ADMIN
Features
BlackHat 2010

BlackHat USA 2010
Learning from the Best
The latest and greatest security issues. By Kurt Seifried
I’ve been to BlackHat twice now, and both times I have taken the same lesson home: If you think things are getting better in the field of computer security, you’re probably wrong. Over the years, progress has been made identifying bug types – currently the CWE [1] lists 668 weaknesses in 120 categories – and some progress has been made with projects to identify and remove them systematically (e.g., OpenBSD has had remarkable success). However, you then come to the BlackHat conference and see a presentation like “HTTPS Can Byte Me,” in which Robert Hansen and Josh Sokol disclosed 24 vulnerabilities (Figure 1) that can compromise the integrity and security of SSL-encrypted web traffic [2].
The problem is not so much a failing within SSL itself. SSL encrypts the payload, but the sizes and timing of the packets it produces remain visible, so unless you take extreme measures to protect network traffic against analysis (e.g., padding traffic out, introducing time delays, etc.), chances are attackers will be able to glean information even if they can’t read the traffic directly.
Also, consider the case of the well-meaning web browser that attempts to be helpful. I guess people hate typing in personal information, so almost all browsers support “auto-complete,” which automatically fills out form fields (e.g., name, address, and credit card number). Unfortunately, this feature can be abused by attackers (imagine that), allowing them to steal personal information saved within your web browser if you visit a web page: the page carries a form whose fields ask for exactly that data, the browser fills them in, and JavaScript reads the values out and sends them off. Using JavaScript, they can set it up so you don’t even have to type anything in – combined with a hidden IFRAME, you might never realize that it happened.

Figure 1: Final HTTPS slide – 24 issues in all.
Especially worrying are the talks in which researchers don’t find new vulnerabilities but simply quantify existing ones. In the case of SSL certificates, they scanned the Internet and found 1.2 million SSL-enabled websites [3] [4]. Among the problems found were certificates issued for reserved addresses (e.g., 192.168.1.2, a private RFC 1918 address reused on countless internal networks) that never should have been allowed, because whoever holds such a certificate can impersonate the host at that address on any of those networks. Also, they found 50 percent of servers configured to allow SSLv2 (known to be insecure for 14 years).
Now, I’m not a glass half empty kind of guy, but seeing 50 percent of servers configured insecurely is a bit depressing (which is probably why most security people buy beer in pitchers, not glasses).
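A practical way to audit your own hosts for the SSLv2 finding above, as an added example that is not from the article or from the surveys it cites: modern TLS libraries no longer speak SSLv2 at all, so the probe sends a raw SSLv2 CLIENT-HELLO record and checks whether the server answers with an SSLv2 SERVER-HELLO. A server that does not support SSLv2 answers with a TLS alert or simply closes the connection, and both read as "not offered". The SERVER-HELLO at the bottom is constructed so the parser can be exercised offline; the host to probe is whatever you pass on the command line.

```python
"""Probe a TLS server for SSLv2 support (added example, not from the article).

Builds an SSLv2 CLIENT-HELLO by hand, because current TLS libraries have
dropped SSLv2 entirely, and parses the SERVER-HELLO if one comes back.
"""
import os
import socket
import struct

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSL 2.0 draft.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge=None):
    """Return an SSLv2 CLIENT-HELLO record that offers every SSLv2 cipher."""
    challenge = challenge or os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS)
    # MSG-TYPE, CLIENT-VERSION, CIPHER-SPECS-LEN, SESSION-ID-LEN, CHALLENGE-LEN
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    # 2-byte record header; high bit set means no padding byte follows.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(data):
    """Return the SSLv2 ciphers a SERVER-HELLO offers, or None when the reply
    is not an SSLv2 SERVER-HELLO (a TLS alert, an empty read, garbage).
    Only the 2-byte record-header form is handled, which is what servers use
    for SERVER-HELLO."""
    if len(data) < 13 or not data[0] & 0x80:
        return None
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    msg = data[2:2 + rec_len]
    if len(msg) < 11 or msg[0] != MSG_SERVER_HELLO:
        return None
    # SESSION-ID-HIT, CERT-TYPE, SERVER-VERSION, CERT-LEN, CIPHER-SPECS-LEN, CONN-ID-LEN
    _hit, _ctype, version, cert_len, cs_len, _cid_len = struct.unpack(">BBHHHH", msg[1:11])
    if version != 0x0002:
        return None
    specs = msg[11 + cert_len:11 + cert_len + cs_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]


def check_sslv2(host, port=443, timeout=5.0):
    """Connect to host:port and return the SSLv2 ciphers it accepts ([] if none)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except OSError:          # timeout or reset: server refused to talk SSLv2
            reply = b""
    return parse_server_hello(reply) or []


# Constructed SERVER-HELLO (no certificate, two ciphers, 16-byte connection id)
# used to exercise the parser without a live SSLv2 server.
SAMPLE_SERVER_HELLO = (
    struct.pack(">H", 0x8000 | (11 + 6 + 16))
    + struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002, 0, 6, 16)
    + b"\x01\x00\x80" + b"\x07\x00\xc0" + b"\x00" * 16
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    offered = check_sslv2(target)
    print(f"{target}: SSLv2 " + (", ".join(offered) if offered else "not offered"))
```

Run it against each of your own HTTPS hosts; any host that lists a cipher is one of the 50 percent, and the fix is to disable SSLv2 in the server's protocol configuration and re-run the probe, which is exactly the "test and verify" step the article calls for.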
BlackHat isn’t an unending stream of bad news, however. Many of the presentations not only present problems but also discuss the solutions. The perfect example was a presentation called “Lifting the Fog” [5], in which Marco Slaviero scanned for memcached (a memory-caching program widely used to speed up web-based applications). He found many memcached servers open to the world, and by using two poorly documented commands, stats detail on (which enables per-key statistics) and stats cachedump (which lists the key names stored in a slab class; the slab IDs come from stats items), he was able to retrieve all the items stored in the memcached server. And by “all” I mean everything; according to his presentation, he retrieved 136TB of data from 229 memcached servers.
The good news is that securing your memcached is simple: Firewall it so that only local trusted systems can connect to it (and if you must use it over the Internet, set up a VPN to connect systems to it). By default memcached does no authentication at all, so anything that can reach the port can read and write the entire cache. This solution is not magical, but it drives home the point that you need to test and verify security measures using tools like Nmap [6] (which is how he found all the memcached instances).
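The verification step described above, as an added example that is not Slaviero’s code or the article’s: it connects to a memcached port the way an anonymous client would, walks stats items for the slab IDs and stats cachedump for the key names in each slab, and returns what it could enumerate. Run it from a host that should not be trusted; if it comes back with anything other than None, the firewall rule is missing. The two replies embedded at the end are constructed for offline testing; the host and port are whatever you pass in.

```python
"""Audit a memcached instance for anonymous key enumeration (added example,
not from the talk or the article). Uses only the memcached text protocol.
"""
import socket

MEMCACHED_PORT = 11211


def send_command(sock, command):
    """Send one text-protocol command and read the reply up to END (or ERROR)."""
    sock.sendall(command.encode() + b"\r\n")
    buf = b""
    while not (buf.endswith(b"END\r\n") or buf.endswith(b"ERROR\r\n")):
        chunk = sock.recv(4096)
        if not chunk:            # server closed the connection
            break
        buf += chunk
    return buf.decode(errors="replace")


def parse_slab_ids(stats_items_reply):
    """'stats items' replies with 'STAT items:<slab>:<name> <value>' lines;
    collect the distinct slab ids, which 'stats cachedump' needs."""
    slabs = set()
    for line in stats_items_reply.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "STAT" and parts[1].startswith("items:"):
            slabs.add(int(parts[1].split(":")[1]))
    return sorted(slabs)


def parse_cachedump(cachedump_reply):
    """'stats cachedump <slab> <limit>' replies with
    'ITEM <key> [<bytes> b; <expiry> s]' lines; return (key, bytes) pairs."""
    keys = []
    for line in cachedump_reply.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ITEM":
            keys.append((parts[1], int(parts[2].lstrip("["))))
    return keys


def audit(host, port=MEMCACHED_PORT, limit=100, timeout=3.0):
    """Return {key: size_in_bytes} for every key an unauthenticated client can
    list (up to `limit` per slab), or None if the port is not reachable."""
    exposed = {}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            for slab in parse_slab_ids(send_command(s, "stats items")):
                dump = send_command(s, f"stats cachedump {slab} {limit}")
                for key, size in parse_cachedump(dump):
                    exposed[key] = size
    except OSError:              # refused, filtered or timed out: nothing reachable
        return None
    return exposed


# Constructed replies in the format memcached emits, for offline testing.
SAMPLE_STATS_ITEMS = (
    "STAT items:1:number 2\r\nSTAT items:1:age 60\r\n"
    "STAT items:5:number 1\r\nSTAT items:5:age 12\r\nEND\r\n"
)
SAMPLE_CACHEDUMP = (
    "ITEM session:4f2a [212 b; 1280000000 s]\r\n"
    "ITEM user:42:cart [1024 b; 1280000001 s]\r\nEND\r\n"
)

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = audit(target)
    if found is None:
        print(f"{target}:{MEMCACHED_PORT} not reachable from here (good, if this host is untrusted)")
    else:
        total = sum(found.values())
        print(f"{target}: {len(found)} keys enumerable anonymously, {total} bytes; e.g. {list(found)[:5]}")
```

Each listed key can then be fetched with a plain get, which is how the talk turned key names into terabytes of data; the audit stops at enumeration because that already proves the exposure. To find instances on your own network the way the talk found them on the Internet, a plain Nmap port scan such as nmap -p 11211 --open 10.0.0.0/24 is enough.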
So, if you need an excuse (well, a work-related excuse) to go to Las Vegas, BlackHat, and Defcon afterward, they’re not only a lot of fun, but very educational. My only complaint is that with 10 tracks, chances are you’ll have to choose between two or more interesting talks, which is definitely a glass half full type of problem.
Info
[1] Common Weakness Enumeration: [http://cwe.mitre.org/]
[2] HTTPS Can Byte Me: [https://media.blackhat.com/bh-us-10/whitepapers/Hansen_Sokol/Blackhat-USA-2010-Hansen-Sokol-HTTPS-Can-Byte-Me-wp.pdf]
[3] SSL Observatory: [http://www.eff.org/observatory]
[4] Internet SSL Survey 2010: [http://blog.ivanristic.com/Qualys_SSL_Labs-State_of_SSL_2010-v1.6.pdf]
[5] Lifting the Fog: [https://media.blackhat.com/bh-us-10/presentations/Slaviero/BlackHat-USA-2010-Slaviero-Lifting-the-Fog-slides.pdf]
[6] “Nmap scripting” by Eric Amberg, Linux Magazine, February 2008, pg. 68
34 Admin 01 www.admin-magazine.com