Black Hat 2008 Aftermath

Lawyers' guide to security concerns involving computers and networks

As always, the 2008 Black Hat security conference in Las Vegas was full of cutting-edge computer security research, the latest in computer security vulnerabilities, and more than a little controversy.

Since the beginning of the Black Hat conference 15 years ago, the show has always been a place for the elite of the computer security industry to release their latest work on what is known as "zero-day exploits."  A zero day or "0-day" exploit is a previously unknown computer security vulnerability that is released before vendors like Microsoft have a chance to release a security fix.  There were fewer zero-day exploit presentations this year than we have seen in the recent past, but the ones that were presented were big.

The most popular presentation at Black Hat 2008 was on the Internet-wide DNS vulnerability discovered by Dan Kaminsky, director of penetration testing for IOActive.  More than 2,000 attendees packed into an 800-person capacity room to hear him tell the intriguing story of how he had been working on a non-security-related Web-caching project for a friend at Wikipedia.  Kaminsky was looking into how Domain Name System (DNS) servers, the computers on the Internet that convert computer names (like www.law.com) to IP addresses (and vice versa), handle their lookups.  Looking for ways to improve performance, he stumbled upon a "DNS cache poisoning" vulnerability.

DNS cache poisoning is a technique that allows a hacker to introduce forged DNS information into other DNS servers.  A successful DNS cache poisoning attack allows the hacker to redirect traffic for portions of the Internet, for example sending all users of a search engine to malicious content.  Kaminsky immediately recognized that his newly discovered vulnerability didn't just affect one software vendor but instead affected every vendor worldwide whose products relied upon the DNS standards.  Kaminsky literally discovered a security vulnerability that affected every user on the Internet.  Being a consummate security professional, he realized that releasing such dangerous vulnerability information before vendors had a chance to release security fixes would create a global problem.

In our interview with Kaminsky, he frequently credited the team effort of all the major software vendors and Internet security bodies with how rapidly and quietly they gathered in Redmond, Wash., to come up with a solution to the DNS problem.  After several days of deliberation on various solutions, Kaminsky said that they "decided on a port randomization fix because it was doable, not because it was ideal."

The port randomization fix causes DNS servers to send each query from a randomly chosen source port, so that a forged reply must match both the query's transaction ID and its source port, which makes DNS cache poisoning much more difficult.  The vendors then all arranged to provide security patches to users worldwide on the same day to mitigate the problem.  After his presentation, Kaminsky said that the legacy of this vulnerability should be "a wake-up call that everything is secure until there is an attacker."
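As an added illustration that is not part of the original article, the check below shows how an administrator can tell from a resolver's own outbound queries whether it applies the port randomization fix: it counts the distinct source ports the resolver uses and measures the entropy of the port and transaction-ID fields.  The query records are constructed sample data, and the function names and thresholds are this example's assumptions, not any vendor's tool.

```python
import math
import random
from collections import Counter

# Constructed sample data (not real traffic): each tuple is the (source port,
# transaction ID) of one outbound query, as a resolver's query log or a packet
# capture of UDP port 53 traffic would show it.  A fixed seed keeps the
# samples reproducible.
_rng = random.Random(2008)
# Unpatched behaviour: every query leaves from the same source port.
FIXED_PORT_QUERIES = [(32768, _rng.randrange(65536)) for _ in range(64)]
# Patched behaviour: each query gets a random ephemeral port.
RANDOM_PORT_QUERIES = [(_rng.randrange(1024, 65536), _rng.randrange(65536))
                       for _ in range(64)]


def shannon_bits(values):
    """Entropy in bits of the observed value distribution.

    With n samples the result is capped at log2(n), so a 64-query sample can
    show at most 6 bits even for a perfectly random 16-bit field.
    """
    counts = Counter(values)
    total = len(values)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def assess_resolver(queries, min_port_bits=4.0):
    """Summarise how unpredictable a resolver's queries are to an outsider.

    Returns the number of distinct source ports seen, the entropy of the
    port and transaction-ID fields, and whether the resolver appears to
    randomize source ports (port entropy of at least min_port_bits, an
    assumed threshold for this sample size).
    """
    ports = [port for port, _ in queries]
    txids = [txid for _, txid in queries]
    port_bits = shannon_bits(ports)
    return {
        "queries": len(queries),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(shannon_bits(txids), 2),
        "randomized_ports": port_bits >= min_port_bits,
    }


if __name__ == "__main__":
    for label, sample in (("fixed port", FIXED_PORT_QUERIES),
                          ("random port", RANDOM_PORT_QUERIES)):
        print(label, assess_resolver(sample))
```

On a real resolver the same assessment can be run over the source ports recorded in a short packet capture of its outbound DNS traffic; a resolver that still shows a single port after the July 2008 patches is unpatched or sits behind a NAT device that rewrites ports to one value.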

Kaminsky's presentation also focused on the need for better software development and test processes for new Internet software that may become the next big thing.  When we asked Kaminsky what he thought the next big security improvement for the Internet was, he unequivocally stated: "Next, we need real e-mail encryption between companies."  Kaminsky further opined that, as a group, attorneys specifically could play a big part in forcing changes to Internet e-mail security by insisting on better products for the protection of attorney-client e-mail exchanges.

DANGER, WILL ROBINSON

Although there were fewer zero-day exploit presentations this year, that was balanced out by the number of very interesting presentations focused on the dangers of social networking sites and social engineering.  While there were a number of presentations on these topics, two of them caught our attention.  The first was the aptly titled "Satan Is on My Friends List" presented by Shawn Moyer and Nathan Hamiel.  The duo demonstrated how they were able to perform a number of hacks on MySpace.com, not with actual hacker tools but by combining cross-site scripting (XSS) with features available on the site.

Cross-site scripting (XSS) is the controversial feature that allows users to link content such as photographs or links to other Web sites on their personal page.  XSS is also used by hackers to inject malicious code into Web sites viewed by other users.  During the presentation, Moyer and Hamiel demonstrated how they were able to use XSS to force their way onto users' friends lists, impersonate other users and lock a legitimate user's account, among other tricks.

When we spoke with Moyer and Hamiel after their presentation, they said that most of the security problems with social network sites are "social network abuse problems, not really identity theft problems."  Moyer said many of the security flaws they were able to take advantage of were actually necessary for sites like MySpace and Facebook to provide a rich user experience.

The pair agreed that the single biggest problem behind social networking sites is "no identity verification on social net sites."  They also felt there was a real danger to corporations through the creation of fake "corporate" social networks that could be used to release false information and damage a company's reputation.  We'll be covering more on social networking security and what you can do to protect your virtual self while using social networking sites in an upcoming article.

THERE OUGHT TO BE A LAW: SSL ABUSE

A presentation that went largely unnoticed at Black Hat 2008, because it conflicted with Kaminsky's DNS vulnerability presentation, was "Leveraging the Edge: Abusing SSL VPNs" by Mike Zusman of the Intrepidus Group.  While Zusman's presentation didn't get nearly the same reaction as Kaminsky's, the vulnerabilities that he presented may have a huge effect on corporate enterprise security.

SSL virtual private networks are commonly used by corporate IT departments to provide quick and secure access for remote users to internal corporate computing resources.  IT security professionals favor SSL VPNs because they are inexpensive, easy to install and allow remote users to securely access internal corporate computers through Java or ActiveX plug-ins in their Web browser.  The SSL VPN Java and ActiveX Web plug-ins used by most vendors caught Zusman's attention.  He surmised that these very powerful Web browser plug-ins might not be that secure or well protected while running in the Web browser.

During his presentation Zusman demonstrated some startling vulnerabilities.  The demonstration showed how users with an SSL VPN plug-in installed in their Web browser could be hacked by simply browsing to a malicious Web site.  Zusman's exploit involved no more than 40 lines of malicious code embedded in a Web page; that code invokes the unsuspecting user's SSL VPN browser plug-in and allows files to be copied to and from the user's hard drive, network settings to be changed and, in some cases, full access to be gained to the remote user's computer.

The threat behind Zusman's exploit is that many corporations install SSL VPN plug-ins on all remote users' computers as a "security improvement" and could inadvertently be compromising the very users they are trying to protect.  As almost a side note to his presentation, Zusman also demonstrated how he was able to, without hacking or exploitation, trick a major SSL certificate authority into selling him legitimate SSL certificates for Microsoft and other corporations' domains.  Fortunately for all of us, Zusman is one of the good guys and is working with a number of vendors to help them secure the SSL VPN Web browser plug-ins.

PHISHING, BOTNETS AND SPAM

Everyone knows that e-mail spam is a huge problem that all of us are subjected to on almost a daily basis.  What you may not know is how e-mail spam is directly linked to phishing and botnets.  Phishing e-mails attempt to steal personally identifiable information from unsuspecting computer users by getting them to open a "Trojaned" attachment or follow a link to a malicious Web site.  Botnets are collections of hacked computers remotely controlled by individuals for nefarious purposes.

Typically the hacker or "bot herder" will use the computers under their control for denial-of-service attacks, often associated with extortion, or for massive spamming as part of a phishing effort.  There were a number of different presentations addressing how phishing and botnets, in conjunction with e-mail spam, are used by hackers.

The "Bad Sushi:  Beating Phishers at Their Own Game" presentation by Nitesh Dhanjani and Billy Rios provided an inside look at the "phishing ecosystem" and how identity and credit card theft are done blatantly and openly on the Internet.

Black Hat also covered the latest trends and security implications of server virtualization and introduced visual forensic analysis in a session entitled: "Visual Computer Forensic Analysis," by Greg Conti and Erik Dean.  In upcoming articles we will look more at this cutting-edge technique and the tools being developed around it, as well as delve into the dangers of social networking sites, phishing and botnet schemes, and SSL VPN security.

As you can tell, this year's Black Hat Briefings had a little something for everyone -- and a lot of new things to provide wake-up calls for IT professionals and computer users alike.  Over the next few weeks, we will drill deeper to cover some of these topics in greater detail, explaining how they affect the legal industry specifically.  Stay tuned for our next installment of Black Hat -- the Aftermath.

Brian Dykstra and Keith Jones are senior partners of Jones Dykstra & Associates, a Maryland-based consulting firm. Jones Dykstra & Associates specializes in e-discovery, computer forensics, expert witness testimony and computer intrusion response services.