Moxie Marlinspike, Dan Kaminski and Mike Zusman all presented talks at both Blackhat and Defcon that expose serious flaws the implementation and model of SSL and the way we us it today.
Read more…
Kostya started of by telling everybody: “I’m not a virtualisation expert”
Then he started to explain how he was able to build up his cloudburst exploit.he focused on the guest os devices, because the device are omnipresent in all VMWare pruducts, they run on the host, can be accessed from the guest, are written in C/C++ and parse some complex data.
This is the talk that I blogged about earlier about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing.
In their presentation they first looked at SMS. SMS is a building block of the phone system and essential to the working of the modern network because it is used for all kinds of stuff. Why is it good to attack? No firewall, processed by all phones, no user interaction and you only need a phone number to send an SMS.
Soundbyte of the day: Lex Stamos about the twitter hack: “No matter how low opinion you have of your user, they will always prove you wrong”
Cloud computing is actually defined as three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastrcture as a Service (IaaS). A large VMWare farm for one company is not cloud computing.
Each of the models has their pro’s and cons.
Charlies Miller’s and Collin Mulliners talk “Fuzzing the Phone in your Phone” today revealed full details that could make the first iPhone virus infection at the Blackhat security conference in Las Vegas.
Large SMS messages are cut up in smaller SMS messages, this means that the SMS messages need to be parsed by the phone to put it back together and thus can be used as an attack vector to breach the phone. By using a technique known as fuzzing, Miller and Mulliner where able to find exploitable conditions that could be turned into an attack and an iPhone virus. The attack takes a total of 519 SMS messages, but will work without any user interaction.
Interoperability is everywhere in browsers Java <-> VBScript, VBscript <-> .NET, .NET <-> Javascript, Javascript <-> DOM etc. This interoperability presents a large attack surface, which is up to now where not well explored.
There is a lot of code involved converting types between various languages.
The background: In the past, basic constraints where not properly checked, so any client certificate could be used to create another client certificate that would actually validate.
Moxie wrote the tool SSLSNIF is that is able to do a man in the middle attack on an SSL connection based on this vulnerability to proof to Microsoft that it could be exploited, contrary to what Microsoft said.
Even tough Microsoft and others fixed the vulnerability, the tool is still useful, mainly because people don’t pay attention to certificate warning. Also when the guys that made the fake CA certificate by means of the the MD5 collision use SSLSNIFF to actually exploit is.
But there are more ways to attack SSL then doing a man-in-the-middle attack; SSL Stripping
Talk focused on a methodology for restoration after a massive compromise while keeping the users on the network and somewhat productive.
Four phases for RETRI
I arrived late, but talk hadn’t started unfortunately it did mean standing room only.
FX had a cool feature in his presentation; every slide was accompanied by a BlackHat-O-Meter. Works like the base and acid scale. Corporate suite-and-tie types should stay with slides that have the meter all the way on the top, CISSP should be able to grasp the details of slides that are ranked somewhere in the middle, real Hackers could also grasp bottom of the scale slides.
FX’s first words are comforting, there is not so much real world router ownage going on. Mis-configuration, insider attacks, etc. are much more common.
However, infrastructures are what you want to own, so why don’t we see this more often? Because practical exploits are hard.
BlackHat Las Vegas has officially started. Jeff Moss kicked the conference off with the usual boring stuff. One of the surprises is that BlackHat Amsterdam will not happen. Instead they decided to move the event to Barcelona because they could not find a facility in Amsterdam big enough anymore. As a result BlackHat Barcelona will be bigger it feature three parallel tracks in stead of the two tracks that where possible in Amsterdam. Still I am sad that they abandoned my home country.
Then the keynote by Douglass Merill started.