
Defense in Depth

April 30, 2008 11:24 AM PDT

Microsoft's Blue Hat talks start Thursday

by Robert Vamosi

On Thursday and Friday, Microsoft will once again gather select security researchers in Redmond, Wash., for its seventh annual Blue Hat talks.

The conference, by invitation only, has gained a reputation for providing Microsoft engineers with a first-hand opportunity to hear from and question leading security researchers. There will be an executive event on Thursday, with general sessions on Friday. Microsoft has more on the Blue Hat schedule here, and a blog here.

Among those invited to present is Cesar Cerrudo, of Argeniss, who will update his Hack in the Box talk on Token Kidnapping. Cerrudo defines an access token as "an object that describes the security context of a process or thread," which includes the identity and privileges of the user account. He will show, according to Microsoft, "how it's possible in Windows XP and Windows Server 2003 to elevate privileges to Local System from any process that has impersonation rights."

What's interesting is that Microsoft issued a pre-patch advisory shortly after Cerrudo's April 17 Hack in the Box talk. CVE-2008-1436 states that "Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the NetworkService and LocalService accounts, which might allow context-dependent attackers to gain privileges...related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services." Look for a Microsoft patch announcement regarding this in May.
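The advisory turns on which service accounts hold the SeImpersonatePrivilege user right. A small inventory check a defender might script while waiting for the patch is to collect the output of `whoami /priv` from the processes or service accounts of interest and flag any token that carries that privilege. The code below is an added example for this post, not anything from Cerrudo or Microsoft; the `whoami /priv` output it parses is a constructed sample in the real command's column layout, and the presence-not-state rule in the finding is the usual Windows behaviour that a process can enable a privilege its token already holds.

```python
# Added example: parse `whoami /priv` output and flag tokens that hold
# SeImpersonatePrivilege, the user right named in CVE-2008-1436.

# Constructed sample in the layout `whoami /priv` prints (not captured
# from a real machine).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAuditPrivilege                Generate security audits                  Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
"""

WATCHED = ("SeImpersonatePrivilege",)


def parse_whoami_priv(text: str) -> dict:
    """Map privilege name -> state ("Enabled"/"Disabled") from whoami /priv output.

    The description column contains spaces, so the name is taken as the first
    whitespace-separated token and the state as the last one; header and
    separator lines never satisfy both conditions.
    """
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1]
    return privs


def impersonation_findings(text: str) -> list:
    """Return one finding per watched privilege present in the token.

    A "Disabled" privilege still counts: a process whose token holds the
    privilege can enable it on itself, so presence is what the inventory
    should record, not the current state.
    """
    privs = parse_whoami_priv(text)
    findings = []
    for name in WATCHED:
        if name in privs:
            findings.append({"privilege": name, "state": privs[name],
                             "note": "token holds impersonation right; review which account runs this process"})
    return findings


if __name__ == "__main__":
    for f in impersonation_findings(SAMPLE_WHOAMI_PRIV):
        print(f"{f['privilege']} ({f['state']}): {f['note']}")
```

On a real host the input would come from `whoami /priv` run in the context of each service account you care about; the parser only needs the standard three-column output, so it works unchanged on output saved to a file.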

Other presentations at Blue Hat worth noting are Alex "Kuza55" K. of Sift on "Web Browsers and Other Mistakes"; Manuel Caballero and Fukami on "A Resident in My Domain, plus, Unweaving Silverlight from Flash"; SoWhat of Nevis Labs on "Attacking Antivirus"; and Billy Rios and Nitesh Dhanjani will reprise their Black Hat D.C. talk, "Bad Sushi: Beating Phishers at Their Own Game."

April 14, 2008 3:24 PM PDT

Gmail cookie stolen via Google Spreadsheets

by Robert Vamosi

Security researcher Billy Rios reported Monday that a cross-site scripting (XSS) attack against Google Spreadsheets could have exposed all of Google's services. XSS can occur whenever a legitimate site accepts input from the user but does not filter that input properly, allowing the injection of potentially malicious instructions. In this case, once an attacker could run script on any xxxx.google.com site, they would have access to other Google services, such as Gmail, Docs, and Code.

In an e-mail to CNET News.com, a Google representative confirmed that the flaw as described by Rios has been fixed. "Google takes the security of our users' information very seriously," said a Google spokesperson. "We worked quickly to address the vulnerability and rolled out a fix before it was reported publicly. We have not received any reports of this vulnerability being exploited."

According to Rios, he was able to get Internet Explorer to disregard the content type of the HTTP response returned by the server while using Google Spreadsheets. At issue here is whether or not the browser will ignore the content-type header in certain circumstances. Rios points out that all browsers have the potential to do this under certain circumstances, thus the problem isn't entirely with Google.

In his blog, Rios created a spreadsheet, placing an alert(document.cookie) script string surrounded by HTML tags in the first cell. When that content is saved and downloaded as a comma-separated values (CSV) file, the content type should be text/plain. However, since Rios added HTML to the string, Internet Explorer will see that first and render it as HTML instead.

Whenever a victim is lured to this CSV URL, an alert dialog box will pop up on the attacker's desktop containing the victim's current Google session information. The session cookie would be valid on other Google services used by the victim, such as Gmail, Docs, etc.

Rios offers this XSS flaw as a cautionary tale, and recommends that security-minded readers check out a paper by Blake Frantz of Leviathan Security. In "Flirting with MIME types," Frantz found that, while other browsers were also indiscriminate about rendering file types as HTML, IE did so on 696 file types out of 735 tested. To give perspective, the next closest was Opera at 14, with Firefox at 8, and Safari at 7.
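The mechanism in this post is content sniffing: the browser looks at the first few hundred bytes of a download and, on finding HTML markup, renders it as HTML in the site's origin regardless of the declared text/plain type. The following code is an added example for this post, not Rios's proof of concept or Google's code. It does two things a reviewer of an export endpoint would want: a check that approximates the sniffing decision on a response body, and a header set that stops the rendering path (X-Content-Type-Options: nosniff and Content-Disposition: attachment are the mitigations browsers later adopted; they are not mentioned in the post). The tag list, the 256-byte window, the risk labels and the sample spreadsheet rows are assumptions constructed for the example, not a specification of Internet Explorer's actual algorithm.

```python
# Added example: detect user-generated CSV downloads that a content-sniffing
# browser would render as HTML, and build headers that prevent it.
import csv
import io
import re

# Assumed heuristic: a sniffing browser scans the start of the body for HTML
# tags. Window size and tag list are choices made for this example.
SNIFF_WINDOW = 256
_HTML_MARKERS = re.compile(
    rb"<\s*(!doctype\s+html|html|head|body|script|iframe|img|table|a\s|div|p\s|p>)",
    re.IGNORECASE,
)

# Constructed sample: the first cell carries the kind of markup the post describes.
USER_ROWS = [
    ["<html><script>alert(document.cookie)</script></html>", "2"],
    ["3", "4"],
]


def looks_like_html(body: bytes) -> bool:
    """True if markup appears inside the sniffing window of the body."""
    return _HTML_MARKERS.search(body[:SNIFF_WINDOW]) is not None


def rows_to_csv(rows) -> bytes:
    """Serialize rows as CSV; quoting alone does not defeat sniffing."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(rows)
    return buf.getvalue().encode("utf-8")


def safe_csv_headers(filename: str) -> dict:
    """Headers for a user-generated CSV download.

    nosniff makes the browser honour the declared type; attachment keeps the
    body from being rendered inline at all. Either one closes the hole; both
    together cover browsers that support only one.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "text/csv; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Cache-Control": "no-store",
    }


def download_risk(headers: dict, body: bytes) -> str:
    """Classify a text download: "html", "safe", "mitigated" or "vulnerable"."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    attachment = h.get("content-disposition", "").strip().lower().startswith("attachment")
    if ctype == "text/html":
        return "html"          # intended HTML; sniffing is not the question here
    if not looks_like_html(body):
        return "safe"
    if nosniff or attachment:
        return "mitigated"
    return "vulnerable"


if __name__ == "__main__":
    body = rows_to_csv(USER_ROWS)
    print("bare text/plain:", download_risk({"Content-Type": "text/plain"}, body))
    print("hardened:       ", download_risk(safe_csv_headers("sheet one.csv"), body))
```

Run against a response captured from an export endpoint, `download_risk` returns "vulnerable" exactly in the situation the post describes: user-controlled markup near the start of the body, served with a plain text type and nothing telling the browser not to second-guess it.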

February 22, 2008 1:49 PM PST

Black Hat D.C. wraps up

by Robert Vamosi

Breaking things--that's what the very bright and super curious do; they look beyond the obvious to see what's truly lurking beneath the surface. On Wednesday and Thursday, attendees at Black Hat D.C. 2008 got a window into the latest research being done on Web applications, wireless, and embedded technologies.

On Wednesday, researchers David Hulton and "Steve" showed how, with about $1,000 worth of equipment, they can decrypt A5/1 cellular GSM traffic in less than an hour. Following that, Adam Laurie reprised his popular RFIDiots talk from last year's Black Hat briefings with a new program that allows him to read the data off smart credit cards "hands free."

Perhaps the best new presentation at Black Hat D.C. 2008 took place in the early afternoon. In "Bad Sushi: Beating Phishers at Their Own Game," researchers Nitesh Dhanjani and Billy Rios relentlessly tracked down the origins of several online phishing sites to reveal, not super-smart ninja hackers, but sloppy coders who cut and paste and even steal from one another. Following that, David Litchfield, a substitute for a canceled talk on VoIP, presented on new Oracle vulnerabilities. Finishing the day was Neal Krawetz, who expanded his talk from Black Hat Las Vegas on image analysis, this time including his research into the veracity of Osama bin Laden's beard in a recent video.

Wednesday night included a social. There was also a speaker from the Washington, D.C.-based Spy Museum with stories of real-life spies.

On Thursday, Tiller Beauchamp and David Weston gave a presentation on DTrace, a security research application that is now available within Mac OS X Leopard and coming soon to various distributions of Linux. Following that, Zac Franken reprised his previous talk on biometric and token-based access control systems with new information on work access cards. After lunch, talks included Chris Wysopal on classification and detection of backdoors, Jason Larson on SCADA security, and Jon Oberheide on exploiting virtual machine migrations.

February 20, 2008 1:03 PM PST

The myth of the Ninja Hacker

by Robert Vamosi

Washington D.C. -- On Wednesday, in a talk at Black Hat D.C. 2008, two researchers set out to see whether phishing sites were created by the "Einsteinian, ninja hackers that the media makes them out to be."

In a talk titled "Bad Sushi: Beating Phishers at their own game," Nitesh Dhanjani and Billy Rios found not a sophisticated gang of elite coders, but hundreds of bad coders all copying one another, and often stealing from each other.

Dhanjani and Rios expressed disapproval of antiphishing products that use blacklists to block known phishing sites. One, because some legitimate server admins might have their compromised account password visible on such lists. Two, because the researchers were able to open those lists and see which servers were being compromised.

They followed one of the servers that had shown up on one black list multiple times. What they found was a poorly configured Internet-facing server, one that was easily compromised, and therefore hosting several phishing sites.

Once they found a compromised Web server, they then wondered: how hard is it to create an authentic-looking phishing site? Dhanjani and Rios found kits online, prepackaged with images and forms from Bank of America, Citibank, and PayPal, among others. Just install one of these kits on a compromised server and you're in business.

Looking deeper into the code used in these kits, they found that one kit had been copied many times, with different images. Moreover, the creator of the kit was skimming off the people using the kit; every time someone fell for a phishing site, their personal data not only went to the phisher who put up the site, but also to the author who wrote the kit.

With personal information flowing in, what does the average phisher do next? Dhanjani and Rios googled to find sites trading personal data--not a surprising find. What they found was that U.S. and U.K. IDs often sold for much less than European and Asian data. They could not account for the difference.

They also found forums and sites dedicated to ATM "skimming." Skimming is the physical use of secondary readers and keypads on ATMs used to capture account numbers and PINs. Often the ATM transaction goes through, and the customer doesn't realize the account has been compromised until later.

Dhanjani and Rios suggested that site administrators should lock down their sites so that phishing kits don't take root. They also suggested that sites require more security in order to raise the bar. By requiring a customer to use two-factor authentication, or a persistent cookie, many of the financial phishing sites would cease to be effective, they said.

February 19, 2008 3:59 PM PST

Black Hat D.C. 2008 begins

by Robert Vamosi

WASHINGTON--On Wednesday, Black Hat D.C. 2008 gets under way, after two days of intense training sessions. The D.C. Black Hat security conference is much smaller than the summer Black Hat USA in Las Vegas. But what D.C. lacks in size, it makes up for in sessions and talks.

On tap for Wednesday is a keynote speech from Jerry Dixon, former director of the National Cyber Security Division, Department of Homeland Security. Following the keynote address will be two parallel tracks of programming--Web app and wireless--including presentations from Chuck Willis of Mandiant on forensic challenges of cross-site scripting, Adam Laurie on practical RFID hacking, Nitesh Dhanjani and Billy Rios on beating phishers, Sachin Joglekar and Sundeep Patwardhan on attacks on VoIP through IPSec tunnels, and Neal Krawetz on image analysis.

Thursday will continue with two parallel tracks--defense and hardware/embedded--and will include Christopher Tarnovsky discussing security failures in secure devices, Zac Franken on biometrics, as well as others.

Throughout the two-day event there will be various birds-of-a-feather talks, opportunities to talk to session speakers, and on Wednesday evening, additional speakers.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.