[Dailydave] Blackhat Windows 2004 Report
From: Dave Aitel (dave at immunitysec.com)
Date: Mon Feb 02 2004 - 11:51:40 CST
Here's my BlackHat Windows 2004 Report. (Seattle)
My talk:
Here is a picture of people during my talk. For those of you with wussy
mail servers that can only handle a teeny tiny message of 50K or
whatever, please check the archives to see it, cause this message is
going to bounce.
Ok. That's not entirely accurate. This is a picture of people right
before my talk. The room did eventually fill up. At the beginning of my
talk I said: "Free "Hacker's Handbook" to the best question, so think of
a good question." Of course, I completely forgot to keep track of which
question I thought was best, and who they were from, so at the end I
just gave it out randomly. I rewrote my talk. After you give a talk, any
talk, three times, it starts to bore you, so I did some massive
elaboration and had a "bonus talk" at the end which was about 6 0days
entitled "Enterprise-ware is your chewy center". I'll release my
slidepack as soon as those vendors release patches, so probably next
week. There was one guy sitting in front (not pictured above) who wrote
every 0day down and then I asked him who he worked for, and he said,
"Nobody". I think he worked for the FBI. Of course, the point of my talk
was not that "there are 0day" but that Enterprise-ware is so weak that
even a CISSP can find 0day in it. So one or two 0day in any given
product really doesn't make a dent.
One of the things I always do after a conference is go down the list and
say which talks I liked, which I didn't like, and which I heard were
really good, but I didn't get a chance to go to.
I liked David Litchfield's heap overflow talk, especially the last 5
minutes. Most of the talk was a good overview of heap overflows on
Windows, which is something a lot of people need, but the last bit was
counter-intuitive stuff, which pretty much everyone needs.
For some reason I was scheduled across from Halvar, which was a tough
call for a lot of people, I hear. After my talk, I was pretty burnt out,
so I didn't get to see Capturing Windows Passwords Using the Network
Provider API (Sergey Polak) or Auditing ActiveX Controls (Cesar
Cerrudo), both of which were probably good. I did catch Hidenobu Seki's
"Fingerprinting through Windows RPC". His native language is Japanese,
not English. I find whenever this is the case, that often the slow pace
of a talk can hide the really good stuff. He demonstrated some programs
he'd written for doing password brute forcing against a Windows box. He
also showed how you could enumerate users on a Windows box, even with
the security setting against that turned on. He also showed how you
could start an AT job if you had a username and password, using RPC.
Nothing rocket science, but it's very good to see it all put together in
one thing. I.e., another CANVAS module that I think people will find
useful is going to be an enumeration, brute-forcing, and AT-job starting
module chain. (For kicks, I'll probably also add an "AT Service" starting
module.)
I hear "Nobody's Anonymous - Tracking Spam" (Curtis Kret) was really
really good. The title makes it sound fairly fluffy, but apparently it
was highly amusing.
2nd day:
I missed Richard Thieme's keynote. That second day keynote is a TOUGH
one to make. Microsoft had a big party the night before in the Space
Needle and it swayed in the rain, making us all think we were really
drunker than we were. I don't know how this made us drink more, but it
did. It was funny to see Halvar and the Microsoft prefix guy talk for a
while.
By the time I woke up and got downstairs, Steve Hofmeyr (Sana Security)
was partly through his talk on "Preventing Intrusions and Tolerating
False Positives". My rum-addled opinion the night before was that ANY
physical-world analogy to the information security space was a poor
match. In the light of day, I still think that when you compare the
computer security space to a person's immune system, you're making a lot
of implicit assumptions that a good hacker won't make. I know this goes
against the grain for a lot of people, but I think a good example is the
"house" metaphor, which seems to gain new life with every new class of
CISSPs. Physical metaphors, if they give us new insights into computer
security, carry a high price tag of implicit assumptions and built-in
weaknesses. This talk had some really interesting approaches to defeat
worms. The defeating worms problem is a lot easier than the defeating
multi-stage attackers problem.
I also saw the "Lessons learned when the cisco guys went to windows"
talk from FX, which was really good. Some highlights:
o An OllyDbg script to find good return addresses
o Better Unicode shellcode (20% better than mine!) :>
o SAP 0day a-plenty!
The final talk I went to, since I was pretty burned out by talks by now,
was the Trusted Computing 101 (David Blight). The thing about Palladium
talks is they never walk through the real examples in the beginning.
Here is how the talk would work if I did it:
Slide 1. GPG on a unix machine where root gets hacked but the GPG key is
still safe because of Pd storage
Slide 2. Dell signs my machine, which is why this works (a diagram)
Slide 3. Your bank authenticates your machine in order to let you do a
wire transfer with Pd, even though your box is haxored.
See, those three slides explain Pd better than a thousand slides on the
"Nexus" et al.
Anyways, that's the end of this report. My fingers are tired and I have
to do real work now. Feel free to comment.
Dave Aitel
Immunity, Inc.