Black Hat USA 2008: A report from Day 1

This year’s Black Hat USA conference in Las Vegas is pretty much like all the ones in the past. It’s a world-class conference with speakers that either bore you or blow you away. Black Hat is known for releasing a few Zero-day exploits and exploring nearly every other covered topic far better than any other computer security conference. Unfortunately, about half the presentations are wastes of time, with the speakers seemingly spending more time trying to make weak jokes than to present cutting-edge facts.

But among the warts are many jewels, and as always I’m more than glad I attended. This week’s column will cover some of the highlights from Day 1 of the briefings.

The number one presentation of the conference was IOActive’s Dan Kaminsky’s talk on his recent DNS exploit find. There was some question if there would still be any interest in the topic since the details of Dan’s exploit leaked out two weeks ago. The question was answered by a standing room-only crowd of thousands that filled the largest conference room long before the scheduled start time.

[ For more on the events and revelations at the 2008 Black Hat and Defcon security conferences, check out InfoWorld’s special report. ]

Dan explained DNS from the ground up and then explained the mechanics behind the exploit. Dan explained that he didn’t necessarily discover anything new — the primary weakness has been known and discussed for years — but he discovered a way to significantly simplify the exploitation of the weakness.

There has always been a concern that DNS replies could be spoofed by an attacker to return bogus results to a DNS client requester, whether that requestor is an end-user or DNS server (which then returns the bad results to an end-user). DNS vendors tried to defeat spoofing by using a random transaction ID (0 to 64K) negotiated in the initial DNS packets. Unless the attacker could correctly guess the transaction ID they would not be able to spoof a bogus packet back. Because the odds were 65,535 to 1 against the attacker, most attackers simply didn’t even try to spoof DNS packets.

Dan realized that the attacker could send many spoofed packets, each with a different transaction ID, decreasing the odds. But the real trick was in recognizing that the attacker could force the requester to send many requests to the same domain by using varying hosts or subdomain name requests (a1.foo.com, a2.foo.com, a3.foo.com, etc.), and the attacker could match the transaction ID against any of those requests. This essentially allows an attacker to take the spoofing odds down to a point that it was guaranteed to find a match in 10 seconds or less. Further, the spoofed DNS packet could then redirect the DNS server or client to another bogus DNS server (i.e. “I don’t have the answer, but this server at x.x.x.x does”).

Dan’s presentation then talked about all the ways to attack both internal and external DNS servers — how firewalls really didn’t provide that much protection, and what could be done with the resulting attack. Let’s just say it is a lot.

The fix was to provide a random source port into the DNS request, giving the attacker yet another order of magnitude (an additional 64K times) of random guessing that they would have to figure out to be successful. This solution was first introduced by Dr. J Bernstein of DJBDNS fame many years ago, but was not implemented by BIND or MS DNS because it was (mistakenly) thought that good transaction ID randomization was enough.

Dan revealed that about 70 percent of the Fortune 500’s DNS servers are patched and 15 percent are unpatched, while 15 percent were patched but ended up being unprotected because of the NAT devices used to protect the networks took away the random source port selection. Dan’s got a great video of the progression of DNS patches around the world. It’s a great look into the speed of how critical emergency patches are deployed.

Mike Zusman, in his talk on Abusing SSL VPNs, revealed that he was able to successfully get a valid digital certificate for a subdomain in the Live.com domain (owned by Microsoft) from a Root CA provider that was not authoritative for the domain. This allowed him to insert a man-in-the-middle Live.com VPN connection without setting off certificate warnings.

Nitesh Dhanjani and Billy K. Rios discussed what they learned by backtracking phishing e-mails to their malware and data repositories. Most of what they learned was that the bad guys used pretty poor programming and didn’t practice secure computing themselves. They were surprised to see that often when the bad guys stole tens of thousands of logon credentials that they ended up being stored unprotected so that anyone could take a look at them. They found hundreds of Web sites willing to sale stolen credit card information, including the supposedly more protected CVV2 information.

Posing online as cash poor teenagers they were able to get professional phishers to send them hundreds of phishing programs, premade to steal money. They found a meta Web site called ATM Skimmers linked to a handful of other sites willing to sell you physical skimming equipment to steal from ATM users. Crime Enforcers was one of the most interesting linked sites, claiming “We are offering absolutely anonymous & offshore developing for your projects. We don’t (sic) care what you want to do with hardwares (sic) and softwares (sic) you requested (sic) to done (sic) by us.”

As usual, one of the best reasons for attending Black Hat is to see old friends, network with new acquaintances, and to hear what security company is coming or going. And the Vegas parties aren’t bad either. As a constantly running Caesar’s Palace commercial repeats every 30 minutes, “You won’t need a wake call here. You’ll need a go-to-sleep call!”