News Blog

January 10, 2008 10:46 AM PST

MBR rootkit targets Windows users

by Robert Vamosi

Security experts warned on Wednesday of a new rootkit aimed at users of the Windows operating system.

The rootkit hides in the Master Boot Record (MBR), the first sector of the hard disk (sector 0), which holds the code the BIOS executes at boot along with the partition table describing the primary partitions. According to Verisign's iDefense research unit, the rootkit overwrites the existing MBR, so its code runs before Windows loads and before any security software starts, which makes discovery very difficult. A rootkit is a program, or group of programs, designed to hide an attacker's presence on a computer while retaining root or administrator-level control of it, without the user knowing.

Trend Micro and Sunbelt indicate that infection rates appear low, especially if end users have applied all available Windows updates to their system.

According to iDefense, the samples of this MBR rootkit were first reported in mid-December, with the first wave hitting 1,800 computers on December 17 and a second wave hitting 3,000 computers on December 19. On December 22, the code was released into the wild, with iDefense reporting a total of 5,000 infections worldwide through January 7.

The current rootkit code appears to be based on two proof-of-concept stealth rootkit presentations: one given by eEye security researchers Derek Soeder and Ryan Permeh (PDF file) for Windows NT-based machines at Black Hat USA 2005, and one by independent security researchers Nitin Kumar and Vipin Kumar (PDF file) for Windows Vista machines at Black Hat in 2007. A comparison of the demonstration code from those presentations alongside the actual MBR rootkit code can be found on the GMER site. GMER is the nickname of a researcher who makes an application that detects and removes rootkits.

Infection occurs when a user visits an infected Web site. The infected site contains an iframe that links to a server hosting several exploits. If the user's machine is vulnerable to any of the following (all of which have had patches available for a year or more), the exploit succeeds and the machine becomes infected:

  • Microsoft JVM ByteVerify (MS03-011)
  • Microsoft MDAC (MS06-014)
  • Microsoft Internet Explorer Vector Markup Language (MS06-055)
  • Microsoft XML CoreServices (MS06-071)

According to GMER, detecting this rootkit requires comparing the current MBR against a stored, known-good image. If the two are not identical, the machine has most likely been infected (a change confined to the partition table can be a legitimate repartitioning, but altered boot code in the first 446 bytes is the strongest indicator of a bootkit). Removal requires reverting the infected system's MBR to an uninfected copy.
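The comparison GMER describes, written out as an added example (this is not GMER's or iDefense's code): parse sector 0 into its boot code, partition table and boot signature, then report boot-code changes separately from partition-table changes, since only the former is a bootkit indicator. The CLEAN_MBR, INFECTED_MBR and REPARTITIONED_MBR byte strings are constructed for illustration, and the read_sector0 helper is a hypothetical stand-in for however a real image is captured.

```python
"""Check a machine's MBR (sector 0) against a known-good baseline image.

Added example, not GMER's or iDefense's code. Sample sectors below are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # x86 boot code occupies bytes 0..445
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def read_sector0(device_path):
    """Read the first 512 bytes of a raw device such as /dev/sda or \\\\.\\PhysicalDrive0.
    Hypothetical helper: needs root/administrator rights and is not exercised here."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split a 512-byte sector into boot code, four partition entries and the signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes, got %d" % len(sector))
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN],
            "partitions": entries,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}


def boot_code_digest(sector):
    """SHA-256 of the boot-code region only; this is the value worth storing as a baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(baseline, current):
    """Return a list of findings. An empty list means the current MBR matches the baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code"] != cur["boot_code"]:
        # Boot code changes only when the OS or a boot manager is (re)installed;
        # a bootkit lives exactly here, so this is the finding that matters.
        findings.append("boot code differs from baseline (sha256 %s... -> %s...)"
                        % (boot_code_digest(baseline)[:12], boot_code_digest(current)[:12]))
    for i, (b, c) in enumerate(zip(base["partitions"], cur["partitions"])):
        if b != c:
            # Partition entries change legitimately on repartitioning, so they are
            # reported separately rather than folded into the boot-code verdict.
            findings.append("partition entry %d differs" % i)
    return findings


def _make_sector(boot_code, entries):
    """Build a constructed 512-byte sector for the demonstration below."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack("<B3sB3sII", *e) for e in entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed samples: a typical xor ax,ax / mov ss,ax / mov sp,7C00h preamble on the
# clean disk; a sector whose boot code was replaced but whose table is untouched; and
# a sector with the original boot code but a relocated partition.
_PARTITIONS = [(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_048_000)]
_CLEAN_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40
CLEAN_MBR = _make_sector(_CLEAN_CODE, _PARTITIONS)
INFECTED_MBR = _make_sector(b"\xeb\x58\x90" + b"\x00" * 45, _PARTITIONS)
REPARTITIONED_MBR = _make_sector(
    _CLEAN_CODE, [(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 4_096_000)])


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR),
                         ("repartitioned", REPARTITIONED_MBR)):
        print(label, check_mbr(CLEAN_MBR, image) or "OK")
```

The baseline must be captured from a known-clean state (right after installation, or from a vendor image), and it must be read from the raw device: a rootkit that hooks the disk driver can hand back the original sector to any tool that asks the infected operating system, which is why GMER and similar tools compare against an image taken from outside the running system.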

Originally posted at Defense in Depth
August 6, 2007 1:36 PM PDT

Black Hat 2007 sees Web 2.0 repeating Web 1.0 mistakes

by Robert Vamosi

LAS VEGAS--This year's Black Hat was pretty much summed up in a prescient keynote by Richard Clarke, the nation's former cybersecurity czar, who is now a novelist and chairman of Good Harbor Consulting. Clarke said "we're building more and more of our economy on cyberspace 1.0, yet we have secured very little of cyberspace 1.0." The apparent speed gained in Ajax (Asynchronous JavaScript and XML), a technique that splits processing between the Web server (Web site) and the Web client (browser), has opened Web 2.0 to some old-school attacks.

Nothing demonstrated this more clearly than a live hijack of a Gmail account. In a talk originally to have been presented alongside his colleague David Maynor, Errata Security CEO Robert Graham showed a standing-room-only crowd how he used two tools, Ferret and Hamster, to sniff the wireless airwaves for the session cookies of Web 2.0 sites. While talking about another matter entirely, Graham ran the tools in the background, capturing the wireless packets in the conference room and looking for session cookies belonging to audience members (if, as a speaker, you ever wanted to thwart those checking e-mail during your presentation, this is the tool to use). Grabbing cookies is not new. What is new is that Graham was able to pull these Web 2.0 clear-text session cookies out of thin air and then open the captured site URL in a new browser with the stolen cookie attached. No password is needed; the cookie itself is enough. Toward the end, Graham opened his Hamster tool and found several likely candidates. He chose one Gmail account that had been opened during his talk. The presentation screen lit up with some poor guy's active Gmail account, briefly displayed. Everyone applauded before Graham quickly wiped the information from the screen.

Should you avoid Gmail? No. If you change the URL in your Gmail bookmark (or any other Google-related bookmark) from http:// to https://, the Errata Security hack no longer works, provided the session really stays on https: a cookie the site will still send over plain http leaks just as before. That option is not available, however, for Facebook, Hotmail and several other Web 2.0 accounts. Graham says that while traditional Web 1.0 sites long ago learned to expire session cookies, the cookies used on Web 2.0 sites don't expire for years, so you could sniff accounts out of the air at your local Starbucks and months later still have access to that person's account. That's what's really scary about this kind of session hijacking, which Graham calls sidejacking: it is entirely passive, so the victim has no idea it is happening, and even changing the account password will have no effect. As the attacker you can send messages, read existing messages, and even alter the look and feel of the Web mail service itself; what you cannot do is lock the owner out of the account.

In a separate talk, Billy Hoffman and Bryan Sullivan, both of SPI Dynamics, talked about the rush to Web 2.0, and how even some established sites are "Ajaxify-ing" themselves at the expense of good security practices. To prove their point, the pair built an Ajax-enabled travel Web site, HackerTravel.com, following the current published best practices for Ajax. In their talk, Sullivan and Hoffman then showed how they could exploit known weaknesses in that approach. For example, by editing the JavaScript running in the browser they could book every seat on the plane (a denial-of-service attack) or purchase a round-trip ticket for $1.

Last year, Hoffman talked about the many problems within Web 2.0 Ajax technology, and this year he more or less put the subject to bed by addressing developers and insisting that they not put business logic on the client side of the transaction; that they keep all of that on the Web server. You can hear more about this topic from Hoffman and Sullivan on a recent Security Bites podcast.

Later in the conference Billy Hoffman returned with John Terrill, executive vice president and co-founder of Enterprise Management Technology, to talk about a prototype Web 2.0 worm they built, written in JavaScript and Perl. Hoffman explained that if a Web site has a cross-site scripting vulnerability, the worm can inject its JavaScript form into that site. The worm also carries a Perl form: when a user visits the infected site, the JavaScript version is delivered to the browser, and from there the Perl form can be injected into the Web server, so the worm moves from client to server and back with ease.

While we've seen computer worms before, they claim their new creation can pull vulnerability data off security sites such as Secunia and then exploit those new vulnerabilities, rendering current desktop security protection ineffective. Currently such a worm does not exist in the wild, but Terrill and Hoffman insist it's possible for others to do what they've done. You can hear Hoffman talk more about his creation in this recent Security Bites podcast.

There is hope. In addition to better coding practices on the Web server, another way to prevent runaway Web 2.0 vulnerabilities is to harden the JavaScript engine in the client's browser. At Black Hat, Mozilla released new fuzzing tools that let anyone test Firefox (or any browser) for JavaScript and protocol-handling bugs. What's significant is that you can also use these tools against Apple Safari, Microsoft Internet Explorer and Opera.

In an interview before her presentation, Window Snyder told me there are about 10,000 Firefox users worldwide who regularly download what are called nightly builds. Whenever the Mozilla security team puts out new fixes within the nightly builds, it's these 10,000 users who test the fixes on a wide variety of machines and under a wide variety of circumstances. Thus, Mozilla is able to roll out its security patches faster and with fewer headaches than its competitors. By tapping into their millions of users worldwide, Mozilla hopes more of these avid users will identify future Firefox flaws before they can be exploited.

August 4, 2007 3:37 PM PDT

Defcon drama: Undercover reporter bolts after outing

by Michelle Meyers

An NBC reporter learned the hard (and embarrassing) way that Defcon 15, a conference of underground hackers who also happen to be security experts, is not the place to go undercover with a hidden camera.

George Ou, who blogs for CNET News.com's sister site ZDNet, has written a detailed account of the drama that unfolded Friday at the Las Vegas conference when staff members announced the "spot the undercover reporter" game. Staffers had apparently learned that a Dateline NBC producer hoping to catch someone confessing to a hacking crime was there as a regular attendee after refusing repeatedly to seek a press pass.

Just as Defcon officials were about to put her photo up on the conference projector, the reporter bolted and a crowd followed her out to her car, taking video and shouting out questions and statements. (Check out the YouTube video embedded in Ou's blog). Our favorite comment, by far: "You must feel like Lindsay Lohan."

And we thought Black Hat was exciting.

August 2, 2007 3:38 PM PDT

Researcher: Web 2.0 vulnerable to cookie theft

by Robert Vamosi

LAS VEGAS--Robert Graham of Errata Security on Thursday showed how reverse engineering a security vendor's protection updates can uncover a treasure trove of zero-day vulnerabilities the vendor has not yet disclosed. He also demonstrated a session-hijacking attack (not a true man-in-the-middle; the attacker only listens) that affects several popular Web 2.0 sites. He did so in a talk at Black Hat titled "The Lazy Hacker's Guide to TCB (Taking Care of Business)."

David Maynor, who is no stranger to controversy at Black Hat, was scheduled to speak alongside Graham, but Maynor was called away at 4 a.m. by a client in need. Errata CEO Graham presented the talk solo.

In part one, Graham talked about extracting undisclosed vulnerabilities from TippingPoint's Zero Day Initiative. The Zero Day Initiative is a program in which researchers are paid for new, undisclosed vulnerabilities. What Maynor and Graham found was that TippingPoint then shipped protection for those bugs to its customers, and that protection could be reverse-engineered to reveal the vulnerability it guarded against. The same thing happens with Microsoft patches; the difference is that these vulnerabilities had not yet been made public or fixed by the affected vendor, so the reverse-engineered protection effectively hands the attacker a zero-day. The specific methods shown in the Black Hat talk have since been fixed by TippingPoint, but Graham pointed out that the same process could be used against other zero-day marketplaces, such as those run by eEye and IBM ISS.

In the second part of the talk, Graham showed how he could wirelessly sniff the session cookies used by Web 2.0 sites such as Google's Gmail, Facebook and MySpace.com. He said these sites seem to ignore the fact that sniffing for session cookies has been around for years. As an example, during the talk he sniffed the wireless network in the room at Black Hat and, from those results, pulled out a session cookie for Gmail. Within minutes he had that person's Gmail account briefly up on the projection screen. With the cookie he could send messages as that person, read all the mail in the account, and change settings, such as setting the outgoing-message text to "I love sheep" or changing the screen colors. What he could not do is change the password on the account.

Graham said Gmail lets you choose "https" protection, and urged everyone to do so. He said Facebook and other Web 2.0 sites don't offer that, so theft of the session remains possible. For those sites, the only defense is not to use the accounts on public Wi-Fi, such as at an Internet cafe or in an airport waiting area.
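The two halves of the sidejacking demo described here and in the August 6 post, as an added example (this is not Errata Security's Hamster or Ferret code): a harvester that pulls Host and Cookie pairs out of plaintext HTTP requests and rebuilds the request a hijacker would replay, followed by the cookie-matching rules that decide whether a browser will send a given cookie over plain http at all. The CAPTURED_REQUESTS traffic, the hostnames and the LEAKY and HARDENED cookie definitions are all constructed for illustration.

```python
"""What the sidejacking demo relies on: harvesting session cookies from plaintext HTTP,
and the rules that decide when a browser will send a cookie in the clear.

Added example; not Errata Security's Hamster/Ferret code. Sample traffic is constructed.
"""
from urllib.parse import urlsplit

# Constructed: a few HTTP requests as a Wi-Fi sniffer would reassemble them from TCP streams.
CAPTURED_REQUESTS = [
    "GET /mail/ HTTP/1.1\r\nHost: mail.example.com\r\nCookie: SID=abc123; HSID=xyz\r\n\r\n",
    "GET /home.php HTTP/1.1\r\nHost: www.social.example\r\nCookie: sess=9f8e7d\r\n\r\n",
    "GET /logo.png HTTP/1.1\r\nHost: static.example.org\r\n\r\n",   # no cookie, nothing to take
]


def harvest_sessions(requests):
    """Return {host: {cookie_name: value}} from every plaintext request with a Cookie header.
    No decryption and no password guessing: the session identifier is simply on the air."""
    found = {}
    for raw in requests:
        host = cookie = None
        for line in raw.split("\r\n")[1:]:          # skip the request line
            name, _, value = line.partition(":")
            if name.lower() == "host":
                host = value.strip()
            elif name.lower() == "cookie":
                cookie = value.strip()
        if host and cookie:
            jar = found.setdefault(host, {})
            for pair in cookie.split(";"):
                k, _, v = pair.strip().partition("=")
                jar[k] = v
    return found


def replay_request(host, path, jar):
    """The request a hijacker sends: the victim's cookies attached to a fresh GET."""
    cookie_line = "; ".join("%s=%s" % kv for kv in jar.items())
    return "GET %s HTTP/1.1\r\nHost: %s\r\nCookie: %s\r\n\r\n" % (path, host, cookie_line)


def parse_set_cookie(header, request_host):
    """Minimal Set-Cookie parser: name/value plus Domain, Path and Secure. HttpOnly is
    deliberately ignored because it stops scripts reading the cookie, not sniffers."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "secure": False, "path": "/",
              "domain": request_host.lower(), "host_only": True}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain" and val:
            cookie["domain"] = val.strip().lstrip(".").lower()
            cookie["host_only"] = False
        elif key == "path" and val:
            cookie["path"] = val.strip()
    return cookie


def would_be_sent(cookie, url):
    """Would a browser attach this cookie to a request for url (RFC 6265 matching rules)?"""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie["host_only"]:
        domain_ok = host == cookie["domain"]
    else:
        domain_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    path_ok = (u.path or "/").startswith(cookie["path"])
    scheme_ok = u.scheme == "https" or not cookie["secure"]
    return domain_ok and path_ok and scheme_ok


# Constructed: the same session cookie as a 2007-style site set it, and as it should be set.
LEAKY = parse_set_cookie("SID=abc123; Domain=.example.com; Path=/", "mail.example.com")
HARDENED = parse_set_cookie("SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly",
                            "mail.example.com")

if __name__ == "__main__":
    jar = harvest_sessions(CAPTURED_REQUESTS)
    print(jar)
    print(replay_request("mail.example.com", "/mail/", jar["mail.example.com"]))
    for url in ("http://mail.example.com/mail/", "https://mail.example.com/mail/",
                "http://www.example.com/"):
        print(url, "leaky:", would_be_sent(LEAKY, url), "hardened:", would_be_sent(HARDENED, url))
```

The last loop is the caveat to the https-bookmark advice: an https:// bookmark only helps if the cookie carries the Secure attribute, because otherwise any plain-http request to the same domain, an image, a redirect or a link someone else sent, will carry the session cookie in the clear and the sniffer gets it anyway.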

August 2, 2007 3:30 PM PDT

Mozilla releases browser testing tools

by Robert Vamosi

LAS VEGAS--Thursday morning at Black Hat, Window Snyder and Mike Shaver of Mozilla released new tools for testing their browser, Firefox, and other popular browsers, such as Microsoft Internet Explorer, Apple Safari and Opera. The tools include a protocol fuzzer by Michael Eddington and a JavaScript fuzzer by Jesse Ruderman. Fuzzing is a testing method in which a program is fed large volumes of malformed or randomly generated input to find the conditions under which it crashes or misbehaves, and browsers have historically failed under many such conditions.

In an interview before the presentation, Snyder said that Firefox enjoys a community of users in the millions worldwide. Of these, there are about 10,000 users who regularly download what are called nightly builds. Whenever the Mozilla security team puts out new fixes in the nightly builds, it's these 10,000 users who test the fixes on a wide variety of machines and under a wide variety of circumstances. Thus, Mozilla is able to roll out its security patches faster and with fewer headaches.

Because Mozilla enjoys a very enthusiastic community of users, the company decided to put tools in the hands of those users that will help make future releases of Firefox even stronger. After thinking about it, it decided the tools should work against all browsers, not just its own, because many similar vulnerabilities affect other browsers as well. The tools can be downloaded from Mozilla.

August 2, 2007 3:15 PM PDT

Bruce Schneier: Security as a state of mind

by Robert Vamosi

LAS VEGAS--Bruce Schneier, CTO of BT Counterpane, has been talking about the psychology of security for some time now. In his keynote address to Black Hat on Thursday morning, Schneier said that one simply cannot quantify security because it's also emotional. How we feel about security in a given situation can affect how secure we really are.

Schneier says we're all security consumers; as humans, we're constantly deciding how much time, money and effort we spend to feel secure. All animals do this. A rabbit faced with a predator has to decide whether to keep eating or simply run. Humans are both good and bad at this.

He cited several studies showing that our decisions about these trade-offs aren't always logical. Schneier then talked about the specific judgments we make around the severity of a risk (life or death), its probability (it won't happen to me), its magnitude (we overplay risks when children are involved), and the effectiveness of a response (does it matter whether I do A or B).

He also said that we tend to get these decisions wrong. Schneier said humans are better prepared for living in a hut on the African highlands in 1000 BC than for living in New York in 2007. Schneier ended his talk saying companies should spend more time working on improving the general perceptions surrounding security and not just the hardware and software they sell.

August 2, 2007 8:39 AM PDT

Rush to adopt Ajax leaves many sites vulnerable, experts say

by Robert Vamosi

LAS VEGAS--Want to build a Web site with all the latest Ajax technology? Or how about "Ajaxifying" an existing application? Bryan Sullivan, Senior Research Engineer for SPI Labs, and Billy Hoffman, SPI Labs' team leader, did just that during their talk "Premature Ajax-ulation" Wednesday afternoon at Black Hat. The two said that often developers see only the code that works, and not how someone else may come along and exploit it.

To demonstrate, Sullivan and Hoffman built a mock travel Web site, HackerTravel.com.

"We're actually using examples that we find from popular Ajax books, from popular Ajax Web sites," said Hoffman. "We're going to say, 'Look, we built this the way you were supposed to build it, the way so-called authoritative sources told you to.' Now here's what we need to be thinking about while you are developing these apps. And we're going to poke holes at it and show how to basically develop these things securely from the start."

Hoffman said companies traditionally hire third parties to come in and audit their site or perform a penetration test, then dump a thick PDF report on the developers' desks and say "here, fix it." What do the developers do? "They go and they type 'SQL injection' into Google and they find the first page and say 'Oh, here's how I fix it.'" That simply doesn't work, says Hoffman.

During the talk Hoffman showed how perfectly functional Ajax code could easily be manipulated by examining and editing the JavaScript in the browser. Ajax by design pushes some sensitive decisions out from the server onto the client. That may speed things up for the end user, but it also exposes those decisions to attack, because everything that runs in the browser is under the user's control. In one example Hoffman lowered the price of an airline ticket to one dollar by manipulating the JavaScript. He also created a denial-of-service attack, holding all the available seats on a flight, by turning off the client-side hold-release function.

The problems, said Sullivan and Hoffman, lie in the best practices often printed about Ajax. Their advice: never put business logic on the client side, never funnel all function calls through a single JavaScript handler, and don't use DataSet objects. When all the secrets are kept on the server side rather than the client side, the site is far better protected against attack.
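The two HackerTravel flaws from this talk and from the August 6 write-up, shown from the server's side as an added example (this is not SPI Dynamics' HackerTravel code): a booking back end that trusts the price and the hold-release timing computed in the browser, beside one that keeps that business logic on the server. The FARES table, the HOLD_SECONDS and MAX_HOLDS_PER_OWNER limits and the SEATS map are constructed for illustration.

```python
"""The $1 ticket and the seat-hold denial of service, as a server would see them.

Added example, not SPI Dynamics' HackerTravel code. Fares, limits and seat map are constructed.
"""

FARES = {"SFO-LAS": 189.0, "LAS-SFO": 189.0}   # constructed one-way fares
HOLD_SECONDS = 300                             # server-enforced lifetime of a seat hold
MAX_HOLDS_PER_OWNER = 4                        # bounds what one session can tie up


class VulnerableBooking:
    """The pattern from the Ajax books: the browser's JavaScript computes the price and
    decides when a hold is released; the server records whatever it is told."""

    def __init__(self):
        self.holds = {}   # seat -> {"owner", "release_after"}

    def purchase(self, payload):
        # 'price' was computed in the browser; edit the JavaScript and it becomes 1.00
        return {"charged": payload["price"], "seat": payload["seat"]}

    def hold_seat(self, seat, owner, release_after):
        # release_after also comes from the browser; a client with the hold-release
        # function switched off sends None, and the seat is never freed
        self.holds[seat] = {"owner": owner, "release_after": release_after}
        return True

    def available(self, seat, now):
        hold = self.holds.get(seat)
        if hold is None:
            return True
        return hold["release_after"] is not None and now >= hold["release_after"]


class HardenedBooking:
    """Business logic stays on the server: price comes from the fare table, holds expire
    on the server's clock, and one owner cannot hold more than a few seats."""

    def __init__(self):
        self.holds = {}   # seat -> {"owner", "expires"}

    def purchase(self, payload):
        route = payload["route"]
        if route not in FARES:
            raise ValueError("unknown route %r" % route)
        price = FARES[route] * (2 if payload.get("round_trip") else 1)
        # Any client-supplied price is ignored; a mismatch is worth logging as tampering.
        tampered = "price" in payload and payload["price"] != price
        return {"charged": price, "seat": payload["seat"], "tampered": tampered}

    def active_holds(self, owner, now):
        return sum(1 for h in self.holds.values() if h["owner"] == owner and h["expires"] > now)

    def available(self, seat, now):
        hold = self.holds.get(seat)
        return hold is None or now >= hold["expires"]

    def hold_seat(self, seat, owner, now):
        if not self.available(seat, now):
            return False
        if self.active_holds(owner, now) >= MAX_HOLDS_PER_OWNER:
            return False
        self.holds[seat] = {"owner": owner, "expires": now + HOLD_SECONDS}
        return True

    def hold_all(self, seats, owner, now):
        """What the seat-hold DoS achieves against the hardened server: holds granted."""
        return sum(1 for s in seats if self.hold_seat(s, owner, now))


SEATS = ["%d%s" % (row, col) for row in range(1, 31) for col in "ABCDEF"]   # constructed 180 seats

if __name__ == "__main__":
    tampered = {"seat": "12A", "route": "SFO-LAS", "round_trip": True, "price": 1.0}
    print("vulnerable charged:", VulnerableBooking().purchase(tampered)["charged"])
    hard = HardenedBooking()
    print("hardened charged:", hard.purchase(tampered))
    print("seats the attacker can tie up:", hard.hold_all(SEATS, "attacker", now=0), "of", len(SEATS))
```

The hardened version does not need to understand how the client was modified; it simply never consumes a decision the client was allowed to make. The "tampered" flag exists because a client sending a price at all is a signal worth alerting on, not just ignoring.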

August 1, 2007 1:40 PM PDT

Black Hat enters the big leagues of Vegas conferences

by Robert Vamosi

This is my eighth Black Hat, and boy has it grown, especially in the last two years. When I first attended Black Hat back in 2000, the conference had just moved into Caesars Palace and, with its four session tracks, fit neatly into a small conference area off the main lobby. Back in 2000, there were no vendors. Lunch was served in a patio lounge.

Flash forward to today where more than 4,000 confirmed attendees sprawl over two floors, attending 10 session tracks, making their way among the more than 40 vendor stalls. And lunch is now served mess-hall style in a large tent outside the hotel/casino.

Black Hat Director Jeff Moss, in his introductory remarks this morning, noted that among the 4,000 there are attendees from more than 50 countries, with nearly 20 percent of the audience from outside the United States. He commented that those in attendance weren't only IT or security professionals, but professionals from vertical industries interested in security. For example, in my Monday class on wireless networks was a man from Sherwin-Williams, the paint company.

I miss the intimacy of those early conferences. It's hard this year to spot people in the hallways. This morning's keynote was split into two separate speeches on different floors. And even Richard Clarke's keynote had to be simulcast into two large conference rooms. And lunch required a 20-minute wait in line.

That said, the Black Hat staff has been awesome in anticipating potential problems and addressing those few that cropped up anyway. For example, instead of the tiny registration desk, Black Hat opted for a conference room with individual stalls for preregistered, on-site registration and media.

On the one hand, I'm glad more companies are realizing that security is very important. On the other hand, the venue, which will be used again next year, will have to be rethought, at least in terms of how to move up to 5,000 people around successfully when the escalators are broken or simply shut down (as they have been here at Caesars since Monday).

August 1, 2007 11:46 AM PDT

Al-Qaida manipulates videos, images, says Black Hat speaker

by Robert Vamosi

LAS VEGAS--In a presentation at the Black Hat conference here Tuesday, Neal Krawetz of Hacker Factor showed how basic manipulations to images can be revealed through digital analysis.

After presenting on the specific techniques he used, Krawetz launched into what he called the case of "Dr. Z," who happens to be Ayman al-Zawahiri, the No. 2 man in al-Qaida.

In a photo that originally appeared on December 20, 2006, in USA Today, al-Zawahiri appears to be seated before a large banner with a desk underneath. On the desk, in the photo, is a tiny cannon. Yet in the accompanying text, al-Zawahiri is described as sitting with "a rifle behind his shoulder that was leaning against a plain brown backdrop."

Photos: Pictures that lie

Using the techniques demonstrated earlier in the talk, Krawetz deconstructed the image to show a halo around al-Zawahiri that suggests that he was likely sitting in front of a monochromatic screen. Even the letters on the banner had been altered. Further, the overall image had been cropped from the original.

Krawetz showed another image of al-Zawahiri from July 27, 2006, showing him seated in what appears to be a television studio. Krawetz said many people who saw this video were outraged that he could be sitting in a television studio somewhere, yet the U.S. government couldn't find him.

Image analysis suggests that the studio and the various pictures positioned in the studio around him were added later. Again, a halo around al-Zawahiri suggests that he was shot in front of a monochromatic screen and pasted into a new background.

The studio background behind al-Zawahiri includes five different elements placed within the shot. The picture of Mohammad Alef is taken from a video of a wedding ceremony. The pictures of the Twin Towers and of Mohammad Atta are both taken from the 9/11 Commission report. Meanwhile, the studio itself appears to have been created; the lighting suggests the wall is an unlikely 1 foot behind al-Zawahiri, for example.

Krawetz found an image from the SITE Institute, an organization that tracks terrorism worldwide. (SITE stands for Search for International Terrorist Entities.) The image was intercepted before it was released by al-Qaida.

In the SITE video, al-Zawahiri appears before a blackened backdrop. In the upper-right corner there appears to be the edge of a wall or screen. By adjusting the contrast, Krawetz could see that the wall behind al-Zawahiri is a draped backdrop. Krawetz didn't show the final al-Qaida image, but it likely included a composite of images designed to disguise his true location and press a specific message, as was the case in the final image Krawetz showed.

An image of Azzam al-Amriki, another member of al-Qaida, showed the young man seated in an office with a computer and a stack of books. Image analysis shows that the books were added. An odd detail, yet presumably it is there to convey added meaning.

Throughout his demonstration, Krawetz did not speculate on the reasons behind al-Qaida's image manipulation. His interest is only that the images were manipulated and that the specific changes could be revealed.

August 1, 2007 9:51 AM PDT

Richard Clarke sets tone for Black Hat 2007

by Robert Vamosi

In his keynote speech, Richard Clarke, novelist and chairman of Good Harbor Consulting, called for the adoption of IPv6 and the National Cyber Security Plan that President Bush signed in 2002 but has never implemented. While promoting his new novel, Breakpoint, the former National Security Council counterterrorism chief also took a few digs at former boss President Bush during a 30-minute speech.

"We are building more and more of an economy on cyberspace 1.0," Clarke told Black Hat attendees Wednesday morning. "Yet we still are running code from major vendors replete with errors that can be used to cause damage." Clarke, who gave the keynote speech at Black Hat in 2001, resurfaced an idea of his to have national standards for software. That proposal was removed from the National Cyber Security Plan that went to President Bush.

"We still do not have, and could have, cyberspace authenticated," said Clarke. "We should all be using encryption," which he said would reduce instances of laptops containing Social Security numbers being stolen. If they were all encrypted, we wouldn't care. He further suggested that encryption be used on e-mail, databases, even telephone calls to prevent illegal wiretapping.

Clarke leveled the harshest language on the Bush administration. "The Bush administration has systematically reduced the work to secure cyberspace." Clarke cited recent cuts to the Defense Advanced Research Projects Agency as an example. While he doesn't believe that government is the solution--it is just a part of the solution--he said he thinks government helps set the tone. He said he thinks Bush is "setting an example how not to do cybersecurity."
