday, August 1, 2013

Blackhat 2013 Debrief

In what is becoming an annual summer tradition of mine, I recently had the opportunity to venture out towards the scorching deserts of Nevada to meet up with thousands of white, grey and black hat hackers to attend what are perhaps the two most well-known security conferences in existence, Blackhat and Defcon.  This year marks my 4th consecutive year of attendance for both events.  For those not familiar with the conferences, I like to say Blackhat is a ‘professional’ style conference which is pricey and sponsored.  Vendors bring out their best to impress the industry.  The other conference, Defcon, is held the Thur - Sun immediately after Blackhat wraps up.  Defcon is known to be very low cost for attendance and takes on a bit of a wild atmosphere, much more casual.

Welcome to Blackhat 2013
This year was my first chance to attend the training portion of the Blackhat security conference.  I opted to attend the Bypassing Security Defenses: Penetration Testing Secrets hosted by Mr. David Kennedy.  Dave is a well-known individual in the security community as he heads his company TrustedSec, and has created many well-known utilities such as the Social Engineer’s Toolkit and various others.  Having seen Dave talk in years past, I knew I would be in for a real treat.  For me, the goal of the class was to expand my anti-virus evasion techniques and privilege escalation attacks.
The first part of training served as a smash-course in reconnaissance utilities such as recon-ng and the Metasploit framework.  I was relatively surprised to see that a large portion of the class had never spent time in the framework before, however I was pleased to see that the pace of the course progressed as promised.  After lunch, we began diving into exploitation secrets and evasion techniques such as EXE::Custom and EnableStagedEncoding advanced payload options capable of landing memory resident payloads (i.e. meterpreter) which traditional anti-virus mechanism are unable to detect.  I had heard of a few of the tactics we covered in the past; however with day to day work and engagements, I find it hard to always be on the bleeding edge and have tools prepped and tested.  I found this training to be the perfect ‘sharpening’ of my skillset that I needed.  As we were walking through examples and landing shells, I quickly became excited to try these techniques on real-world scenarios. 

Reverse meterpreter shells evading anti-virus, and clear text admin password dumps!
Day 2 of the training focused on navigating Kennedy’s popular Social Engineer Toolkit utility which fortunately I’ve had quite a bit of experience with.  We spent time in using python to craft our own custom reverse shells and meterpreter payloads using pyinjector which resulted in payloads which would easily evade any common anti-virus software.  The class was treated to a surprise when famed hacker Kevin Mitnick showed up to discuss his past stories of hacking (and getting caught), in addition to providing some reconnaissance tips.  Lastly the class walked through an older stack based buffer overflow attack.  This walkthrough was a bit of a recap to me, however anytime one is able to tear through the stack in a debugger serves as a good recap.  I was pleased with the course and thought it was well worth the value, if nothing else, to learn directly from a leader in the industry.

Kevin Mitnick shares his experiences with the class
Day 3 of the Blackhat conference started the briefings portion of the conference and to kick things off,  Gen. Keith Alexander (chief of the NSA and USCYBERCOM Commander) was put on the podium to deliver the Keynote speech and defend a tarnished image of the NSA in light of the Prism document leaks.  The General delivered a good and intriguing keynote address about how we came to these programs and what the intent of these programs are.  In addition, he went into depth regarding Section 215 (Telephone metadata monitoring) and Section 702 Prism (or communication content monitoring).  Much of the talk was wrapped around attacks against the US and recent thwarted attacks due to these monitoring programs.  Some individuals in the crowd called “bullshit” and voiced their distrust with the General’s comments; however it is up to each to make their own opinions regarding the balance of privacy verse security.  The General did go into details about who is being targeted and the auditability that goes into each query, along with protections in place to ensure no wrongful or unwarranted monitoring is taking place.  He mentioned that while the NSA may have capabilities of eaves dropping on everyone’s communication, he stated the NSA has rigorous checks and balances in place along with no intent to do, “That’s no bullshit, those are the facts”.  I particularly enjoyed one of the General’s open ended question where he asked “If those 54 thwarted attacks had been successful, what do you think the state of our civil liberties be?”

Gen. Alexander delivering a tense keynote address to the Blackhat audience
Other talk highlights included a run down on the Computer Fraud and Abuse Act (CFAA) and how it can be applied to security researchers.  The takeaway from this talk is that the law is written so vaguely and loosely that it can be interpreted in nearly any way a court chooses to.  There were numerous examples of past high profile cases where it was deemed defendants violated the CFAA resulting in exorbitant penalties and prison time for the minor security research and offenses, most of which was publically available information.  It was quite eye opening in light of our IP Camera Confessional talk we presented at BSides Iowa.  After the talk, I immediately ventured to the booth of the EFF (Electronic Frontier Foundation) to pledge my support for their work in defending our civil liberties in a digital world. 

In another talk, a team of researchers from iSec Partners gave an incredible presentation about hacking personal cellular tower extenders (i.e. femtocells).  The researchers were able to root the femtocell device, install and compile code to essentially snoop on any Verizon CDMA cell phone within range.  Prior to the talk, they laid out a red line of tape designating the ‘danger zone’ in which they cautioned audience members inside the zone that they could be subject to snooping.  Live demonstrations were given of the researchers recording voice calls, text messages and data snooping.  Lastly, they were able to clone a victim’s phone allowing them to receive the victim’s phone calls, text messages, data plans and use their minutes.  All of this was unknown to the victim and required no user interaction other than being within range.  Quite a compelling and eye opening talk as mobile devices are so common in today’s world with zero protections against these rogue femtocell attacks.  Well done iSec.

Warnings posted prior to entering the conference room

Day 3 (Wednesday) is always a real treat.  My fellow #madsec pals arrived in town and we prepped for our first night out.  The vendors at Blackhat bring out their best to impress the industry, so this year we visited 3 events.  First off, we ventured to the Mirage to attend Tenable’s gathering at Rhumbar.  Paul Assodorian (Pauldotcom podcaster) served up some terrific cigars while we mingled amongst security professionals enjoying complementary drinks.  I had some very interesting conversations with folks from Booz Allen Hamilton in light of the Snowden fiasco, really nice to get their take on things.  From Tenable’s party, we ventured inside the Mirage to the Revolution Lounge where Fishnet was holding a social.  My pal Drew and his company are in close with Fishnet so we were treated to drinks and snacks while we talked with people in the industry.  We then ventured over to the Palms for the annual Rapid7 party which is always quite a show.  They take over the Rain nightclub with live DJs inside and a pool deck outside for mingling.  This year, I was able to meet some awesome individuals in the industry such as JDuck, theLightCosine and bumped into Rel1k again for some hugs and drinks.  It was nice to show appreciation to the people who have contributed so much to the industry.  

Enjoying the Rapid7 Party with David Rel1k Kennedy
Hanging with USCC and madsec, JDuck and theLightCosine!

I hope to get the motivation for a future write up of my Defcon experience, however the conference is controlled chaos.  From presentations, to lock picking villages, contests and games, there is just so much going on.  For me, the highlight again was awarded to David Kennedy and his talk regarding how advanced modern day defenses can easily be beaten and the education which needs to happen.  I'll leave you with a snippet of his talk where he and Kevin Mitnick do a live onstage demo of social engineering a user on the phone and gaining complete SYSTEM level access of his computer, allowing them to pivot and pwn the organization.

As with years past, this week was an incredible experience, I'm humbled to be around so many bright minds in the industry and deeply enjoy this line of work.  Thanks for checking out the post.

No comments:

Post a Comment