Saturday, March 29, 2008

Blackhat Europe Briefings Day 2

Second day talks that I attended to were:
  • The URI abuse talk. This was a talk which lists different attack vectors that apply to URI's. The speakers demoed a Picasa vulnerability that relies on DNS rebinding to be able to expose images from your Picasa to the evil hacker and his little brother. Then they talked about an iPhoto format string vuln that can be exploited via the photo:// URI. More information about this can be found at the speaker's blog. There was also mention of some tools which can help with finding new URI flaws, like duh4mac.c which lists all URI's on a Mac and the associated applications. While this talk had nothing which was not already available elsewhere, I thought that it was well delivered and inspiring.
  • The LDAP injection talk touched on an interesting subject that hasn't been covered much elsewhere except for a few scattered papers. While the subject matter was good, the speakers took long to get to the interesting part, which was a demo of a vulnerable web app and how they could manipulate to do privilege escalation on a web application. The most interesting part was when they showed how specifying an asterisk for a username can give access to the 1st user that matches. Then the speakers went on to describe more complex things such as blind injection, which took approaches similar to blind SQL injection.
    Finally, the speakers did not really expand on solutions and what do to to prevent such attacks. Their suggestion was to filter out malicious characters, such as the "*". However on further discussion with the speakers, they agreed that having a whitelist of characters might be a much better solution.
  • The Dtrace talk was well delivered. You could see that people got excited at the thought of being able to use that when doing reverse engineering on a Mac. Quotes like "dont think of draces as just gdb on steriods" were thrown at us when the speakers were explaining why making use of dtrace is better than making use of gdb or pydbg. And finally they presented a ruby wrapper around dtrace, making it all even more powerful. I know that I'll be adding dtrace to my arsenal of tools ;-)
  • Then it was time for the GSM cracking talk. This was a sort of update on how the whole project is going. They reminded us that there's a hell lot more GSM phones than computers, and that is one reason why their research is useful. As people who follow these security conferences know, these guys are making use of Pico computing's FPGAs to be able to generate rainbow tables that help with the cracking of GSM. They only got another month to go until their rainbow table is complete. Then they finally announced that they are considering selling a kit that allows you to crack GSM and we were left with the interesting question of "who is your target market?"
  • Hacking Secondlife talk: I found this talk to be a bit frustrating because the author took his time to arrive to the juicy stuff and when he actually did, then things were not as exciting as I would have liked them to be. In my opinion, the speaker should have named the talk "Hacking with SecondLife" instead of "hacking SecondLife", because his demonstrations were about making use of the scripting in SecondLife to get other Avatars to send http requests to a target website. He showed off slikto, which scans websites for known vulnerable scripts just like nikto, but makes use of Avatars on SecondLife that click on the evil ball. Least that I can say is that I wasn't impressed, and this sort of thing can be done on a much larger scale and much more efficiently with botnets, or by making use of DNS rebinding attacks and many other ways.
  • The final talk that I went to was the Maltego talk about investigating people by making use of open source information. Actually I wanted to watch the PDF malware talk, but started snoozing and decided that I'd rather switch track. The Maltego talk was very well delivered, the speakers were entertaining and showed some real funky visualization in the next version of their application. The talk was mostly about presentation of data to turn that into useful information (or intelligence). They also talked about bypassing google's human verification checks and the legal problems that they had with various search engines.

No comments: